The Glider

A CPPI report highlights the fact that cloud computing and mobile technologies have lowered the cost of entry for smaller firms. - Small businesses have the power to revive the nations economy; they just need the opportunity, technology and the right government policies to help them succeed, according to a report from the Center for Public Policy Innovation (CPPI) and the Digital Dialogue Forum (DDF). The report also notes smal...

SSL Inspector allows organizations to identify threats hidden within SSL-encrypted communications. - Fidelis Security Systems, a specialist in network visibility, analysis and control solutions, announced a cloud-security solution designed to provide visibility and control to decrease risks associated with using software as a service (SaaS). The solution is deployed at the enterprise network ed...

Digital Certificate Authority (CA) Trustwave revealed that it has issued a digital certificate that enabled an unnamed private company to spy on SSL-protected connections within its corporate network, an action that prompted the Mozilla community to debate whether the CA's root certificate should be removed from Firefox.

Google announced the launch of a new Google+ Developers page where developers can go to get and share information about developing for the Google+ platform. - Google has launched a new Google+ Developers page to help developers stay abreast of all the latest Google+ platform news, events, community and more. With Google+ gaining users every day up to 90 million at last count the companys social platform becomes a much more attractive target for dev...

Apple and Google Android are battling for smartphone market superiority. Microsoft's Windows Phone can learn something from each rival. - How can Windows Phone claim a bigger chunk of the smartphone market? Since Microsoft released the first iteration of Windows Phone in late 2010, pundits and analysts of all stripes have picked over the best way to answer that question. For Microsoft itself, of course, any answer is more than pu...

Google launches Chrome for Android, a mobile version of the popular, speedy Web browser used by more than 200 million people worldwide. It's in beta and only available for Android 4.0 Ice Cream Sandwich. - Google (NASDAQ:GOOG) Feb. 7 launched a beta of Chrome for Android, a mobile version of the popular browser that is used by more than 200 million people worldwide on the desktop. The catch is that it is currently only available for smartphones and tablets based on the latest Android 4.0 Ice Cr...

NEWS ANALYSIS: The long-rumored Apple television could be a sales hit in the coming years. And in the process, it might hurt Google and Android. - The amount of talk surrounding the Apple television has hit a tipping point. Almost every day, there is a new rumor that crops up about a possible feature, a launch date, pricing and more. There appears to be no end to the speculation in sight, and Apple, as it has done in the past, has relished ...

There was a post on Ars Technica yesterday, that led back to another blog post from Sunday that suggests that Google Chrome will stop doing CRLchecks at some point in the not too distant future. This has led to some interesting debate because the CRLmechanism has largely been ineffective. For a public key infrastructure (PKI) such as HTTPS to work, there must be an effective way of verifying the validity of the certificates. Due to the number of Certificate Authority (CA) breaches in recent years we'd all like a fast and effective method of taking compromised certificates out of play. During the highest profile breaches, all the major browser vendors simply pushed new versions of the browser with the root certificates from the breached CAs removed, in part because the browsers by design fail open (allow the connection)if they are unable to verify the certificate. So, is this a big deal? Is it the right way to go? Is it time to rethink/redesign/replace SSLor HTTPS? What do you think?
References
http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars
http://www.imperialviolet.org/2012/02/05/crlsets.html
---------------

Jim Clausing, GIAC GSE #26

jclausing --at-- isc [dot] sans (dot) edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.