Tim Callan
@TimCallan
Woodside, CA
Senior Fellow at Sectigo. Long time blogger about online security, branding, marketing, and technology.
272 Tweets
147 Following
400 Followers

Tweets
Tim Callan
@TimCallan
Oct 1

Recently at Black Hat and on YouTube a security newcomer has claimed to factor the RSA algorithm. It turns out these feats were accomplished as early as 1999. Join @jasonsoroko and me as we debunk this rumor and discuss the reality of RSA encryption today. soundcloud.com/tim-callan/roo…

Tim Callan
@TimCallan
Aug 20

The CA/Browser Forum is voting on a ballot to limit maximum SSL certificate duration to 13 months. Otherwise browsers such as Chrome can simply distrust longer certificates. @jasonsoroko and I discuss the shorter certificates and how automation can help.
soundcloud.com/tim-callan/roo…

Tim Callan
@TimCallan
Aug 13

Few people know that caller ID numbers are completely self-reported, enabling the plague of robocalling scams we experience today. @jasonsoroko & I discuss telephony and other systems suffering from this problem, their vulnerabilities, & what can be done. soundcloud.com/tim-callan/roo…

Tim Callan
@TimCallan
Aug 6

Recently we've seen major news items in some of the common Root Causes themes. @jasonsoroko and I discuss new whopping breach fines from GDPR and the FTC, what happens when an entire country has its PII stolen, and phishing sites with SSL. soundcloud.com/tim-callan/roo…

Tim Callan
@TimCallan
Jul 31

That's just false. BRs can be changed. If EV certs indicate a low propensity for online crime, that information is vitally important and should be used, even if nobody knew that would happen when they were created.

Tim Callan
@TimCallan
Jul 31

I don't see why interest from the browsers is required for a cybersecurity academic to offer options for interface improvements. You don't wait for permission before offering your opinions on things. Maybe if enough people discuss alternatives, the browsers will make it better.

Tim Callan
@TimCallan
Jul 31

In the case of this research it means unassociated with the known criminal activities that were studied. It also happens to mean associated with a known business enterprise or individual.

Tim Callan
@TimCallan
Jul 31

Maybe the security indicators have been poorly designed. If there is valid information that will be helpful to users but the interface fails to communicate that information, why wouldn't we try to do better?

Tim Callan
@TimCallan
Jul 31

Elsewhere on this thread I've stated that Georgia Tech may extend this research to other authentication levels and we would like to see that. Nonetheless, this is a very important data point that nobody has had before now.

Tim Callan
@TimCallan
Jul 31

The word SSL is used an order of magnitude more often than TLS. Just look at search volume. When I talk about the technology I make a point of weaving in both terms so that I'm speaking to the market in the terms it uses.

Tim Callan
@TimCallan
Jul 31

We would love to know what the numbers are for DV. Georgia Tech has suggested they might do that as a follow-on. If they agree to do so, we will seriously look into funding it if that's necessary.

Tim Callan
@TimCallan
Jul 31

Georgia Tech had complete control over how to design and conduct the research and how to report the results.

Tim Callan
@TimCallan
Jul 31

In this case we had a great wealth of anecdotal experience suggesting that EV cert holders are less likely to be shady. But we wanted to know what the whole body of evidence would say. So we made it possible for Georgia Tech to find out.

Tim Callan
@TimCallan
Jul 31

There is nothing specious about this statement. This is simply a report of what the evidence says. Gathering and using evidence is good. That is how we make better decisions.

Tim Callan
@TimCallan
Jul 31

CABF's stated purposes for EV certs are irrelevant to the fact that there is very little correlation between criminal activity and EV. This low correlation is still useful information regardless of the cert type's original intention back in 2007.

Tim Callan
@TimCallan
Jul 31

The Kazakhstan government is forcing citizens to trust its own root, enabling persecution of dissidents, journalists & human rights advocates. Learn the long history of this weaponization of PKI, its effects & how the browser community could fight it soundcloud.com/tim-callan/roo…

Tim Callan
@TimCallan
Jul 18

Germany has published a draft of its latest guidelines for safe browsers, including requirements for how SSL certificates are treated. @jasonsoroko and I discuss these requirements and their potential impact on Germany, other governments, and industry. soundcloud.com/tim-callan/roo…

Tim Callan
@TimCallan
Jul 14

The White House is the latest government entity seeking to defeat encryption technology through back door access. @jasonsoroko & I explain why this is unworkable & would endanger all our confidential online business and personal services #encryption #pki
soundcloud.com/tim-callan/roo…

Tim Callan
@TimCallan
Jul 2

Cryptography requires entropy, genuinely unpredictable values. But random numbers are harder to create than you may think. @jasonsoroko and I discuss the need for random numbers, how companies create them, and the bad things that happen when they fail. soundcloud.com/tim-callan/roo…

Tim Callan
@TimCallan
Jun 20

The world's energy grids and utilities are increasingly targets for cyber attack, both state-sponsored and otherwise. @jasonsoroko and I discuss the latest developments, possible consequences of cyber war against energy grids, and what we can do about it. soundcloud.com/tim-callan/roo…