Root Causes: A PKI and Security Podcast

Root Causes 605: Chrome Declares Its Support for Merkle Tree Certificates (MTC)

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Wed, 15 Apr 2026 13:54:43 +0000

Google has taken a strong position supporting Merkle Tree Certificates (MTC) as the PQC-enabled future for SSL / TLS. We unpack this extremely important position from the WebPKI's most influential organization.

Root Causes 604: Accelerated Timeline for Quantum Computers Breaking ECC in Crypto and Blockchain

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Mon, 13 Apr 2026 14:56:56 +0000

A new paper from Google Quantum AI and others documents a new technique for breaking ECC, particularly the curve protecting crypto currencies, smart contracts, and blockchain. This accelerates post quantum cryptography (PQC) timelines.

Root Causes 603: Cryptographically Relevant Quantum Computing (CRQC) with Only 10,000 Qubits

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Fri, 10 Apr 2026 19:09:26 +0000

New research suggests that a cryptographically relevant quantum computer is achievable with only 10,000 qubits. This was an important contributor to Google moving its PQC target to 2029.

Root Causes 602: Google Moves the PQC Date Forward to 2029

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Wed, 8 Apr 2026 15:21:06 +0000

Google has announced that it is moving its target for full PQC support to 2029. This is a strong statement from one of the most knowledgeable PQC technology companies that the existing 2030 target is too late.

Root Causes 601: The Zombie in the Server Room

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Mon, 6 Apr 2026 13:22:08 +0000

Legacy PKI implementations in the enterprise are holding back technical progress and creating security risk. We discuss reasons why, consequences, and what to do about it.

Root Causes 600: Cryptographic Design Is Not Neutral

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Fri, 3 Apr 2026 12:11:41 +0000

In our previous episode we defined cryptography as the new geopolitics. Now in our 600th episode we follow up to explain how all cryptographic decisions reflect the social, political, and legal viewpoints of the cryptography's designers.

Root Causes 599: Cryptography Is the New Geopolitics

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Wed, 1 Apr 2026 13:44:18 +0000

In the last decade or so, nations around the world have become keenly determined to use cryptography for their own legal, economic, and military advantage. We explore this concept.

Root Causes 598: Why Johnny Can't authN in OT

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Mon, 30 Mar 2026 17:25:50 +0000

A recent CISA report declares that the nation's OT infrastructure is incapable of keeping up with the crypto agility and certificate management needs that modern security demands. We examine this finding.

Root Causes 597: If You Don't Hold the Keys, You Don't Hold the Subpoenas

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Fri, 27 Mar 2026 14:47:05 +0000

Microsoft has publicly stated that it will hand over Bitlocker keys to US law enforcement agencies without requiring a subpoena or court order. These keys can be held by users rather than Microsoft, at their option. We dive into this topic.

Root Causes 596: CLM and Operational Uptime

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Wed, 25 Mar 2026 13:21:18 +0000

We usually think of Certificate Lifecycle Management (CLM) as a security category. But we could equally well categorize it as an operations category that enables uptime. In this episode we make our case.

Root Causes 595: What Is a Digital Parasite?

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Mon, 23 Mar 2026 13:42:55 +0000

We introduce the concept of a "digital parasite," explaining why this attack philosophy appears to be on the rise.

Root Causes 594: Google's Five PQC Recommendations for Policy Makers

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Wed, 18 Mar 2026 21:04:04 +0000

In a recent blog post Google made five recommendations for policy makers. We walk down the list.

Root Causes 593: New PQC Guidance from CISA

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 16 Mar 2026 09:00:00 +0000

CISA (Cybersecurity and Infrastructure Security Agency) has released new guidance about post-quantum cryptography in critical infrastructure, including some very sobering warnings. We go into the details.

Root Causes 592: When a CAA Record Outlives the CA

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 13 Mar 2026 08:20:00 +0000

CAA records exist to restrict issuing CAs for a given domain to as few as one CA. But what happens when the CAA record outlives the CA to which it restricts issuance? Join us to find out.

Root Causes 591: Client Authentication Deprecation Date Moves Out

tim.callan@sectigo.com (Tim Callan Jason Soroko) — Wed, 11 Mar 2026 00:00:00 +0000

Chrome's deadline for deprecation of the clientAuth EKU and mTLS in public certificates has moved out. We give you the what, when, and why.

Root Causes 590: The Size of the CA Is Not the Size of the Risk

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Tue, 10 Mar 2026 01:05:31 +0000

It would be easy to believe that the amount of risk posed to the WebPKI by any individual public CA is somehow proportional to the number of active certificates that CA has. This is false, however. In this episode we address this misconception.

Root Causes 589: Is a Cryptographically Relevant Quantum Computer Economically Viable?

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Fri, 6 Mar 2026 16:45:05 +0000

We recently heard the argument that it's simply too expensive to develop a cryptographically relevant quantum computer. We vehemently disagree. In this episode we explain why.

Root Causes 588: It's Cryptographic Frogger from Here on Out

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Wed, 4 Mar 2026 17:49:13 +0000

In this episode Tim explains that the transition to PQC is not just a change in cryptographic algorithms but also a fundamental shift in how we treat our cryptography. From here on out, IT systems need to be fundamentally crypto agile in a way we've never had to be before. Cryptographic Agility is the key to solve this problem.

Root Causes 587: AI Orchestration for Attackers

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Mon, 2 Mar 2026 17:47:58 +0000

YouTube video version of this episode
https://youtu.be/-wMy3rPV1Lg

Root Causes 586: Beyond Harvest Now Decrypt Later

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Fri, 27 Feb 2026 00:00:00 +0000

We expand on the concept of trust-now-forge-later to list a whole bevy of additional attacks that eventually will be enabled by cryptographically relevant quantum computers.

Root Causes 585: The Cryptographic Inventory Manifesto

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Wed, 25 Feb 2026 00:00:00 +0000

We all love a good manifesto! Jason spells out the ten principles of the Cryptographic Inventory Manifesto, and we discuss.

Root Causes 584: Mapping DORA to CLM

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 23 Feb 2026 00:00:00 +0000

We look at the new European DORA and NIS2 regulations and how Certificate Lifecycle Management is a key requirement to meet these requirements. You will be surprised how explicit these requirements are.

Root Causes 583: AI Versus ECC P 256

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 20 Feb 2026 00:00:00 +0000

Recorded in Ottawa Ontario.

Root Causes 582: New Research Drastically Cuts Number of Qubits for Cryptographic Relevance

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 17 Feb 2026 00:00:00 +0000

New research indicates that the number of qubits necessary to achieve cryptographic relevance has reduced by two orders of magnitude. We cover this breaking news and its implications.

Root Causes 581: A Timeline for Deprecation of Manual DCV Methods

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 15 Feb 2026 00:00:00 +0000

By CABF ballot all manual methods of Domain Control Validation (DCV) will be deprecated by 2028. We explain which methods are due for deprecation and when.

Root Causes 580: Top Use Cases for Hybrid Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 13 Feb 2026 20:01:25 +0000

We go over the qualities in abstract of a use case that strongly invites the use of hybrid certificates and then run down a list of specific use cases that meet these criteria. This includes OT systems, code signing, secure boot, WiFi, enterprise S/MIME, and more.

Root Causes 579: Make Cryptography Boring Again

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 10 Feb 2026 00:00:00 +0000

In this episode Jason declares that we must make cryptography boring again. We get into what that means and why it matters.

Root Causes 578: 200 Days Won't Actually Be 200 Days

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 9 Feb 2026 00:00:00 +0000

We have seen much talk of the upcoming drop of maximum TLS term to 200 days, followed by 100 days, and eventually down to 47 days. It happens that all those numbers are too large and the actual maxima will be less than that. We explain.

Root Causes 577: All the Stuff That's Coming in March

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 6 Feb 2026 00:00:00 +0000

March 2026 is due to be the most eventful month in the history of the WebPKI. Join us as we go over all the many changes coming next month.

Root Causes 576: Jeffries Dumps Bitcoin Due to the Quantum Threat

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 4 Feb 2026 00:00:00 +0000

A large investment firm divests from Bitcoin for fear of the quantum threat.

Root Causes 575: Shortening Certificate Term - All the Dates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 2 Feb 2026 00:00:00 +0000

Everybody knows about March 15 and the drop in maximum public TLS certificate term to 200 days. But that only scratches the surface on key dates with this maximum term reduction. Join us as we go over "all the dates" for TLS maximum term reduction.

Root Causes 574: 2025 Predictions Scorecard - Part 2

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 30 Jan 2026 00:00:00 +0000

We score our 2025 predictions in this second of two parts.

Root Causes 573: 2025 Predictions Scorecard - Part 1

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 28 Jan 2026 00:00:00 +0000

Every new year we make predictions for the year to come, and every year we go back and see how we did. This is the first of two parts scoring our 2025 predictions.

Root Causes 572: Quality of Entropy

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 26 Jan 2026 00:00:00 +0000

We discuss the idea that not all cryptographic entropy is equally "random" and potential consequences.

Root Causes 571: Will There Ever Be a Cryptographically Relevant Quantum Computer?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 23 Jan 2026 00:00:00 +0000

We discuss the idea that it might be impossible to actually create a cryptographically relevant quantum computer and weigh in on this idea.

Root Causes 570: PQC Readiness at the Boardroom Level

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 21 Jan 2026 00:00:00 +0000

Repeat guest Chris McGrath shares what enterprises need to be doing now to stay on track for the NIST PQC deadline in 2030.

Root Causes 569: New Regulations Are Changing the PKI Landscape

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 19 Jan 2026 00:00:00 +0000

Repeat guest Chris McGrath joins us to discuss how increasingly strict regulations are requiring increased rigor, visibility, and auditability for enterprise digital certificates and PKI.

Root Causes 568: Upping Your Certificate Game for Better Security

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 16 Jan 2026 00:00:00 +0000

Senior cyber security advisor Chris McGrath joins us to discuss redefining digital certificates and their role in your organizational security profile, increasing regulation of certificates, and how enterprises can up their certificate game.

Root Causes 567: Top 10 PQC Laggards in the Enterprise

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 14 Jan 2026 00:00:00 +0000

We name the ten enterprise environments and use cases that are most likely to be late adopters of post quantum cryptography (PQC).

Root Causes 566: Time Is a Security Primitive

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 12 Jan 2026 00:00:00 +0000

We discuss the foundational importance of time in PKI and security in general. This includes when things happen, the order in which things happen, and attacks based on time-spoofing. We drill down on certificates, roots, timestamping, Certificate Transparency, patching, audits, and PQC.

Root Causes 565: Our Response to QWAC Arguments - Part 3

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 8 Jan 2026 00:00:00 +0000

In our concluding episode on the topic, we scrutinize arguments made for and against QWACs, this time focused on "compliance and interoperability."

Root Causes 563: Our Response to QWAC Arguments - Part 1

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 5 Jan 2026 21:07:02 +0000

As a follow up to our episode 546, we break down the first of three sets of arguments about QWACs and examine their level of validity.

Root Causes 564: Our Response to QWAC Arguments - Part 2

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 5 Jan 2026 00:00:00 +0000

In our second of three episodes on the topic, we scrutinize arguments made for and against QWACs, this time focused on "governance and sovereignty."

Root Causes 562 : What Is a Side Oracle Attack?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 30 Dec 2025 00:00:00 +0000

You may have heard of side channel attacks. Now Jason explains what a side oracle attack is and how a side oracle attack in conjunction with AI could be effective against the HQC or Falcon PQC algorithms.

Root Causes 561: What Is Classic McEliece?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 23 Dec 2025 00:00:00 +0000

One of the NIST Round 3 PQC finalists that was never selected or eliminated is Classic McEliece. In this episode we explain in non-math terms how this algorithm works.

Root Causes 560: AI in 1000 Days - Small Language Models

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 18 Dec 2025 00:00:00 +0000

Continuing our examination of AI in 1000 days, we discuss the use of finely tuned small language models for highly specific use cases.

Root Causes 559: AI in 1000 days - Content Quality

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 16 Dec 2025 00:00:00 +0000

We discuss what happens when the quality gap between AI-generated and human-generated content drops to zero. We explore the consequences of this inevitable outcome.

Root Causes 558: AI in 1000 days - Human-in-the-loop Economy

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 15 Dec 2025 00:00:00 +0000

In our ongoing series on what AI will look like in 1000 days, we discuss the spread of a new business process, where AIs do the bulk of the work while humans sit in the loop for certain specific tasks and roles.

Root Causes 557: Top 5 PQC Laggards

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 12 Dec 2025 00:00:00 +0000

Following up on our list of top 5 PQC vanguards, in this episode we detail the top 5 PQC laggards.

Root Causes 556: Top 5 PQC Vanguards

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 10 Dec 2025 00:00:00 +0000

We describe the top five technology categories that are on the vanguard of driving PQC adoption. We describe what these categories have in common and how that results in early adoption of post quantum cryptography.

Root Causes 555: Perpretrators of Rogue Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 8 Dec 2025 00:00:00 +0000

We detail the top ten groups inside the organization who introduce rogue certificates into IT organizations.

Root Causes 554: Disentangling Quantum

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 5 Dec 2025 00:00:00 +0000

Tech watchers tend to conflate the many quantum technologies under development right now. In this episode we go through these technologies and explain how they connect.

Root Causes 553: Connecting Quantum Clocks to Cryptography

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 3 Dec 2025 00:00:00 +0000

We discuss quantum clocks and their potential role in cryptography.

Root Causes 552: 2026 Predictions

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 1 Dec 2025 00:00:00 +0000

We share our PKI predictions for 2026. Topics include PQC, eIDAS 2, CT logging, ACME, passkeys, CA distrust, AI model poisoning, and new attack vectors.

Root Causes 551: PKI in a Swarm at 50 mph

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 24 Nov 2025 00:00:00 +0000

Jason explores the role cryptography and trust systems play in the command and control of groups of autonomous drone systems.

Root Causes 550: WebPKI Certificate Lifespan - How Low Can You Go?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 21 Nov 2025 00:00:00 +0000

Certificate maximum term is shrinking. In this episode we examine exactly how short they could get.

Root Causes 549: AI 1000 Days from Now - the Defeat of Voice Authentication

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 19 Nov 2025 00:00:00 +0000

In our ongoing series on AI in 1000 days, we describe the inevitable, complete distrust of voice printing as an authentication method, including why and what we think will happen.

Root Causes 548: AI 1000 Days from Now - Emotional Intelligence

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 17 Nov 2025 00:00:00 +0000

We begin a new series about what we expect from AI in the next three years. In this episode we discuss AI emulating emotional intelligence and its benefits.

Root Causes 547: Should We Do Mass Revocation Fire Drills?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 14 Nov 2025 18:19:07 +0000

In this episode we discuss the value for enterprises in running mass revocation drills and compare the merits of tabletop exercises versus voluntary revocation events.

Root Causes 546: New Research Codifies Arguments for and Against QWACs

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 11 Nov 2025 00:00:00 +0000

We are joined by guests Pol Holzmer and Johannes Sedlmeir to describe their recent research that documents and organizes public arguments made about QWAC certificates. You can find this research at https://orbilu.uni.lu/handle/10993/66334.

Root Causes 545: What Is MOSH?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 10 Nov 2025 00:00:00 +0000

The MOSH tool aids the use of SSH-secured sessions, especially across different systems. Jason unpacks the security of this system and how it uses encryption and shared secrets.

Root Causes 543: AI Finds a Zero Day

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 5 Nov 2025 00:00:00 +0000

We have seen the first known instance of an AI tool discovering a zero-day vulnerability. This could have vast implications on vulnerability detection and bug bounty programs. We discuss the implications.

Root Causes 544: What Is Chain of Lure?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 5 Nov 2025 00:00:00 +0000

Chain of lure is an attack method used to circumvent restrictions and boundaries placed on AIs. Jason explains this attack and its implications.

Root Causes 542: Use Cases for HQC

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 2 Nov 2025 00:00:00 +0000

In this episode we go over some of the reasons one might choose HQC over ML-KEM as a PQC key exchange algorithm for specific circumstances. And we discuss the future diversity of cryptography.

Root Causes 541: Introducing the HQC PQC Algorithm

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 31 Oct 2025 00:00:00 +0000

NIST recently selected a second Key Exchange Module (KEM) among the PQC algorithms, HQC. We explain this code-based algorithm.

Root Causes 540: Contextual CBOM

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 27 Oct 2025 00:00:00 +0000

We define Cryptographic Bill of Materials (CBOM), which is more than a list of your cryptography and where it is. A CBOM need also include information about the PQC readiness of environments, availability of updates, and the importance of secrets.

Root Causes 539: What Is the Two-QWAC Architecture?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 22 Oct 2025 00:00:00 +0000

A new kind of eIDAS QWAC (Qualifieid Website Authentication Certificate) is on the way. The "two-QWAC architecture" introduces a second certificate containing organization information to be displayed by the browser, to sit alongside but independent of the certificate that authenticates a domain. We explain what's coming and why.

Root Causes 538: What Is an Entropy Desert?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 20 Oct 2025 00:00:00 +0000

An environment in which credentials are extremely predictable could be described as an entropy desert. There are occurring at a global scale. We discuss concepts like measurable entropy availability and entropy by design.

Root Causes 537: The Thermodynamics of Privacy

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 17 Oct 2025 00:00:00 +0000

In this episode we build on our concept of entropy-aware guidance to explain how we might quantify privacy. We touch on GDPR, proof of work, and Landaur's principle.

Root Causes 536: Patent Blocker on ML-KEM

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 15 Oct 2025 00:00:00 +0000

A patent dispute in 2024 nearly blocked ML-KEM. But emerging thinking raises concern that the 2024 resolution did not guarantee full, clear access to all ML-KEM implementations. We explain.

Root Causes 535: The CPS Is a Superset of Actual Practices

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 12 Oct 2025 00:00:00 +0000

The CPS must always be a superset of actual practices in a properly running CA. We explain why this is a product of good design.

Root Causes 534: Signing the Machines That Think

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 10 Oct 2025 17:47:53 +0000

Imagine what happens if you use the wrong LLM, including a malicious model placed there to create mischief or crime. How do you know? Jason proposes that, the same way we sign our code, we should be signing our AI models as well.

Root Causes 533: Flexibility Through Multi-CA Trust Models

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 7 Oct 2025 14:37:29 +0000

We discuss how a static PKI structure can hurt corporate flexibility and resilience. Events like reorgs and M&A activity can cause intractable problems with the wrong PKI setup. Plus, Jason coins the term PKI archeology.

Root Causes 532: Introducing Offline PKI

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 2 Oct 2025 00:00:00 +0000

In this episode, Jason describes how we might use the principles of PKI in a purely offline scenario.

Root Causes 531: Benefits of Single-purpose Root Hierarchies

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 1 Oct 2025 00:00:00 +0000

Public certificates are transitioning from multi-purpose root hierarchies to single-purpose ones. We discuss why.

Root Causes 530: Introducing the AI Iceberg

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 29 Sep 2025 00:00:00 +0000

We compare AI in 2025 to Internet in 1995 and describe the AI iceberg, including the majority of applications which are below the waterline.

Root Causes 529: What Is a Common Mark Certificate?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 24 Sep 2025 18:30:27 +0000

Verified Mark Certificates (VMC) now have a companion product for logos that are not registered trademarks, called a Common Mark Certificate (CMC). We explain the differences.

Root Causes 528: Misissued SSL Certificate for 1.1.1.1

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 17 Sep 2025 00:00:00 +0000

A CA has incorrectly issued TLS certificates for the 1.1.1.1 and 2.2.2.2 IP addresses. We go into the details.

Root Causes 527: Key Dates for the Deprecation of Public mTLS

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 15 Sep 2025 00:00:00 +0000

Client authentication using public TLS server certificates is on the deprecation path. In this episode we go through the key dates in this deprecation.

Root Causes 526: Voice Biometrics Are Worthless

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 12 Sep 2025 00:00:00 +0000

Based on the ready availability of AI-based voice cloning, we declare voice biometric authentication to be utterly valueless.

Root Causes 525: The End of Email-based DCV

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 10 Sep 2025 00:00:00 +0000

A new CABF ballot proposal will eliminate all email- and phone-based DCV over the next few years. We go into the details.

Root Causes 524: How to Kill Three Birds with One Stone

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 8 Sep 2025 00:00:00 +0000

Three major changes are coming to the world of public certificates, all of which require major changes in how organizations deploy, renew, and manage their certificates. These are 47-day SSL, PQC, and the deprecation of mTLS. We describe the overlap between these efforts and how to combine them for better efficiency and project management.

Root Causes 523: Will Your Configuration Block MPIC DCV?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 3 Sep 2025 00:00:00 +0000

MPIC (Multi-perspective Issuance Corroboration) is soon to move into enforcement phase. In this episode we describe three configuration decisions that can force Domain Control Validation (DCV) to fail and tell you what to do about them before you have a problem.

Root Causes 522: How Prepared Are Enterprises for PQC? (Part 2)

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 27 Aug 2025 00:00:00 +0000

We complete our description and commentary on the results of Sectigo's survey of enterprise preparedness for Post Quantum Cryptography (PQC).

Root Causes 521: How Prepared Are Enterprises for PQC? (Part 1)

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 22 Aug 2025 00:00:00 +0000

We begin to go over the results of Sectigo's recent survey of enterprises and their preparedness and plans for adopting Post Quantum Cryptography (PQC).

Root Causes 520: How Prepared Are IT Teams for 47-day Certificates?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 20 Aug 2025 00:00:00 +0000

Sectigo has released the results of its survey of IT professionals in charge of certificates to measure their readiness and preparation for 47-day maximum certificate term. We go over the results.

Root Causes 519: AI Is the Room

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 18 Aug 2025 00:00:00 +0000

AI is not the elephant in the room. It is the room itself. Jason explains what he means by that.

Root Causes 518: NCSC Lukewarm on FIDO WebAuthn

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 13 Aug 2025 16:39:38 +0000

Britain's National Cyber Security Centre recently issued a lukewarm verdict on passkeys as an authentication solution. We explore the problems with WebAuthn, including account recovery, spotty availability, inconsistent implementation, and lack of Linux support.

Root Causes 517: The Cost of Quantum Factoring

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 25 Jul 2025 00:00:00 +0000

Jason walks us through an important recent paper from Google tracking the cost of quantum factoring.

Root Causes 516: PQC for ADCS

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 21 Jul 2025 00:00:00 +0000

Microsoft has finally announced that it will offer an update to Active Directory Certificate Services (ADCS, formerly MSCA) to support post quantum cryptography. We discuss Microsoft's checkered support for ADCS and offer some questions users should be asking.

Root Causes 515: What Is Entropy-aware Governance?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 18 Jul 2025 00:00:00 +0000

Jason coins the term "entropy-aware governance" to describe the idea of using the degree of entropy it contains to measure the strength of any given secret. This could be an objective, consistent metric that could be applied to standard practices and requirements.

Root Causes 514: Diary of an Online Firestorm

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 16 Jul 2025 00:00:00 +0000

Tim describes how the addition of an item to the CABF face-to-face meeting agenda blew up into a panicked and outraged online thread. We discuss what a more functional response would have looked like.

Root Causes 513: Is Revocation the Best Remedy for CPS Misalignment?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 14 Jul 2025 00:00:00 +0000

We continue our discussion of CPS misalignment by discussing the reasons for revocation as a remedy, its disadvantages, and the possibility of another solution that provides the same benefits at less cost.

Root Causes 512: CPS Versus Practices Misalignment

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 11 Jul 2025 00:00:00 +0000

We examine the circumstance where otherwise allowed practices are out of alignment with the stated practices in the relevant CPS. We discuss CA transparency and accountability, increased scrutiny of the CPS, and mass revocation.

Root Causes 511: The GoML Root Store

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sat, 5 Jul 2025 18:45:33 +0000

We follow up on our discussion of the Get off My Lawn (GoTM) browser with Jason's adventure in creating his own custom root store.

Root Causes 510: Introducing the GoML Browser

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 26 Jun 2025 00:00:00 +0000

We discuss Jason's code vibing journey to create the Get Off My Lawn! (GoTM) browser. We discuss SSL certificate information, EV indicators, and cookie handling.

Root Causes 509: What Is a CPS?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 25 Jun 2025 00:00:00 +0000

We define CPS (Certificate Practices Statement) and explain the role it plays in both the WebPKI and private CAs.

Root Causes 508: What Is Code Vibing?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 23 Jun 2025 18:49:44 +0000

"Code vibing" is using generative AI to create or improve working code. We share Jason's adventure using code vibing to create his own web browser.

Root Causes 507: First Distrust of 2025

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 19 Jun 2025 21:36:04 +0000

The first CA distrust event of 2025 comes with two simultaneous CA distrusts. We give you the details.

Root Causes 506: Recap of CABF Face-to-face #65

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 17 Jun 2025 15:18:35 +0000

For the first time ever, Jason and I record an episode from the floor of the CA/Browser Forum face-to-face meeting. We recap the themes of this meeting, and Jason gives his first impressions of a CABF Face-to-face.

Root Causes 505: Trust Now, Forge Later

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 13 Jun 2025 00:00:00 +0000

In this episode we explain the potential for future quantum computers to break files signed today with RSA or ECC, called "Trust now, forge later."

Root Causes 504: Jason Programs a Quantum Computer

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 10 Jun 2025 21:46:47 +0000

Jason describes his recent experience using Amazon Braket.

Root Causes 502: The PQC Game of Chicken

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 4 Jun 2025 00:00:00 +0000

In this episode Jason explains the fallacy of "playing chicken" with the Quantum Apocalypse. We discuss stack ranking and "eyes open" PQC risk decisions.

Root Causes 501: Why Increasing RSA Key Size Won't Solve the Quantum Problem

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 2 Jun 2025 00:00:00 +0000

In this brief episode we explain why the problem that Shor's Algorithm poses to RSA and ECC can't be solved simply by increasing key size.

Root Causes 500: OMG! 500 Episodes of Root Causes!

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 29 May 2025 00:00:00 +0000

Wow. It's episode 500 of Root Causes. Jason and Tim talk about how the podcast has evolved in the past six years, how it remains consistent, and the updates we're making to keep being a valuable resource for our listeners.

Root Causes 499: Don't Blame Signal

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 27 May 2025 14:21:21 +0000

The recent Signal controversy highlights the importance of understanding what protections an E2EE messaging app provides, and what it does not.

Root Causes 498: UK NCSC PQC Guidance

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 23 May 2025 00:00:00 +0000

The UK National Cyber Security Centre (NCSC) has released new PQC guidance. We take exception to the dates it gives and explain why.

Root Causes 497: PQC Update with Sofia Celi

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 21 May 2025 00:00:00 +0000

Guest Sofia Celi (IETF, Brave) returns to talk about important developments in post quantum cryptography. Sofia tells us about her candidate algorithm MAYO and what is happening with the NIST PQC onramp. We learn about KEM TLS and the status of PQC initiatives in IETF.

Root Causes 496: E2EE Gmail

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 18 May 2025 00:00:00 +0000

Gmail is now end-to-end encrypted for all recipients, regardless of the receiving client. We explain how Gmail accomplishes this trick.

Root Causes 495: Trust Models and Post Quantum Cryptography

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 16 May 2025 00:00:00 +0000

We build on our Trust Models discussion to explore how organizations can structure their PKI for the transition to post quantum cryptography (PQC).

Root Causes 494: Introduction to Trust Models

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 13 May 2025 00:00:00 +0000

We explain the basics of trust models and compare various models including WebPKI, private CA, and consortium models.

Root Causes 493: Disentangling Public and Private Certificate Use Cases

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 7 May 2025 00:00:00 +0000

Changing root store requirements mean CAs must separate their root hierarchies for different certificate types. We explain why enterprises should consider private CA for some use cases.

Root Causes 492: When Mandatory Security Training Sucks

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 6 May 2025 00:00:00 +0000

In this episode we get excited about errors we see in mandatory security trainings.

Root Causes 491: RSA's Non-quantum Threat

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 1 May 2025 00:00:00 +0000

We are rejoined by Dr. Michele Mosca to explore the potential threat of RSA being broken even in the absence of a quantum computing attack.

Root Causes 490: Chrome and Chromium

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 28 Apr 2025 00:00:00 +0000

We define Chrome versus Chromium, explaining what each is and the difference between the two.

Root Causes 489: Does AI Nullify E2EE?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 24 Apr 2025 00:00:00 +0000

Does AI kill end-to-end encryption? There is a contention that the presence of AI agents in the workstream will render your confidential information visible outside the encrypted communication channels and therefore that E2EE is pointless. We explore this argument.

Root Causes 488: CABF Face-to-Face Meeting Update

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 22 Apr 2025 00:00:00 +0000

We explain the major news items from the most recent CA/Browser Forum face-to-face meeting in Tokyo. Topics include MPIC, 47-day certificate term, and Temporary Restraining Orders.

Root Causes 487: Security 2030

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 16 Apr 2025 00:00:00 +0000

Jason and I take a peek forward at what we imagine IT security looks like in 2030. Topics include PQC, ZTNA, "green zones," deep fakes, IoT, connected cars, agentic AI, blockchain, and CLM.

Root Causes 486: 47-day Maximum Term Ballot Passes CABF

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 14 Apr 2025 00:00:00 +0000

Apple's ballot to step the maximum term for public SSL certificates down to 47 days has passed in the CA/Browser Forum. We explain.

Root Causes 485: What Is Open MPIC?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 13 Apr 2025 00:00:00 +0000

Guest Dmitry Sharkov joins us to describe Open MPIC, the open-source project to help public CAs support MPIC.

Root Causes 484: Multi Good Factor Authentication

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 9 Apr 2025 00:00:00 +0000

We define multi good factor authentication, which is the idea that not all authentication factors are equal. We discuss the importance of considering authentication strength and the contextual nature of trust.

Root Causes 483: Introducing the PQC Sandbox

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 7 Apr 2025 00:00:00 +0000

We are joined by repeat guest Bruno Coulliard of Crypto4A to introduce Sectigo's new post quantum cryptography (PQC) sandbox. The PQC sandbox allows you to get quantum resistant certificates in your hands to understand how they work with your systems.

Root Causes 482: Microsoft and PQC

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 2 Apr 2025 00:00:00 +0000

In this episode we explore the potential PQC future for Microsoft Active Directory Certificate Services, aka MSCA. We discuss potential paths for Microsoft to take and their consequences.

Root Causes 481: What Is Protocol Ossification?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 31 Mar 2025 00:00:00 +0000

Protocol ossification is the phenomenon whereby ecosystems fail to work correctly with the full range of options included in a protocol. This occurs when individual software components only partially support the capabilities that should be available. We define protocol ossification, explain how and why it occurs, give real world examples, and talk about potential remedies.

Root Causes 480: White House PQC Executive Order

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 24 Mar 2025 00:00:00 +0000

Many people believe that the Trump White House rescinded an important cybersecurity executive order from late days of the Biden administration. We set the record straight.

Root Causes 479: AI Adversarial Machine Learning

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 21 Mar 2025 00:00:00 +0000

In this episode we discuss the thinking on how adversaries can exploit the flaws in AI models to achieve unexpected and dangerous results. We explore some potential paths of defense against attacks of this sort.

Root Causes 478: Should We All Switch from RSA to ECC?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 17 Mar 2025 00:00:00 +0000

RSA is under attack. Even without the quantum threat, we face the possibility of smart new exploits reducing the viable RSA key space and rendering it unsafe. In this episode we discuss the merits of choosing ECC over RSA as soon as today.

Root Causes 477: Comparative Security Philosophies

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 12 Mar 2025 00:00:00 +0000

We discuss how various popular computing platforms approach security and highlight the differences between them.

Root Causes 476: The Need for Security KPIs

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 10 Mar 2025 00:00:00 +0000

Jason recounts a 2024 Black Hat talk about the need for objective measurements of our IT defenses and whether the good guys or bad guys are winning. Jason breaks down how to define and measure the impact of security measures.

Root Causes 475: Can Your AI Scheme Against You?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 5 Mar 2025 00:00:00 +0000

It's the stuff of science fiction! Interesting research shows how today's AI technology is capable of lying to and scheming against its human owners in service of its goals.

Root Causes 474: Explaining Shor's Algorithm

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 2 Mar 2025 00:00:00 +0000

We talk a lot about Shor's Algorithm in our discussion of post quantum cryptography (PQC). In this episode Jason explains Shor's algorithm for non-quantum physicists.

Root Causes 473: Does Security Software Lack Creativity?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 28 Feb 2025 00:00:00 +0000

Jason reports on a 2024 Black Hat keynote about how modern software development practices inhibit innovation and invention.

Root Causes 472: AI Offensive Modeling

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 26 Feb 2025 00:00:00 +0000

AI tools are now available to perform red-teaming activity for DevSecOps. Such tools are soon to be table stakes in the constantly escalating IT security arms race. Join us to learn more.

Root Causes 471: ACME for PQC

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 23 Feb 2025 00:00:00 +0000

In this episode, guest Alexandre Giron explains what is needed to support post quantum cryptography (PQC) with ACME.

Root Causes 470: The MFA False Equivalency Fallacy

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 19 Feb 2025 00:00:00 +0000

Not all forms of MFA are equally secure. In this episode we describe the differences between the more secure and less secure forms of MFA.

Root Causes 469: The All or Nothing Fallacy in Cybersecurity

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 17 Feb 2025 00:00:00 +0000

In this episode we explain the all-or-nothing fallacy in cybersecurity and how it's affecting debate in the WebPKI right now.

Root Causes 468: UK Demands New Backdoor from Apple

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 14 Feb 2025 00:00:00 +0000

A new demand from the UK seeks complete access to all Apple cloud data housed in the UK, regardless of the data owners' citizenship and residency. We unpack this latest development in Government versus Encryption.

Root Causes 467: Decoupling Public from Private Use Cases

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 12 Feb 2025 00:00:00 +0000

The past year has seen a great deal of focus on the use of public TLS certificates where private root certificates are actually the appropriate solution. In this episode we discuss the differences between these two use cases and what IT organizations can do about it.

Root Causes 466: Apple Moves 47-day Ballot to CABF Vote

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 9 Feb 2025 00:00:00 +0000

Apple is proceeding with a ballot that eventually will shorten SSL certificate maximum term to 47 days. Accompanying the ballot, Apple released a statement explaining its intent with the ballot. In this episode we unpack its statements.

Root Causes 465: Twelve Bugzilla Sins for CAs to Avoid

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 7 Feb 2025 00:00:00 +0000

In the wake of the Bugzilla Bloodbath, we list and describe twelve sins CAs commit on Bugzilla and its like, why they're detrimental, and how CAs should avoid them.

Root Causes 464: Defending Against Harvest and Decrypt

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 5 Feb 2025 00:00:00 +0000

Harvest and decrypt is a well-known attack vector against traditional cryptography prior to PQC. In this episode, we discuss what enterprises should be doing today to defend themselves against harvest and decrypt.

Root Causes 463: Cellular Networks Are Insecure

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 3 Feb 2025 00:00:00 +0000

In this episode we explain that all cellular networks, contrary to popular belief, are fundamentally insecure.

Root Causes 462: Crypto War 3.0

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 31 Jan 2025 00:00:00 +0000

In this episode we walk through the evolution of the war on cryptography, from the beginning up through today, terminating in what we call Crypto War 3.0.

Root Causes 461: Sectigo Acquires Entrust Public CA Business

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 29 Jan 2025 00:00:00 +0000

Sectigo today announced the acquisition of the Entrust public CA business. Entrust will go forward as a Sectigo reseller. Join us to learn the details.

Root Causes 460: The State of PQC with Michele Mosca

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 28 Jan 2025 00:00:00 +0000

In this episode we are joined by Dr. Michela Mosca. We discuss his pioneering work identifying the need for post-quantum cryptography, where PQC stands today, and what the future may hold.

Root Causes 459: 2024 Lookback - Shortening Certificate Lifespans & DCV

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 24 Jan 2025 00:00:00 +0000

2024 set in motion major changes for certificate lifespans and DCV. In this episode we discuss the Apple 47-day proposal, stepping down certificate term, public versus private CA use cases, DCV reuse periods, MPIC, WHOIS, and other topics.

Root Causes 458: Apple Extends Entrust Distrust to SMIME and VMC

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 19 Jan 2025 00:00:00 +0000

Apple has added itself to the Entrust distrust and has extended this distrust to S/MIME and VMC. We explain.

Root Causes 457: 2024 Lookback - Guests

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 17 Jan 2025 00:00:00 +0000

We had a remarkable year on the Root Causes podcast in terms of our guests. We look back at the extremely expert guests we were lucky to talk about in 2024.

Root Causes 456: 2024 Lookback - Bugzilla Bloodbath

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 14 Jan 2025 00:00:00 +0000

In this 2024 lookback episode, we give an overview of the firestorm of Bugzilla incidents that we refer to as the Bugzilla Bloodbath. The Bugzilla Bloodbath affected actions around the Entrust distrust, delayed revocation reform, 47-day SSL certificate maximum term, linting, and more.

Root Causes 455: PQC Standardization in IETF

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 8 Jan 2025 00:00:00 +0000

We talk with guest Sofia Celi of Brave Browser, who leads the IETF PQC standardization effort, about the process of setting standards for PQC-compatible digital certificates. We learn about expected timelines, hybrid strategies, the NIST PQC onramp's role, and more.

Root Causes 453: It Turns Out Monkeys Couldn't Type Shakespeare After All

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 2 Jan 2025 00:00:00 +0000

The old adage states that a monkey in front of a keyboard, given enough time, could randomly type the works of Shakespeare. Apparently, someone ran the numbers and said not so much. We break it down and explain why we're discussing this on a PKI podcast.

Root Causes 454: 2024 Lookback - Post quantum cryptography (PQC)

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 2 Jan 2025 00:00:00 +0000

2024 was an eventful year for post quantum cryptography (PQC). This includes FIPS standards, the PQC onramp, and the dawn of widespread interest among IT professionals.

Root Causes 452: 2024 Predictions Scorecard

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 26 Dec 2024 00:00:00 +0000

We go over our predictions for 2024 and score our ability as prognosticators.

Root Causes 451: A Year in CABF Ballots

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 26 Dec 2024 00:00:00 +0000

It was a crazy year for CA/Browser Forum activity, with nearly three times the normal number of ballots. Guest Martijn Katerbarg goes over the 32 CABF ballots from 2024.

Root Causes 450: 2025 Predictions

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 23 Dec 2024 00:00:00 +0000

We make our 2025 predictions. Topics include maximum certificate term, AI, post-quantum cryptography (PQC), deep fakes, and more.

Root Causes 449: What Is a Quantum-safe HSM?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 18 Dec 2024 00:00:00 +0000

Repeat guest Bruno Coulliard of Crypto4A joins us to define a quantum-safe (or PQC enabled) hardware security module.

Root Causes 448: The Privilege of Being a Public CA

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 17 Dec 2024 00:00:00 +0000

We go over Tim's September 2024 keynote speech at ENISA CA Day, "The Privilege of Being a Public CA."

Root Causes 447: NIST Deprecates RSA-2048 and ECC 256

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 13 Dec 2024 00:00:00 +0000

As part of its post-quantum cryptography (PQC) initiative NIST has released a draft deprecating RSA-2048 and ECC 256 by 2030 and disallowing them by 2035. We get into the details.

Root Causes 446: Sectigo Assumes Five CABF Offices

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 12 Dec 2024 00:00:00 +0000

Tim has stepped into the position of vice-chair of the CA/Browse Forum, and Sectigo now holds five chair or vice-chair positions in that body. We explain how leadership is chosen, the offices Sectigo holds today, and some of our vision for CABF in the next two years.

Root Causes 445: Seven Reasons to Shorten Certificate Lifespans

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 9 Dec 2024 00:00:00 +0000

We take a deep dive into the seven reasons shorter certificate lifespans are better.

Root Causes 444: What Happens to the WebPKI if Google Sells Chrome?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 5 Dec 2024 00:00:00 +0000

We discuss how a potential break of Chrome from Google would affect the WebPKI. We look at product changes, resourcing, post-quantum cryptography (PQC), innovation, moonshot initiatives, and other public CAs.

Root Causes 443: Is MSCA Going Away?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 1 Dec 2024 00:00:00 +0000

In this episode we discuss the challenges for enterprises using Microsoft Active Directory Certificate Services (ADCS).

Root Causes 442: Apple Proposal to Reduce SSL Lifespan Updated

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 25 Nov 2024 00:00:00 +0000

Apple has published an updated draft to its proposal for shortening the lifespan of SSL certificates, including a final maximum term of 47 rather than 45 days. We explain.

Root Causes 441: New White House Initiative Targets BGP

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 22 Nov 2024 00:00:00 +0000

A new White House initiative requires that federal agencies need to create plans to thwart BGP attacks. We discuss, including Resource PKI (RPKI) and Multi-Perspective Issuance Corroboration (MPIC).

Root Causes 440: Public Key Directories

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 18 Nov 2024 00:00:00 +0000

We talk about public key directories and complicating factors such as Tailscale, VPN, TOR, Cloudflare, and Zero Trust.

Root Causes 439: PQC Onramp Narrowed Down to 15 Candidates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 15 Nov 2024 00:00:00 +0000

NIST has narrowed its PQC onramp contest to 15 candidates. We go over who remains and the makeup of the remaining candidates.

Root Causes 438: PQC Is an Existential Requirement

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 12 Nov 2024 00:00:00 +0000

Repeat guest Bruno Couillard argues that cryptography is part of the foundational fabric of our lives and that the transition to PQC is an existential requirement.

Root Causes 437: Don't Blame the Linter

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 5 Nov 2024 00:00:00 +0000

Linters are essential tools for maintaining quality of certificate issuance. Public open-source linters are available to help CAs assure compliance. As a result, CAs have begun attributing gaps in coverage by public linters as the root cause for misissuance events. We explain why this is faulty reasoning.

Root Causes 436: Formal Proofs

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 29 Oct 2024 00:00:00 +0000

Formal proofs are critical to cryptography. We discuss how better processes and AI can accelerate formal proofs of cryptographic concepts.

Root Causes 435: The PQC "Q Day" Is Not That Simple

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 25 Oct 2024 00:00:00 +0000

The PQC community likes to debate when crypto relevant quantum computers will be available, which is sometimes called "Q day." In this episode we explain how radically oversimplified this concept is and dive into the nuances of what a "cryptographically relevant quantum computer" really will be.

Root Causes 434: Did Researchers Break AES Using Quantum Annealing?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 22 Oct 2024 00:00:00 +0000

News reports claim Chinese researchers broke AES with a quantum annealing computer. We clarify the details and talk about the implications of this reported discovery.

Root Causes 433: Will AI Eat All the Electricity?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 17 Oct 2024 00:00:00 +0000

We explore the question of whether or not we have enough electricity to fuel AI's expected growth.

Root Causes 432: Apple Floats New Short-lived Certificate Proposal

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 14 Oct 2024 00:00:00 +0000

Apple recently floated a draft CABF ballot for commentary that steps down maximum term for SSL certificates starting next year and eventually landing at 45 days in 2027. We share the details.

Root Causes 431: New Mozilla Proposal to Combat Delayed Revocation

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 11 Oct 2024 00:00:00 +0000

Deliberate delay of mandatory revocations has plagued the WebPKI in 2024. A new proposed policy from Mozilla stands to eliminate most of this behavior. In this episode we go over the proposal and explain its potential consequences.

Root Causes 430: How Does a TLS Handshake Work?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 9 Oct 2024 00:00:00 +0000

In this episode we give a high-level explanation of what happens in a TLS 1.3 handshake and then discuss what will happen when PQC is included.

Root Causes 429: ServiceNow Outage Due to Expired Root Certificate

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 8 Oct 2024 00:00:00 +0000

A ServiceNow private CA root expired, creating outages across hundreds of enterprises. We explain what appears to have gone on.

Root Causes 428: .MOBI Attack Puts WHOIS-based DCV into Question

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 4 Oct 2024 00:00:00 +0000

White hat researchers managed to take over WHOIS for the .mobi TLD. Among other things, this discovery foretells the death of WHOIS as a valid email source for Domain Control Validation (DCV).

Root Causes 427: Mapping CLM to NIST CSF 2.0

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 1 Oct 2024 00:00:00 +0000

In this episode we map the contributions of Certificate Lifecycle Management into the new NIST Cybersecurity Framework 2.0.

Root Causes 426: Expired Certificate Takes Down Bank of England

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 30 Sep 2024 00:00:00 +0000

A certificate expiration is now known to have created July's outage of Bank of England. Join us as we shake our heads in amazement yet again.

Root Causes 425: PQC Requirements for Voting Systems

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 27 Sep 2024 00:00:00 +0000

In honor of the upcoming US elections, we describe the six main requirements for a post-quantum voting system.

Root Causes 424: Using LoRA IoT Protocol for Clandestine Communications

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 25 Sep 2024 00:00:00 +0000

In this episode we describe the LoRA protocol, which allows IoT devices to communicate securely without using a cellular network, and how it can be used for secret communications.

Root Causes 423: Is a Certificate Software or a Service?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 20 Sep 2024 00:00:00 +0000

In this episode we discuss the dual nature of a public certificate as both a file and part of a holistic service that lasts until its expiration. We discuss revocation checking, CT logging, GAAP accounting, linters, certificate tracking tools, Certificate Lifecycle Management, standards bodies, post-quantum cryptography, and subscription models.

Root Causes 422: New Date for Entrust Distrust

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 19 Sep 2024 00:00:00 +0000

The Chrome root program has changed the date for the Entrust distrust. Join us to get the details.

Root Causes 421: FIDO 2 Implementation Problems

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 16 Sep 2024 00:00:00 +0000

White hat researchers have raised concerns about FIDO 2 (AKA WebAuthn). We explain.

Root Causes 420: New Side Channel Attack Against YubiKeys

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 13 Sep 2024 00:00:00 +0000

EUCLEAK, a newly revealed side channel vulnerability, can clone the contents of a YubiKey. We talk about the attack and its significance.

Root Causes 419: What Happens to Vendors Who Don't Support ACME When 90-day Certificates Come?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 8 Sep 2024 00:00:00 +0000

Though it is the closest thing to an industry-standard API, there are still products and operating systems that don't support ACME. In this episode we explore what happens to these products once 90-day SSL certificates become the requirement.

Root Causes 418: Moving from Cryptographic Homogeneity to Cryptographic Heterogeneity

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 6 Sep 2024 16:48:26 +0000

One seldom discussed consequence of quantum computers and PQC is the move from cryptographic homogeneity to cryptographic heterogeneity, with multiple KEMs and DSAs eventually expected as ongoing standards. We examine the consequences of this change.

Root Causes 417: Introducing pkimetal, the PKI Meta-linter

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 2 Sep 2024 00:00:00 +0000

We introduce pkimetal, an open source project from Rob Stradling that allows CA to write to many popular linters with a single integration. We explain the importance and pitfalls of linters and how pkimetal improves linter implementation.

Root Causes 416: SSL Subscriber Uses a Restraining Order to Prevent Revocation

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 29 Aug 2024 00:00:00 +0000

An enterprise SSL subscriber recently used a Temporary Restraining Order to prevent the proper revocation of misissued certificates. We explain what happened, why it's deeply problematic, and how the industry might consider responding.

Root Causes 415: What Can I Do with These New FIPS PQC Standards?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 27 Aug 2024 00:00:00 +0000

NIST recently released PQC algorithmic standards in FIPS-203, FIPS-204, and FIPS-205 (ML-KEM, ML-DSA, and SLH-DSA). We describe what is necessary for enterprises to begin using these algorithms.

Root Causes 414: What Are the Revocation Periods for Public Certificates?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 23 Aug 2024 00:00:00 +0000

In this episode we detail the mandatory revocation periods for leaf certificates and intermediates and explain when a 24-hour versus a 120-hour revocation deadline applies.

Root Causes 413: NIST Releases Standards for First Three PQC Algorithms

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 16 Aug 2024 00:00:00 +0000

On August 13, 2024, NIST released its first three standards for PQC algorithms, ML-KEM, ML-DSA, and SLH-DSA. We tell you where to find them and talk about what happens next.

Root Causes 412: Google Throws in the Towel on Eliminating Cookies

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 13 Aug 2024 00:00:00 +0000

Cookies are incredibly useful but also pose grave privacy concerns. We have in the past covered Chrome's initiatives to replace cookies. Now Chrome has announced that for the foreseeable future cookies will remain. We explain.

Root Causes 411: PQC Security Levels

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 9 Aug 2024 00:00:00 +0000

A popular belief is that Grover's algorithm will require that we double our AES key sizes. Repeat guest Bas Westerbaan of Cloudflare explains why this myth is incorrect and talks through the concept of "security levels" in post-quantum cryptography.

Root Causes 410: CrowdStrike, Automatic Updates, and Walled Gardens

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 6 Aug 2024 00:00:00 +0000

We examine one specific aspect of the recent CrowdStrike flaw. Microsoft blames the problem on the fact that it must, by European law, allow kernel updates to Windows. We unpack the challenges this poses.

Root Causes 409: Mozilla Distrusts Entrust

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 2 Aug 2024 00:00:00 +0000

This week Mozilla chose to follow Chrome in deprecating the Entrust trusted roots. We give you the details and explain why this action matters.

Root Causes 408: Takeaways from Recent Conversations with PQC Experts

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 29 Jul 2024 00:00:00 +0000

In the past three months we featured far-ranging conversations about post-quantum cryptography (PQC) with experts Bas Westerbaan of Cloudflare, Dustin Moody of NIST, and Bruno Coulliard of Crypto4A. In this episode we recap important takeaways from these conversations.

Root Causes 407: Whatever Happened to Passkeys?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 25 Jul 2024 00:00:00 +0000

WebAuthn arrived last year with great fanfare. But here we are in the latter half of 2024, and they are rarely used. In this episode we discuss why.

Root Causes 406: Certificate Discovery Is for Internal Certificates, Too

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 22 Jul 2024 00:00:00 +0000

When we discuss certificate discovery in CLM platforms, there is a common assumption that we're talking about public certificates exclusively. In this episode we explain the value of certificate discovery for internal PKI certificates also.

Root Causes 405: What Is an Adversarial Self-replicating Prompt?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 19 Jul 2024 00:00:00 +0000

In this episode we explain what an adversarial, self-replicating prompt, otherwise known as a prompt worm.

Root Causes 404: SCOTUS Ruling Will Change IT Security Regulation

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 16 Jul 2024 00:00:00 +0000

The US Supreme Court has struck down the Chevron Deferment, which greatly expanded federal agencies' power to interpret and enforce statutes. This monumental ruling stands to shift power considerably from agencies to courts and will put more pressure on legislatures to determine precise laws around tech. We explore the consequences of this ruling.

Root Causes 403: NIST PQC Contest Round 4 and Onramp with Dustin Moody

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 12 Jul 2024 00:00:00 +0000

We are joined again by Dustin Moody, who leads the NIST search for PQC algorithms. In this episode Dustin describes going-forward efforts, including Round 4 of the NIST contest and the Onramp. We discuss some of the candidate algorithms and the consequences of having multiple algorithms available for use.

Root Causes 402: New Social Engineering Powershell Attack

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 9 Jul 2024 00:00:00 +0000

A new social engineering exploit instructs victims to enter command line prompts to hack themselves on behalf of the hacker. We explain and discuss potential responses.

Root Causes 401: New SSH Remote Code Execution Vulnerability Revealed

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 5 Jul 2024 00:00:00 +0000

A newly revealed OpenSSH vulnerability can open enterprises to remote code execution. We explain what is happening, why you should care, and what to do about it.

Root Causes 400: French Court Orders DNS Poisoning

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 2 Jul 2024 00:00:00 +0000

To combat piracy of sporting event transmissions, a French court has ordered major tech companies including Google and Cloudflare to poison DNS settings. In this episode we provide some detail and generally marvel at this strange decision.

Root Causes 399: Entrust Distrusted

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 28 Jun 2024 00:00:00 +0000

On June 27, 2024 Google Chrome announced it was distrusting Entrust as a public CA starting November 1, 2024. We explain what to expect, go over Google's stated reasons, and share some of what lead up to this.

Root Causes 398: History of the NIST PQC Contest with Dustin Moody

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 27 Jun 2024 00:00:00 +0000

In this episode we are joined by Dr. Dustin Moody, leader of the NIST post-quantum cryptography contest. Dustin gives us an inside view of the background behind NIST's decision to run the contest and how we got to where we are today.

Root Causes 397: All Post Quantum Systems Are Terrible

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 24 Jun 2024 00:00:00 +0000

In this new conversation with Bas Westerbaan of Cloudflare, we reveal that all existing PQC systems present significant problems for incorporation into our existing ecosystems. We explain the problems with existing systems and some options for what to do about it.

Root Causes 396: The Trouble with Microsoft Recall

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 21 Jun 2024 00:00:00 +0000

Microsoft has proposed a feature called Recall that uses screen images to fuel AI-assisted capabilities. This has raised fears about the security decisions around this capability. We talk about why and how the proposed technology has resultingly changed.

Root Causes 395: Is Y2Q Like Y2K?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 18 Jun 2024 00:00:00 +0000

In this episode we compare the advent of cryptography relevancy of quantum computers (somestimes called Y2Q) to Y2K. We uncover similarities and differences and discuss how they govern decision making between now and Y2Q.

Root Causes 394: Snowflake, Ticketmaster, and MFA

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 14 Jun 2024 00:00:00 +0000

In this episode we drill down on one aspect of the loss of more than 500 million Ticketmaster users' data, which is the use of MFA for access to the Snowflake platform.

Root Causes 393: PQC-enabled Chrome Breaks Other Software

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 11 Jun 2024 00:00:00 +0000

Chrome's recent 124 release supports PQC algorithms from NIST. This has led to the discovery of software and systems that break under these circumstances. We explain what happened, why, and what to do about it.

Root Causes 392: Chromium Issues a Quality Ultimatum

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 7 Jun 2024 00:00:00 +0000

In the most recent CA/Browser Forum face-to-face meeting, the Google Chrome root program gave a presentation clearly defining its expectations for quality of incident reporting from CAs with an eye to where many CAs have been failing. We relate Chromium's statements and their significance.

Root Causes 391: 20 Percent of Web Visits Are PQC Enabled Today

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 4 Jun 2024 00:00:00 +0000

Cloudflare research engineer Bas Westerbaan joins us to share his observations about post-quantum cryptography and what it does in the real world. We talk about the pragmatic needs of moving the internet for PQC and speculate about timelines for availability of PQC certificates.

Root Causes 390: Chromium Boosts Its Distrust Agility with a New Root Trust Deprecation

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 31 May 2024 00:00:00 +0000

A root trust deprecation highlights new Chrome functionality that enables more agile and less disruptive distrust events. We explain the significant of this event.

Root Causes 389: 2024 RSA Conference Wrap Up

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 28 May 2024 19:00:40 +0000

Jason and I do our annual RSA wrap-up. Trending segments include AI, Trust Centers, MFA, PQC, and more.

Root Causes 388: What Is the WebPKI?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 22 May 2024 00:00:00 +0000

These days we frequently discuss "the WebPKI." But what does that really mean? In this episode we define the term and explain how this definition evolved over time. We give an inventory of a main components of the WebPKI and discuss what's required to become a CA.

Root Causes 387: What Is the Post-quantum Readiness of HSMs?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 16 May 2024 00:00:00 +0000

We take a deep dive with return guest Bruno Coulliard on HSMs and the role they play in post-quantum cryptography (PQC).

Root Causes 386: Meta Commits MITM Attack On Its Users

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 13 May 2024 00:00:00 +0000

Recent court documents reveal that in 2016 Meta (then Facebook) set up a system to get around encryption and spy on traffic between its users and competing social media platforms. We explain what happened.

Root Causes 385: Failed Revocation and Wildcard Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 10 May 2024 00:00:00 +0000

We discuss misuse of wildcard certificates, failure to revoke on time, and how these two failures magnify each other.

Root Causes 384: So What Is a Senior Fellow Anyway?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 7 May 2024 00:00:00 +0000

Jason has a new title, Senior Fellow. In this episode Jason explains what his new focus will be and how this will be good for Root Causes.

Root Causes 383: Delayed Revocation Events by the Numbers

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 2 May 2024 00:00:00 +0000

An epidemic of delayed revocations has infected the public CA community. We track delayed revocations since the beginning of 2021, examine the trend line, and discuss root causes.

Root Causes 382: Mobile Phone Malware Steals Faces for Access

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 29 Apr 2024 00:00:00 +0000

New malware photographs users' faces to defeat authentication mechanisms. We explain the that biometrics are not "secrets" and discuss the continuing progression of attacks to steal biometrics.

Root Causes 381: Apple Chip Sideloading Attack Leaks Encryption Keys

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 26 Apr 2024 00:00:00 +0000

A newly revealed side channel attack enables theft of private keys from M-series Apple chips. We explain.

Root Causes 380: What If Quantum Supremacy Comes Earlier Than We Thought?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 22 Apr 2024 00:00:00 +0000

Repeat guest Bruno Coulliard gives us an update on the US government's migration to post-quantum cryptography (PQC). We talk about the challenges to migration, the possibility of a black swan event in achieving quantum supremacy, and what happens if we all respond by pressing the "panic button" at the same time.

Root Causes 379: AI-generated Fake IDS for KYC

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 18 Apr 2024 00:00:00 +0000

Inexpensive and easily obtained deepfake photographs of IDs, generated by AI, are available online. These pose a problem for KYC initiatives.

Root Causes 378: Why Are Forced Revocations So Difficult?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 15 Apr 2024 00:00:00 +0000

In the latest in our ongoing series of discussions of the Bugzilla Bloodbath, we delve deep into the problem of failure to revoke on time and the multiple causes that lead to this ongoing failure. And what to do about them.

Root Causes 377: Is CPS/Issuance Misalignment a Revocation Event?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 11 Apr 2024 00:00:00 +0000

If you issue public certificates that are fully compliant except that they do not reflect what your CPS says, are they misissued? Do they require revocation? This is a question with real stakes as we see multiple current instances of a CA denying revocation for that reason. In this episode we explore this issue.

Root Causes 376: Gartner's New CLM Framework

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 8 Apr 2024 00:00:00 +0000

Gartner has released a new framework for Certificate Lifecycle Management, called the Seven Core Functions of Certificate Automation. We walk through this framework and answer how it fits in with our own Five Pillars of CLM.

Root Causes 375: What Is Name Space Lifecycle Management?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 5 Apr 2024 00:00:00 +0000

In this guest episode we discuss name space hygiene with Geir Rasmussen, founder of NodeZro. CNAMEs, SPF, DMARC, name server entries, and other DNS identifiers, left unattended, can expose companies to identity-based attacks. We lay out the steps in addressing name space cleanup.

Root Causes 374: NIST Cyber Security Framework 2 Released

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 31 Mar 2024 00:00:00 +0000

NIST Cyber Security Framework version 2.0 is released. It includes guidance on identity management and authentication. In this first episode of a series, we describe this framework's basic structure and its effect on industry.

Root Causes 373: Massive Brand Hijack Subverts More Than 21,000 Domains and Subdomains

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 29 Mar 2024 00:00:00 +0000

A massive name space attack has hijacked more than 21,000 domains and subdomains, including a who's who list of major global brands. This huge and innovative attack takes advantage of inherited trust in abandoned domains. We explain what is happening.

Root Causes 372: Bugzilla Bloodbath

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 26 Mar 2024 00:00:00 +0000

It's a bloodbath on Bugzilla. Since March 9, more than 25 new Bugzilla bugs been written up, which is 10x the typical pace. And it's not over. In this episode we explain what is going on and why.

Root Causes 371: MPIC Rules Go to CABF Ballot

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 22 Mar 2024 00:00:00 +0000

A ballot for Multi-perspective Issuance Corroboration (MPIC), formerly known as MPDV, has entered a discussion period in the CA/Browser Forum (CABF). We explain the details of what it contains.

Root Causes 370: Drama on Bugzilla

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 19 Mar 2024 00:00:00 +0000

An evolving incident on Bugzilla has garnered a lot of attention and touches several important issues in the WebPKI ecosystem. We report what went on and unpack the issues involved.

Root Causes 369: iMessage to Be PQC Enabled

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 14 Mar 2024 00:00:00 +0000

Apple has announced that iMessage will employ post-quantum cryptography (PQC). We explain the implications of this announcement.

Root Causes 368: CRYSTALS-Kyber Is Now ML-KEM

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 13 Mar 2024 00:00:00 +0000

What has been known as CRYSTALS-Kyber now has the new official name of Module Lattice-based Key Encryption Module, or ML-KEM. We give an update on the state of the NIST round 3 winners.

Root Causes 367: Did an IoT Toothbrush Botnet Perform DDoS Attacks?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 7 Mar 2024 00:00:00 +0000

A story circulated earlier this year about a botnet composed of millions of IoT toothbrushes, which later was debunked. We tell you the whole tale.

Root Causes 366: What Is eIDAS?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 4 Mar 2024 00:00:00 +0000

eIDAS 2.0 has been making headlines recently with its proposed expansion to the European digital identity ecosystem. But what is eIDAS? What does it do, and why does it exist? In this episode we give you the basics.

Root Causes 365: What Is Subdomain Hijacking?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 26 Feb 2024 00:00:00 +0000

In this episode we explain subdomain hijacking, including dangling subdomains and how they can constitute vulnerabilities.

Root Causes 364: Video Conference Deepfake Enables $25 Million Theft

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 22 Feb 2024 00:00:00 +0000

Deepfakes continue to show themselves as part of the standard criminal toolkit. A recent deepfake spear phish enabled a $25 million Business Email Compromise (BEC). We explain what happened.

Root Causes 363: Defending Yourself Against Use of Stolen Privileges

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 18 Feb 2024 00:00:00 +0000

CloudFlare recently published details of an attack it suffered as a downstream effect of a November 2023 breach against Okta and what it did to nullify its success. We discuss the steps enterprises can take to protect themselves against malicious use of stolen access credentials.

Root Causes 362: When You're Attacked by a State Actor

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 12 Feb 2024 00:00:00 +0000

In this episode we share the details of a recent nation state actor attack on Microsoft and some of the lessons learned.

Root Causes 361: The Premise of on Premise

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 9 Feb 2024 00:00:00 +0000

In this episode we examine commonly held belief that on-premise systems give system administrators greater levels of control and that that is better for security or other reasons. We explore the pros and cons of extra control, to what degree it is a benefit, and if it's worth it.

Root Causes 360: Joe Biden Deepfake Plays in New Hampshire Primary

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 6 Feb 2024 00:00:00 +0000

A deepfake of Joe Biden's voice made an appearance in robocalls leading up to the New Hampshire primary. We discuss this latest development and its implications.

Root Causes 359: 90-day SSL Won't Affect Organization Validation Periods

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 2 Feb 2024 00:00:00 +0000

With maximum 90-day term coming for public SSL certificates and DCV reuse also moving to 90 days, we explain why we do not expect a similar reduction in the reuse period for organization validation.

Root Causes 358: Security Questionnaire Sins

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 30 Jan 2024 00:00:00 +0000

In this episode we present a catalog of "security questionnaire sins," which are avoidable problems and errors that frequently occur in the security questionnaires enterprises send to vendors. Categories include difficulty of access, poor technical implementation, poor policies, and poor questions.

Root Causes 357: Signed Digital Photographs

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 26 Jan 2024 00:00:00 +0000

Three major camera manufacturers have joined to create a standard for signed digital images from their cameras.

Root Causes 356: Will MPDV Eliminate Email-based DCV?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 22 Jan 2024 00:00:00 +0000

Multi-perspective Domain Validation (MPDV) is a necessary evolution of Domain Control Validation (DCV) to protect against Border Gateway Protocol (BGP) attacks. We explore how MPDV may affect accepted DCV methods, especially the email method.

Root Causes 355: Should a Managed PKI Provider Do Whatever the Customer Wants?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 19 Jan 2024 00:00:00 +0000

In this episode we explore whether a managed PKI provider should give complete control over PKI decisions to the end customer or if it should enforce certain minimum standards and principles regardless of what the customer asks for.

Root Causes 354: CyberSlash Attack Against CRYSTALS-Kyber

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 16 Jan 2024 00:00:00 +0000

A newly published attack against common implementations of CRYSTALS-Kyber illustrates how cryptographic implementations can be vulnerable even if the cyphers themselves remain sound.

Root Causes 353: Why Isn't PKI Everywhere?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 9 Jan 2024 00:00:00 +0000

Our hosts firmly believe that PKI is a necessary component of all digital interactions. And yet there are still gaps in PKI implementation. We discuss these gaps and why they persist.

Root Causes 352: FBI Vs. End-to-end Encryption in Meta Apps

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 4 Jan 2024 00:00:00 +0000

Meta is finally rolling out end-to-end encryption across its messaging apps. This is the latest chapter in the long story of government versus encryption. We rant a little about this.

Root Causes 351: 2024 Predictions

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 27 Dec 2023 00:00:00 +0000

We look forward to 2024 and predict trends for PKI, certificates, and digital identity. We discuss shortening certificate lifespans, Multi-perspective Domain Validation (MPDV), eIDAS 2.0, OCSP, post-quantum cryptography (PQC), Certificate Lifecycle Management (CLM), passwords, root stores, and government versus encryption. Plus, will Jason be sent to the gulag for not being Canadian enough?

Root Causes 350: Public Certificates and the GDPR Right to Be Forgotten

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 21 Dec 2023 00:00:00 +0000

GDPR provides a "right to be forgotten," whereby individuals can demand the removal of PII from IT systems. This can run directly contrary to the transparency and permanence built into the DNA of public PKI systems. We explore this conundrum.

Root Causes 349: 2023 Lookback - Overall Trends

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 18 Dec 2023 00:00:00 +0000

We look back at PKI in 2023. Trends include artificial intelligence, enterprise crypto agility, the fall of OCSP, PKI everywhere, the weakness of passwords, and government versus the internet. We also look at last year's predictions and compare them to the year's events.

Root Causes 348: What Is a Merkle Tree?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 15 Dec 2023 16:22:34 +0000

One foundational element of modern cryptographic systems is the Merkle tree. Merkle tree is an enabler of blockchain and CT logs, among other things. We explain this data structure, its properties, and its use cases.

Root Causes 347: 2023 Lookback - Shortening Certificate Lifespans

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 11 Dec 2023 00:00:00 +0000

90-day SSL certificates is only part of it! 2023 has been a year of certificate lifespans getting shorter. We review these trends.

Root Causes 346: Private Credentials In Public Code

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 8 Dec 2023 00:00:00 +0000

In this episode we uncover the epidemic of private credentials in public-facing code repositories, including why it occurs and what do to about it.

Root Causes 345: Apple Versus European Sideloading

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 5 Dec 2023 00:00:00 +0000

The European Union is applying pressure to Apple to allow sideloading of applications. We go over why this is occurring, the potential dangers, and Apple's response.

Root Causes 344: Introducing the PQC Onramp

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 29 Nov 2023 00:00:00 +0000

NIST's Round 3 competition has yielded winners for standardization. But NIST wants to continue finding additional potential algorithms, especially those using non-Lattice schemes. We explain the PQC "onramp" and what we should expect.

Root Causes 343: The EIDAS 2.0 Controversy

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 22 Nov 2023 00:00:00 +0000

ETSI is preparing to release specifications for eIDAS 2.0. One controversial aspect of this new standard is that it limits browsers' ability to determine their own trusted roots. In this episode we explain this limitation and the concerns surrounding it.

Root Causes 342: Don't Change Your Password for Two Years

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 17 Nov 2023 00:00:00 +0000

The CA/Browser Forum rules stipulate how often forced password changes for CA employees are to occur. They don't, however, specify a frequency at which these forced changes must occur. Rather, they set the MINIMUM time before forced password changes can happen. Join us to learn why.

Root Causes 341: The Trouble with Security Questionnaires

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 13 Nov 2023 00:00:00 +0000

The practice of sending security questionnaires to technology vendors is exploding, and with it dysfunctional behavior is on the rise. In this episode we describe how security questionnaires are changing and the pitfalls associated with this emerging practice.

Root Causes 340: Is This Podcast Canadian Enough?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 6 Nov 2023 00:00:00 +0000

Canada's Online Streaming Act will require internet content providers to provide a minimum percentage of content produced by Canadians or face fines. We explore this latest episode in the theme of governments attempting to control the free flow of information on the internet.

Root Causes 339: The ROI of CLM

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 31 Oct 2023 00:00:00 +0000

In this episode we describe at a high level how to calculate the Total Cost of Ownership (TCO) of CLM as opposed to manual installation and management of certificates.

Root Causes 338: CLM and Your Career as an IT Professional

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 23 Oct 2023 00:00:00 +0000

In this follow up to our episode on CLM and the IT skills gap, we now discuss how CLM matters to individual IT professionals and can help progress careers and improve work life.

Root Causes 337: CLM and the IT Skills Gap

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 10 Oct 2023 00:00:00 +0000

For decades industry has had more need for skilled IT employees than the workforce could provide. In this episode we discuss how Certificate Lifecycle Management and certificate automation can help mitigate the challenges posed by the IT skills gap.

Root Causes 336: Digitally Signing Images on Cameras

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 3 Oct 2023 00:00:00 +0000

A recent press release discusses efforts of camera manufacturers and the digital imagery supply chain to create an ecosystem for digitally signed images. We describe what such an ecosystem would do, where it could do in the future, and the advantages and limitations of these schemes.

Root Causes 335: When MFA Is Not MFA

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 29 Sep 2023 00:00:00 +0000

In this episode we describe a social engineering attack to steal a one-time password (OTP) to enable unauthorized access. This incident further exploited a cloud backup feature to extend the scope of the breach. We explain.

Root Causes 334: What Is Attestation on the Web?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 26 Sep 2023 00:00:00 +0000

Most people hate dealing with CAPTCHA, but it offers great benefits for web site operators. In this episode we discuss alternatives to CAPTCHA, how they work, and their pros and cons. Plus, the Get-Off-My-Lawn! browser returns.

Root Causes 333: Intel Side Channel Attack Steals Private Keys

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 20 Sep 2023 00:00:00 +0000

A newly revealed side channel attack can capture AES encryption keys from Intel chips. We explain this significant and powerful attack.

Root Causes 332: Acoustic AI-based Key Logging Attack

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 14 Sep 2023 00:00:00 +0000

Researchers have built an AI model that can interpret keystrokes based on the sound of keyboard use over a phone or video call. Among other things, this technique can be used to steal passwords when the sound of logging in can be overheard. Join us as we learn about this new breed of credential harvesting.

Root Causes 331: Microsoft Restores Trust to VeriSign Code Signing Root

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 13 Sep 2023 00:00:00 +0000

Recent erroneous behavior for certain applications on Windows has drawn attention to the Microsoft trusted root store. It turns out that Microsoft removed - and then re-added - a legacy VeriSign root in its trusted roots list. We give you the details of what went on and why.

Root Causes 330: End-to-end PQC in Use Today

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 5 Sep 2023 00:00:00 +0000

Our hosts are joined by IronCap CEO Andrew Cheung as he discusses commercially available PQC solutions today, including VPN, email, and crypto currency.

Root Causes 329: What Is Messaging Layer Security?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 29 Aug 2023 00:00:00 +0000

The recently published Messaging Layer Security (MLS) protocol establishes key exchange protocols for participants in a simultaneous communication session for three or more participants. We explain its significance and possible futures for this standard.

Root Causes 328: What Is the Debian Weak Key Flaw?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 23 Aug 2023 00:00:00 +0000

In 2008 the world of SSL was shocked by the discovery of a flaw in a popular operating system that limited the total set of possible private keys on this OS to about 32,000. We explain what happened, industry response, and its consequences.

Root Causes 327: What Is Multi-perspective Domain Validation?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 18 Aug 2023 00:00:00 +0000

In this episode we explain Border Gateway Protocol (BGP) attacks and how multi-perspective domain validation (MPDV, also known as multi-vantage point domain validation) can defeat them.

Root Causes 326: The Difference Between .ml and .mil

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 15 Aug 2023 00:00:00 +0000

A recent Financial Times article reveals that mistyped email addresses aimed at the US military frequently are sent to email addresses in Mali instead, to the tune of hundreds of thousands per year. Some of this includes sensitive military content.

Root Causes 325: Certificate Error Causes Sharepoint Outage

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 11 Aug 2023 00:00:00 +0000

A recent outage in Microsoft Sharepoint was caused by an error in certificate installation. We explain what happened and the lessons to be learned.

Root Causes 324: Apple Vs New UK Surveillance Bill

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 7 Aug 2023 00:00:00 +0000

The battle between government and encryption continues. The UK is attempting to build secret back doors into end-to-end encrypted services. In response, Apple has threatened to remove Apple services from the UK, including FaceTime and iMessage.

Root Causes 323: Update on Microsoft Key Compromise

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 2 Aug 2023 00:00:00 +0000

In this follow up to our episode 320, we describe Microsoft's actions to mitigate this attack and explain new understanding that shows its impact to be broader than originally thought. Anyone using the Microsoft stack needs to understand this new threat.

Root Causes 322: RIP Kevin Mitnick

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 31 Jul 2023 00:00:00 +0000

In July famous security researcher Kevin Mitnick passed away. We briefly pay tribute to Kevin and talk about his contributions to white hat hacking as a practice.

Root Causes 321: CABF Moratorium on New Certificate Consumer Members

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 26 Jul 2023 00:00:00 +0000

The CA/Browser Forum recently passed a temporary moratorium on new members of the Certificate Consumer class. We explain how Certificate Consumers have been admitted in the past and the pros and cons of creating stricter rules for Certificate Consumers.

Root Causes 320: Microsoft-signed Root Kit Attack

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 24 Jul 2023 00:00:00 +0000

A new root kit attack in the wild is code signed by a Microsoft certificate. We explain kernel-level attacks, how powerful they are, and how this attack occurred.

Root Causes 319: EU Digital Wallets

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 21 Jul 2023 00:00:00 +0000

A new agreement mandates that European countries will make digital wallets available to their citizens in 2024. We explain what's coming and some of its implications.

Root Causes 318: What Is ACME Renewal Information (ARI)?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 18 Jul 2023 00:00:00 +0000

ACME is a functional and widely supported protocol for certificate provisioning and installation. A new extension to the protocol will help automate renewals. In this episode we explain ACME Renewal Information (ARI).

Root Causes 317: New Automotive CAN Bus Attacks Demand PKI

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 13 Jul 2023 00:00:00 +0000

In this episode we describe how physically accessing the CAN bus wires in a modern automobile can allow a thief to take over key fob functionality to unlock the doors, start the engine, and ultimately steal the vehicle. We explain how PKI can defeat this attack and what is necessary to get there.

Root Causes 316: SquareSpace Acquires Google Domains

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 11 Jul 2023 00:00:00 +0000

SquareSpace recently acquired Google's domain registry business. We discuss what this move says about large technology trends.

Root Causes 315: Will the SEC Sue SolarWinds Executives?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 7 Jul 2023 00:00:00 +0000

The SEC has sent "Wells notices" to two senior executives from SolarWinds, with regard to the 2019 supply chain attack. In this episode we explain these notices and their implication.

Root Causes 314: AI-based Deepfakes in Real Crimes

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 5 Jul 2023 00:00:00 +0000

We have spoken in previous episodes about the potential for deepfakes in real-world crimes. In this episode we discuss a variety of real-world attacks in which deepfakes have played a role. These include fake kidnapping, "sextortion," and a range of spear phishing attacks and social media scams.

Root Causes 313: SSL Revocation Reason Codes

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 22 Jun 2023 00:00:00 +0000

In 2022 Mozilla added a root program requirement that CAs include Reason Codes when revoking public TLS certificates. In this episode we explain the reason codes, along with some explicitly forbidden reason codes, and go into the backstory behind this requirement.

Root Causes 312: You Shouldn't Roll Your Own Crypto

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 20 Jun 2023 00:00:00 +0000

Don't roll your own crypto. In this episode we describe the findings from 2021 research that investigating the root causes of problems in cryptographic systems. The results may surprise you.

Root Causes 311: What Is CCADB?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 16 Jun 2023 00:00:00 +0000

We describe CCADB, the Common CA Database. We explain the role of CCADB in the WebPKI and how this role is evolving.

Root Causes 310: Another AI Episode

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 13 Jun 2023 00:00:00 +0000

In this episode we continue to explore the capabilities of AI to replicate known people in deep fakes with AI-generated content.

Root Causes 309: What Is Key Attestation for Code Signing?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 7 Jun 2023 00:00:00 +0000

On June 1, 2023 new rules for delivery of code signing certificates went into effect, requiring the certificate be delivered by secure HSM. In addition to shipping a token by mail, certificates can be electronically delivered to Subscriber-owned hardware that supports key attestation. In this episode we explain key attestation, supporting hardware, and the pros and cons of this method.

Root Causes 308: E-Tugra Root Deprecation

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 5 Jun 2023 00:00:00 +0000

For the second time in under twelve months, a major browser is deprecating a CA's public trust. This time it's E-Tugra. Learn about the concerns raised about this CA, investigation of these concerns, and the ultimate deprecation decision.

Root Causes 307: OT Red Teaming Leads to Malware Attack

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 31 May 2023 00:00:00 +0000

In this episode we describe how tools from operational technology red team exercises are being repurposed for malware attacks.

Root Causes 306: Certificate Transparency Logs and Privacy

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 26 May 2023 00:00:00 +0000

Certificate Transparency (CT) logs do a lot of good for the WebPKI. They also, however, carry with them some privacy concerns. In this episode we explain those concerns.

Root Causes 305: The Fifth Pillar of Certificate Lifecycle Management

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 22 May 2023 00:00:00 +0000

In our episode 143 we introduced the Four Pillars of Certificate Lifecycle Management. Now, two years later, we introduce a fifth pillar of CLM.

Root Causes 304: Your 90-day SSL Certificates Checklist

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 18 May 2023 00:00:00 +0000

90-day maximum term for SSL certificates is coming. In this episode expert guest Henry Lam details his four-point checklist for preparing enterprises for these shorter-lived certificates.

Root Causes 303: A Return to Chrome and the Address Bar

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 16 May 2023 00:00:00 +0000

In our recent episode 300 we discussed Chrome's upcoming removal of the lock icon from its interface. In this follow up, we catch the listener up on Chrome's longstanding program to minimize the URL in its interface, even to the point of contemplating removing the address bar entirely.

Root Causes 302: Intel Secure Boot Private Key Leak

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 12 May 2023 00:00:00 +0000

Resulting from a recent ransomware attack, a private key from Intel has been exposed, affecting more than a hundred OEM components and an unknown number of end user products. We explain what happened and its possible implications.

Root Causes 301: The Difference Between Certificate Automation and CLM

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 9 May 2023 00:00:00 +0000

This podcast frequently discusses the concepts of certificate automation and Certificate Lifecycle Management (CLM). In this episode we discuss how CLM does not always entail automation and vice versa -- along with where this distinction occurs and why it matters.

Root Causes 300: Chrome Eliminates the Lock Icon

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 4 May 2023 00:00:00 +0000

Google Chrome has announced that it will eliminate the lock icon in September. We explain what Google will be doing, its stated rationale, and the pros and cons of this decision.

Root Causes 299: 2023 RSA Recap

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 2 May 2023 00:00:00 +0000

The 2023 RSA Conference just concluded. This week Tim recaps what he saw at the show and how it reflects on security industry trends. Our hosts discuss Zero Trust, PQC, blockchain, artificial intelligence, post-COVID tradeshow behavior, and more.

Root Causes 298: Moving Forward, Together - Promoting Automation

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 28 Apr 2023 00:00:00 +0000

The Google Chrome root store has communicated its plans for promoting automation. In this episode we explain Chrome's public plans for this initiative, which is anchored around ACME.

Root Causes 297: Certificate Expiration Creates Starlink Outage

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 26 Apr 2023 00:00:00 +0000

A recent outage in the Starlink internet service was caused by an unexpected certificate expiration. We discuss this ongoing problem and how 90-day maximum certificate term will exacerbate it.

Root Causes 296: SHOULD We or MUST We?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 21 Apr 2023 00:00:00 +0000

The CA/Browser Forum guidelines contain many prescribed requirements, with language containing the word SHOULD or MUST. In this episode we explain the specifying power of these two words, why they are used, and what they signal about the intent behind a guideline and how the rules might evolve.

Root Causes 295: Genesis Criminal Marketplace Taken Down

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 17 Apr 2023 00:00:00 +0000

A large, public criminal marketplace for stolen logins and other information was rolled up by law enforcement across seventeen countries. Genesis Marketplace offered not only traditional login credentials but also associated data needed to defeat MFA.

Root Causes 294: Root Causes Honored by Webby Awards

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 13 Apr 2023 00:00:00 +0000

The Root Causes podcast has received a Webby Honoree award. Jason and Tim briefly celebrate and discuss the challenge of operating a niche, homemade podcast while being directly compared to professionally produced podcasts on mainstream topics from media companies. Plus, Tim's new Root Causes t-shirt.

Root Causes 293: What Is Certbot?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 10 Apr 2023 00:00:00 +0000

Certbot is an important part of the ACME standard. This open source tool makes it easier for many IT administrators to use ACME to automate provisioning and installation of SSL / TLS certificates.

Root Causes 292: Validation Data Reuse for 90-day Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 6 Apr 2023 00:00:00 +0000

As the industry explores the expected consequences of 90-day maximum term for SSL / TLS certificates, some are wondering if the allowed validation data reuse period stands to go down also. We explain today's data reuse rules and what the evidence indicates will be required for both domain control validation (DCV) and organization information validation.

Root Causes 291: CLM and SIEM

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 3 Apr 2023 00:00:00 +0000

We discuss how Certificate Lifecycle Management (CLM) interacts with Security Incident and Event Management (SIEM). The certificate world is chock full of events such as renewals, revocations, admin logins, and provisioning and removal of employee access. We talk about expected behaviors in the CLM and monitoring them.

Root Causes 290: What Are QGIS and QIIS?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 29 Mar 2023 00:00:00 +0000

In this episode we define Qualified Government Information Source (QGIS) and Qualified Independent Information Source (QIIS), which are critical to CABF-compliant organization validation. We explain how they fit into validation and the criteria for a reliable information source.

Root Causes 289: What Is a Cryptographic Center of Excellence?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 27 Mar 2023 00:00:00 +0000

In this episode we dig into an emerging idea, which is the cryptographic center of excellence. We discuss how such a center of excellence would work and the benefits it can bring to an enterprise.

Root Causes 288: ISARA Releases Patents on Hybrid Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 22 Mar 2023 00:00:00 +0000

In this episode we are joined by Atsushi Yamada, CEO of ISARA. He explains how ISARA has put its patents on hybrid certificates into the public domain and why. We explain the role of hybrid certificates in PQC and ongoing crypto agility.

Root Causes 287: GoDaddy Private Key Breach

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 20 Mar 2023 00:00:00 +0000

In this episode we describe an incident in which a GoDaddy breach exposed customer private keys. We explain the expectations surrounding private key exposure and get into the interesting question of when an incident is or is not part of a large company's CA business.

Root Causes 286: PKI and PQC in New White House Cybersecurity Initiative

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 16 Mar 2023 00:00:00 +0000

A new White House cybersecurity initiative specifically calls out digital identity and post quantum cryptography (PQC) among its focal areas. We discuss what it says and the potential implications.

Root Causes 285: Can ChatGPT Write Malware?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 14 Mar 2023 00:00:00 +0000

In our ongoing exploration of the security implications of AI, in this episode we examine the suitability of ChatGPT as a malware-writing tool and possible future directions for AI in software creation.

Root Causes 284: 90-day SSL Certificates Are on the Way

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 10 Mar 2023 00:00:00 +0000

The Google Chrome root program recently announced its intention to reduce the maximum term for public SSL certificates to 90 days. In this episode we explain this announcement and its implications and speculate on timing for this reduction.

Root Causes 283: Google Optional OCSP Proposal Clarified

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 6 Mar 2023 00:00:00 +0000

In our episode 281 we reported on Google's proposal for optional OCSP. In this episode we correct some of our earlier reporting in that episode, including the use of CRL and the removal of any revocation requirement for SSL certificates of not more than ten days in term.

Root Causes 282: HSMs and Post Quantum Cryptography

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 2 Mar 2023 00:00:00 +0000

Repeat guest Bruno Couillard of Crypto4A joins us to explain where Hardware Secure Modules (HSMs) fit into the world of PQC. We discuss the issues surrounding how HSMs will work with post quantum algorithms and hybrid certificates and the process (and timelines) for defining how HSMs will incorporate PQC.

Root Causes 281: Google Proposes Optional OCSP

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 26 Feb 2023 00:00:00 +0000

In response to concerns about OCSP and privacy, Google has proposed removing the requirement for OCSP revocation checking for public SSL certificates meeting certain specific conditions. In this episode we go into the details of this proposal.

Root Causes 280: Did an AI Break CRYSTALS-Kyber?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 24 Feb 2023 00:00:00 +0000

Recent news reports might suggest that an AI-enhanced side attack has defeated the CRYSTALS-Kyber PQC algorithm. In this episode we clarify that Kyber has not been defeated to date and exactly what did occur. We define side channel attack, discuss the broader implications of this attack, and speculate on what would happen if Kyber actually were broken.

Root Causes 279: ChatGPT Watermarking

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 19 Feb 2023 00:00:00 +0000

ChatGPT presents the potential problem of ChatGPT content being used and attributed to another source, such as a professional writer or a student. In this episode we discuss the idea of "watermarking" ChatGPT content, including stenography, randomness, entropy, and how to destroy the watermarks.

Root Causes 278: Microsoft on Certificates and FIDO

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 17 Feb 2023 00:00:00 +0000

Recent public discussion of FIDO and digital certificates reveal details of Microsoft's approach to consumer digital authentication. We discuss secure elements, Windows Hello, and the differences between B2C, B2B, and B2E.

Root Causes 277: Privacy Sandbox

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 13 Feb 2023 00:00:00 +0000

In the latest continuation of the effort to create better protections for consumer privacy while still enabling targeted advertising, Google has announced the Privacy Sandbox. In this episode we describe this latest foray, including concepts like k-anonymity and differential privacy.

Root Causes 276: ChatGPT and Identity Reputation

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 9 Feb 2023 00:00:00 +0000

ChatGPT and similar AI tools are dominating the public's mind these days. In this episode we discuss the potential for people to attempt to use ChatGPT as a source of reputational analysis, KYC, and other information about individuals, companies, and other entities. These activities are potentially subject to both error and deliberate misdirection. In this episode we explain why.

Root Causes 275: No Fly List Stolen

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 6 Feb 2023 00:00:00 +0000

In a recently revealed security breach, an attacker gained a copy of the full 2019 TSA No Fly list, including subject PII. This breach was enabled by failures in digital identity and encryption. Join us in unpacking what happened and the lessons to be learned.

Root Causes 274: New Quantum Readiness Law

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 3 Feb 2023 00:00:00 +0000

The U.S. government has a new law requiring that government agencies create plans for migrating to post-quantum cryptography in response to impending threats from quantum computers. In this episode we are joined by guest Bruno Couillard of Crypto4A to discuss the law and its implications.

Root Causes 273: A Deep Dive on CA Agnostic

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 30 Jan 2023 00:00:00 +0000

The industry is seeing more and more attention spent on the idea of CA agnosticism. As with any buzzy technology term, it can be used to mean a variety of things. Join us as we catalog the various ways a Certificate Lifecycle Management (CLM) system can be "CA agnostic."

Root Causes 272: OCSP's Privacy Problem

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 27 Jan 2023 00:00:00 +0000

Concerns recently have been raised about OCSP real-time certificate checking and its potential to violate privacy. In this episode we unpack these concerns and discuss the alternatives to OCSP.

Root Causes 271: A Whole Fleet of Identity-based Automotive Hacks

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 23 Jan 2023 00:00:00 +0000

A white hat security researcher recently revealed a large number of identity-based vulnerabilities across many automotive manufacturers. In this episode we explain how a group of white hats exploited these manufacturers' dependence on non-secret "secrets" such as VIN or email address to force a raft of unacceptable behaviors across a large number of automotive brands.

Root Causes 270: What Is the Difference Between KEM and PKE?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 20 Jan 2023 00:00:00 +0000

One of the little known changes that has come to the world of TLS is that the secret handshake and key exchange updated from Public Key Exchange (PKE) to Key Encapsulation Methods (KEM). In this episode we explain the difference between the two methods and why this change is taking place.

Root Causes 269: Did a Patent Dispute Nearly Derail Post Quantum Cryptography?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 16 Jan 2023 00:00:00 +0000

On July 5, 2022 NIST announced its Round 3 PQC winners. What most people don't realize is that same day, the interested parties cleared a patent dispute that had the potential to prevent several of the winning primitives from moving forward. Join us as we explain who held that patent, what the potential impediment was, and how everything was resolved.

Root Causes 268: WAFs Subverted by JSON Bypass

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 12 Jan 2023 00:00:00 +0000

In this episode we discuss rising attacks that overcome the protections of Web Application Firewalls (WAF). We explain these attacks, why this bypass might effective against you even if think it doesn't, and what you should do to ensure you're safe.

Root Causes 267: Can Quantum Computers Break RSA Today?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 9 Jan 2023 00:00:00 +0000

Much has been made of Schor's algorithm and the inevitable defeat of RSA using quantum computers. But a new research paper suggests a quantum computer may be applied to the problem in a fundamentally different way, hastening RSA's demise beyond even our current expected timelines. In this episode we discuss this new research, reactions to it, and its potential implications.

Root Causes 266: End-to-end Encryption in the Apple Technology Stack

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 4 Jan 2023 00:00:00 +0000

Recent announcements from Apple lay out a set of expansions in the scope and capability of encryption throughout the Apple ecosystem. In this episode we detail the announced changes and some of their implications.

Root Causes 265: A Banner Year for Post-quantum Cryptography

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 28 Dec 2022 00:00:00 +0000

2022 was post-quantum cryptography's biggest year so far. Our hosts are joined by guest Bruno Couillard, CEO and CTO of Crypto4A. We go over many developments in PQC, including the announcement of the NIST round 3 winners, the defeat of several late candidate algorithms, isogeny-based cryptography, hybrid certificates, and the significance of April 14, 2030.

Root Causes 264: Crypto Agility for 2023

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 23 Dec 2022 00:00:00 +0000

We define the important needs and initiatives that are changing the crypto agility landscape. We discuss topics including CA independence, cryptography in public clouds, post-quantum cryptography (PQC) agility, hybrid certificates, and FIDO 2/WebAuthn.

Root Causes 263: Secure Connection Methods Roundup

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 20 Dec 2022 00:00:00 +0000

In this episode we discuss the three methods a user might choose for secure remote communications: VPN, SSH, and TOR. For each we discuss the reasons you might choose them and the pros and cons of each.

Root Causes 262: The Continuing Erosion of Online Identity

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 14 Dec 2022 00:00:00 +0000

In one of our 2022 wrap up episodes, we look back at the continued erosion of the idea of reliable online identity throughout the year. We discuss the rise of deep fakes, celebrity phishing, voice biometrics, AI-generated art, trust models, and the failure of Twitter blue check marks.

Root Causes 261: Why I Don't Say Spoof

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 12 Dec 2022 00:00:00 +0000

The word spoof is a security industry term used in the context of social engineering attacks. In this episode we explore the word's connotations in different walks of life and why its connotations may not serve us well when applied to security concerns.

Root Causes 260: CA TrustCor Deprecated

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 8 Dec 2022 00:00:00 +0000

Public CA TrustCor has had its roots deprecated by Microsoft and Mozilla, following a public dialog about TrustCor's suitability as a public CA. This entire investigation was prompted by a Washington Post article articulating a series of connections between this CA and spyware purveyors. In this episode we explain these connections, the public dialog and investigation that occurred, and the ultimate deprecation of TrustCor.

Root Causes 259: What Went Wrong with the Twitter Blue Check Marks

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 30 Nov 2022 00:00:00 +0000

The Twitter authenticated identity blue check marks made a big splash and then quickly went away. In this episode we explore the intent of these check marks and why they failed. In particular, we detail the challenges involved in authenticating and vouching for the identity of an individual or organization.

Root Causes 258: New S/MIME Baseline Requirements Ratified

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 21 Nov 2022 00:00:00 +0000

The CA/Browser Forum has passed new Baseline Requirements for S/MIME certificates, in effect late 2023. In this episode we explain the broad stipulations of the new S/MIME BRs, including the multiple available levels of authentication and use case profiles that will be allowed.

Root Causes 257: FTX Crypto Exchange Collapses

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 17 Nov 2022 00:00:00 +0000

"If you don't hold the keys, you don't hold the cheese." Crypto exchange giant FTX recently collapsed, causing ripples through the cryptocurrency world. In this episode we focus on the cryptographic difference between cryptocurrency exchanges and other exchanges and how specific FTX user experience decisions led to the loss of valuable digital assets for investors.

Root Causes 256: What Is Harvest and Decrypt?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 16 Nov 2022 00:00:00 +0000

As we prepare for the reality of quantum computers breaking RSA and ECC, a keenly important concept to understand is "Harvest and Decrypt." The practical impact of Harvest and Decrypt is that for secrets with a reasonable lifespan, the quantum computer threat is much closer than you might think, including as early as today. In this episode we explain why that's the case and how this attack is likely to roll out.

Root Causes 255: What Is a Privacy Browser?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 11 Nov 2022 15:02:20 +0000

In this episode we describe privacy browsers, which quite simply are browsers designed to pay special attention to the user's privacy, including some of the strategies they use to protect privacy and the pros and cons of this approach.

Root Causes 254: Toyota Symmetric Key Exposed on GitHub

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 8 Nov 2022 00:00:00 +0000

In a recently exposed error, key material for a popular automobile manufacturer's PKI has been discovered on GitHub, resulting in exposure of sensitive information. In this episode we explain the dual errors that led to this breach.

Root Causes 253: OpenSSL Vulnerability Explained

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 4 Nov 2022 00:00:00 +0000

Last week the OpenSSL project announced an upcoming critical patch, leading to a great deal of speculation about this flaw and its implications for SSL certificates. We explain what the flaw was, what you should do, and why it is that certificates are unaffected.

Root Causes 252: Sidestepping Microsoft Email Encryption

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 30 Oct 2022 00:00:00 +0000

A recently revealed vulnerability in Microsoft Exchange encryption can be used potentially to break the encryption on stored emails. In this episode we explain ECB (Electronic Code Book encryption and how this attack can occur.

Root Causes 251: What's Next for the NIST PQC Primitives?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 27 Oct 2022 00:00:00 +0000

NIST has announced its new post-quantum cryptography primitives. So now what? In this episode we discuss the next steps required by the technology industry for widespread adoption of these algorithms and what the enterprise can do starting today to ready itself for quantum-safe encryption.

Root Causes 250: 250 Episodes of Root Causes!

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 26 Oct 2022 00:00:00 +0000

It's Root Causes episode 250! In this episode Tim and Jason indulge themselves in podcasting about podcasting. Hear about setting up a podcast, choosing topics, why we don't rehearse, why we have so few guests, and how we reacted the first time someone asked us for a media kit.

Root Causes 249: What Is MFA Exhaustion?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 21 Oct 2022 00:00:00 +0000

Recent months have seen several high profile attacks that were enabled by defeating the MFA accompanying user name and password login. In this episode we explain the concept of MFA fatigue and why it is an enabler for these attacks.

Root Causes 248: Azure Code Signing Announced

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 18 Oct 2022 00:00:00 +0000

Microsoft has announced the upcoming availability of a Microsoft-run code signing solution inside the Azure platform. We explain this approach's advantages and what to expect from it.

Root Causes 247: Uber Breach Unpacked

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 13 Oct 2022 00:00:00 +0000

A recent high-profile breach of Uber's systems led to widespread data loss. Join our experts as we unpack the specifics of how this attack came about.

Root Causes 246: Google Chrome Root Program Announced

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 3 Oct 2022 00:00:00 +0000

Google Chrome recently announced the formation of its trusted root program. It may be surprising to learn that the world's most popular browser has existed for more than a decade without its own root program. In this episode we explain why that is the case, why Chrome is launching a root program now, and the implications of this announcement.

Root Causes 245: One Time Passcode as a Liability

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 29 Sep 2022 00:00:00 +0000

A recent article from Brian Krebs advances the idea that using OTP MFA may actually be a liability to security. In this episode we explain the reasoning behind this characterization.

Root Causes 244: PwC Survey Reports Cyber Security as Biggest Risk to Companies

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 26 Sep 2022 00:00:00 +0000

A recent survey from PwC reports that cyber threats are no longer solely the domain on the CISO but instead have become every senior executive's concern. We dive deep into these survey results and talk about they correlate with our own experiences, IT skills gaps, and feeding the podcasting beast.

Root Causes 243: Which Came First, the BRs or the EVGs?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 20 Sep 2022 00:00:00 +0000

Many people don't realize that the CA/Browser Forum's Baseline Requirements actually came LATER THAN the Extended Validation Guidelines. In this episode we explain how this seemly backward turn of events came about and what it says about how online trust has evolved over the past few decades.

Root Causes 242: Let's Encrypt Founder Peter Eckersley Passes

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 16 Sep 2022 18:47:20 +0000

Electronic Frontier Foundation member and Let's Encrypt co-founder Peter Eckersley passed away recently at a young age. In this episode we pay respect to Peter's memory and his many contributions, including ACME, Certbot, and Let's Encrypt.

Root Causes 241: Is China Outspending the West in Quantum Computing?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 12 Sep 2022 00:00:00 +0000

A December 2021 report appears to indicate that China as vastly outspending Western countries in quantum computing. In this episode we examine this claim, including the role of private industry as opposed to government funding, the importance of international cooperation, and the vast implications of winning the race for quantum computing.

Root Causes 240: Hyundai Production Private Key Found in How-to Manual

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 6 Sep 2022 00:00:00 +0000

A white hat researcher recently defeated a production automobile's PKI by searching for the private key on Google. Join us as we describe the implementation error making this possible and how it might have come about.

Root Causes 239: Post-quantum Cryptography Candidate SIKE Defeated

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 28 Aug 2022 00:00:00 +0000

NIST's round four post-quantum crypto candidate SIKE (Supersingular Isogeny Key Encapsulation) has been defeated and is now out of consideration. In this episode we explain isogeny cryptography, why NIST is seeking additional candidates, and why failures of this kind are expected and healthy for PQC.

Root Causes 238: Tim's Big Phishing Adventure

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 15 Aug 2022 00:00:00 +0000

In a personally unprecedented occurrence, Tim's identity as a Sectigo executive is being used in a "waterholing" phishing scam intended to raid job seekers' bank accounts. We describe what is going on, how we found out, and the challenges in combatting such an attack.

Root Causes 237: Why Mozilla Is So Important to CAs

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 10 Aug 2022 00:00:00 +0000

Mozilla is a highly important to the world of public certificates, with influence beyond what the Firefox browser market share would suggest. In this episode we examine the historical reasons for this influence and the mechanisms that maintain that influence today.

Root Causes 236: Active Directory Patch Knocks Out Non-MS Identity Consumers

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 4 Aug 2022 00:00:00 +0000

A recently revealed vulnerability in Active Directory made it possible for an attacker to escalate privileges inappropriately. Microsoft's responded with a patch in May 2022, which unfortunately has forced a difficult workaround for many common software components beyond Active Directory that will otherwise be incapable of working with AD identities. In this episode we explain what his happening, how it came about, and the broader lessons for PKI owners.

Root Causes 235: What Is Lattice-based Cryptography?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 26 Jul 2022 00:00:00 +0000

The recent winners of the NIST post-quantum cryptography contest are strongly focused on lattice-based encryption. In this episode we explain at a high level what this cryptographic approach entails and why lattice-based algorithms fared so well in the NIST search.

Root Causes 234: Report from the 2022 RSA Conference

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 22 Jul 2022 00:00:00 +0000

The RSA Security Conference is back. In this episode we talk about what happened in 2020 and how the first post-COVID RSAC compared to earlier years, along with some of the major themes this year.

Root Causes 233: CISA Recommendations for Post-Quantum Crypto

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 12 Jul 2022 00:00:00 +0000

In coordination with NIST's announcement of its new post-quantum cryptographic algorithm contest winners, the Cybersecurity and Infrastructure Security Agency released a bulletin listing six key actions for IT to commence now. We read out these six actions and put them in context.

Root Causes 232: NIST Announces Post Quantum Crypto Selections

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 8 Jul 2022 00:00:00 +0000

NIST has announced its winning algorithms for round 3 of its post-quantum cryptography "contest." Join us as we name the winning algorithms and why they were chosen. We discuss the continuing effort to arrive at additional algorithms, and we talk about the next steps coming out of this announcement.

Root Causes 231: What Is FIDO?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 6 Jul 2022 00:00:00 +0000

Recent announcements about consumer passwordless authentication build on standards like FIDO and WebAuthn. In this episode we explain device-centric authentication, the FIDO Alliance, and how it all works.

Root Causes 230: What Is Apple Passkey?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 30 Jun 2022 00:00:00 +0000

Apple recently announced its Passkey functionality, which will allow passwordless authentication between Apple devices and supporting web services through key exchange. In this episode we discuss how this works, the user experience, the significance of FIDO and WebAuthn, and implications for consumer-facing sites.

Root Causes 229: Browsing Collectives and the 80/20 Rule of Browser Privacy

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 8 Jun 2022 00:00:00 +0000

In this follow-on to our two previous podcasts, we elucidate additional potential schemes for preserving consumer privacy. We discuss data aggregation, the power of the default, decentralized blockchain identities, the death of cookies, browsing collectives, privacy browsers, and the 80/20 rule of browser entropy.

Root Causes 228: Getting the FLoC out of Here

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 31 May 2022 00:00:00 +0000

In a follow-up to our recent episode on cookies and browser tracking, we discuss Google's Federated Learning of Cohorts (FLoC) initiative, why it failed as a response, and other directions the industry is looking in.

Root Causes 227: Let's Talk About Cookies

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 27 May 2022 00:00:00 +0000

In this episode we explain the fundamentals of cookies and why, despite their obvious benefits, they present troublesome privacy concerns. We discuss the many ways web users can be tracked including cross-site cookies, tracking pixels, and browser fingerprinting.

Root Causes 226: The Six Benefits of SSH Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 24 May 2022 00:00:00 +0000

In this third episode in our series on SSH keys, we identify the six main benefits of SSH certificates and how they mitigate the problems with SSH identified in earlier episodes.

Root Causes 225: The Difference Between Relying Parties and Certificate Consumers

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 19 May 2022 00:00:00 +0000

Despite the similarity in their names, in the world of digital certificates a Relying Party and a Certificate Consumer are very different things. In this episode we define the four main roles in the public trust ecosystem: CA, Subscriber, Certificate Consumer, and Relying Party, with real-world examples.

Root Causes 224: The Five Problems with SSH Keys

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 17 May 2022 00:00:00 +0000

In this follow-on to our earlier episode explaining SSH keys, we discuss the five problems SSH keys present to organizations using them. And we give a peek at how to solve these problems.

Root Causes 223: CT Log-Enabled Attacks on WordPress Sites

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 11 May 2022 00:00:00 +0000

Attackers are using CT logs to identify brand new WordPress sites and install malware before upcoming security measures are in place. This attack is novel in how it exploits Certificate Transparency information to identify likely targets. In this episode we explain what is happening and why it's noteworthy.

Root Causes 222: Consolidation and PKI Solutions

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 11 May 2022 00:00:00 +0000

Vendor consolidation is an important topic in IT security. As the scope and variety of threats continues to increase, we have seen a proliferation of point solutions and features, and a resulting desire to reduce that vendor footprint or at least facilitate using them together. In this episode we discuss this trend and how it specifically affects PKI and digital certificates.

Root Causes 221: What Are SSH Keys?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 4 May 2022 00:00:00 +0000

SSH (Secure Shell) keys are ubiquitous for authenticated access to Linux systems. In this first of three episodes we explain what these keys are and how they're used.

Root Causes 220: The Difference Between OTP and Passwordless

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 2 May 2022 00:00:00 +0000

"Passwordless" is a hot term in the industry, and as a result many technology vendors are attaching their solutions to this term. In this episode we clarify the difference between OTP services and passwordless authentication.

Root Causes 219: New Quantum Cryptography Legislation Introduced

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 26 Apr 2022 00:00:00 +0000

New proposed legislation in the US House of Representatives mandates that federal agencies must begin preparation for using the new quantum resistant cryptographic algorithms selected by NIST. This represents a major development in building a quantum safe digital world. In this episode we explain the proposed legislation and it's consequences.

Root Causes 218: PKI Nomenclature Oddities

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 20 Apr 2022 17:47:17 +0000

Every technology space has its jargon. In this episode we go over some of the interesting, ambiguous, or amusing terms that are specific to the PKI and digital certificates industry.

Root Causes 217: What's the Deal with the Recent Okta Security Breach?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 14 Apr 2022 00:00:00 +0000

In March the LAPSIS$ hacking group convincingly announced a breach of Okta systems, potentially exposing Okta customers to additional compromise. Despite Okta's initial statements to the contrary, it ultimately turned out that up to 366 Okta customers may be affected. Our hosts walk through the events of the attack, how it unfolded over time, and how this breach was revealed.

Root Causes 216: What Is crt.sh?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 10 Apr 2022 00:00:00 +0000

One of the foundational tools for monitoring and understanding public SSL certificates is crt.sh, created and maintained by Sectigo's own Rob Stradling. In this episode our hosts explain what crt.sh does and why it is so popular among SSL industry watchers.

Root Causes 215: Passwordless Authentication and Legacy Systems

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 8 Apr 2022 00:00:00 +0000

Organizations seeking to use passwordless authentication frequently must deal with legacy systems that cannot support this scheme. In this episode we explain why that occurs and detail the steps organizations can take to mitigate the effect of legacy systems.

Root Causes 214: New DUO MFA Flaw Explained

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 5 Apr 2022 00:00:00 +0000

A recent FBI warning cautions organizations about exploits based on misconfigured DUO MFA, which exploits weaknesses in Active Directory to provision credentials on DUO for malicious parties. This is an unusual story in several ways, including the fact that the exploit is based on a configuration error and that it's specific to a single, popular SaaS offering. Our hosts explain this exploit and why it is noteworthy.

Root Causes 213: 600-domain Phishing Attack

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 28 Mar 2022 00:00:00 +0000

In this episode we describe a recent phishing campaign noteworthy for its scale, encompassing a total of 600 unique domains. We discuss the implications of a campaign of this scale and high level of organization.

Root Causes 212: S/MIME Limited to Three Years

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 28 Mar 2022 00:00:00 +0000

On April 1 new root program requirements from Apple for S/MIME certificates go into effect, including a limitation of the allowable term to three years. This is contrary to Apple's stated intentions last year. In this episode the explain this change in policy and what certificate users can expect for the future.

Root Causes 211: Does CLM Make Wildcard and MDC Irrelevant?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sat, 12 Mar 2022 00:00:00 +0000

Wildcard and multi-domain certificates have traditionally made administration easier for IT departments. In this episode we weigh the degree to which Certificate Lifecycle Management (CLM) renders these benefits obsolete and if these certificate types continue to be worth the increased risk they carry.

Root Causes 210: Living off the Land

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 7 Mar 2022 00:00:00 +0000

Microsoft has deprecated support for the popular sysadmin tool WMIC. Join our hosts as they explain the security reasons behind this development and broader lessons we can learn.

Root Causes 209: One-Day Deployment of Certificate Lifecycle Management (CLM) Platforms

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 28 Feb 2022 00:00:00 +0000

For any Certificate Lifecycle Management platform to succeed, effective deployment is essential. Our hosts are joined by Sectigo SVP of Global Sales Jennifer Binet who describes the optimal onboarding process, step by step. Jennifer discusses adding use cases over time, streamlining the contracting process, and getting to full automation for all certificates.

Root Causes 208: Automotive Information Systems Bricked by HD Radio Error

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 24 Feb 2022 17:59:42 +0000

A major automobile manufacturer recently had a problem where its infotainment systems were permanently "bricked" by a flaw in local HD radio broadcasts. Our hosts describe what happened and explore the lessons we can learn from this incident.

Root Causes 207: Former Gartner Analyst David Mahdi Jumps on the Playing Field

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 21 Feb 2022 00:00:00 +0000

Gartner analyst David Mahdi recently left the analyst space for Sectigo. In this episode he joins our hosts to explain the reasons for his optimism about digital trust, including NFTs, Web3, blockchain, PKI, and Zero Trust.

Root Causes 206: What Is Web3?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 13 Feb 2022 00:00:00 +0000

Web3 refers to the concept that online content can be attributed to specific known publishers, regardless of web site or online channel. In this episode we discuss the fundamentals of Web3, including self-signing protocols, authorization of content, blockchain, definitive authorship, consensus algorithms, and meat from space.

Root Causes 205: Anatomy of an Encrypted Peer-to-Peer Mesh Network

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 9 Feb 2022 00:00:00 +0000

Secure online collaboration poses logistical and technical challenges under the best of circumstances. Now imagine you have no designated IT staff, no designated hardware, a small budget, and remote participants who are not deeply technical. In this episode Jason Soroko explains how he was able to quickly and easily create an encrypted communications mesh for use by him and his collaboration team.

Root Causes 204: PKI's Role in Passwordless

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 2 Feb 2022 00:00:00 +0000

In previous episodes we have defined passwordless identity authentication. In this episode our hosts explain PKI's specific role in passwordless authentication, along the way clarifying the difference between password-masking and true passwordless technologies.

Root Causes 203: What Is a Credential Vault?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 31 Jan 2022 00:00:00 +0000

Credential vaults are necessary for secure and functional secrets management for automated systems like DevOps or Robotic Process Automation (RPA). This episode explains how credential vaults work and details their benefits.

Root Causes 202 : What Is Certificate Transparency?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 27 Jan 2022 00:00:00 +0000

Certificate Transparency (CT) is essential to monitoring the public SSL certificates that are issued. In this episode we explain what CT logs are, how they work, and the uses we can put them to.

Root Causes 201: What Are the Baseline Requirements?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 24 Jan 2022 00:00:00 +0000

The CA/Browser Forum Baseline Requirements (BR) are hugely influential in the world of public-trust certificates. In this episode we explain what the Baseline Requirements are, how they are created, and why they matter.

Root Causes 200: Why Not to Copy and Paste Commands from Web Pages

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 19 Jan 2022 00:00:00 +0000

This episode describes newly revealed vulnerabilities where copying and pasting text from a web page can open the site visitor up to attack. Our hosts explain how this attack can occur and its potential consequences, along with how to defend yourself against this threat.

Root Causes 199: What Is Privileged Access Management?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 13 Jan 2022 00:00:00 +0000

In this episode we explain Privileged Access Management (PAM). We go on to explain some of the ways that networks using these techniques are still vulnerable to attack and what to do about it.

Root Causes 198: Deep Voice Fakes

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 11 Jan 2022 00:00:00 +0000

We are all familiar with phishing in its various forms. Many people feel that they can protect themselves from fraud by verbally confirming apparent commands from senior executes. In this episode our hosts explore deep voice fakes, computer generated audio that successfully passes for the voice of a known associate, and the risks they pose.

Root Causes 197: Tim's Digital Haircut

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 7 Jan 2022 00:00:00 +0000

In this episode our hosts describe the extreme degree to which all business has become digital business, even the most offline businesses you can think of, including food delivery, in-restaurant dining, bricks-and-mortar retail, and naturally, haircuts. We discuss the disparate, interconnected systems required to make this happen and the fragility of this new digital world.

Root Causes 196: What Is Certificate Agnostic?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 3 Jan 2022 00:00:00 +0000

In 2021 the certificate industry saw the emergency of the concept of "CA agnostic." However, that is only part of the story.

In this episode our hosts build on this concept to define the idea of certificate automation platforms being "certificate agnostic," meaning these platforms should handle all certificates regardless of type, configuration, physical location, environment, use case, and origin.

Root Causes 195: iOS App Privacy Audits

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 27 Dec 2021 00:00:00 +0000

The latest update of iOS includes new capabilities for app privacy auditing and permissions. Our hosts explain the controls available on iOS and Android and how a mobile device privacy audit can be beneficial.

Root Causes 194: Crypto Versus Cryptocurrency

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 20 Dec 2021 00:00:00 +0000

Exploding interest in cryptocurrency has caused the word crypto to take on new meanings that were not part of the public dialog even a few years ago. In this episode our hosts explore both the overlap and difference between today's cryptocurrency (and blockchain) and more venerable forms of cryptography.

Root Causes 193: 4 Positive Security Trends for 2022

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 16 Dec 2021 00:00:00 +0000

Our hosts look back at four positive security trends in 2021 that industry should continue in 2022.

Root Causes 192: 14 Security Fallacies We Still Have in 2021

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 13 Dec 2021 00:00:00 +0000

In this year-end lookback episode, our hosts describe 14 common fallacies that still haunt IT professionals in 2021 - and the negative effects those fallacies bring.

Root Causes 191: What Is Robotic Process Automation (RPA)?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 8 Dec 2021 00:00:00 +0000

An important trend sweeping enterprise IT is Robotic Process Automation. Our hosts define RPA and explain the importance of cryptographically secured digital identity in safely implementing RPA.

Root Causes 190: Phishing Coinbase

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 29 Nov 2021 00:00:00 +0000

In continuation of our ongoing exploration of blockchain and cryptocurrency, our hosts describe a recently discovered exploit where attackers use weaknesses in one-time-password-based MFA to steal Coinbase accounts.

Root Causes 189: What Is CA Agnostic?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 17 Nov 2021 00:00:00 +0000

Certificate Lifecycle Management (CLM) platforms can deal with certificates from a number of sources. A CLM that can provision certificates of all types from all CAs, private and public, would be described as "CA agnostic." In this episode we explain this idea and its significance along with the key criteria for choosing a CA agnostic CLM platform.

Root Causes 188: Introduction to Web Security

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 11 Nov 2021 00:00:00 +0000

Malware and other web site attacks are a frequent problem for small businesses and can result in reputational damage and site access being blocked or hindered by end user software and services. We are joined by web site protection expert JP Armenta, who explains how these attacks occur, their effects, and how site operators can protect themselves.

Root Causes 187: Apple Limits Term for S/MIME Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 7 Nov 2021 00:00:00 +0000

Apple recently announced that it would be limiting the allowable term for public S/MIME certificates to 825 days. Our hosts explain the implications of this declaration.

Root Causes 186: Digital Signature SNAFU Costs Swiss Company 3 Billion Euro Contract

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 4 Nov 2021 00:00:00 +0000

In this episode our hosts explain how an esoteric digital signature error rendered a 3 billion Euro manufacturing contract with the Austrian government invalid.

Root Causes 185: EU Covid Passport Root Key Stolen

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 1 Nov 2021 00:00:00 +0000

The root certificates of the EU's Covid Passport program have suffered a private key compromise and counterfeit passports are now for sale on the black market. We explain the implications of this shocking revelation.

Root Causes 184: Popular College WiFi Vulnerability Revealed

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 26 Oct 2021 00:00:00 +0000

Recent research reveals that certificate misconfiguration in a commonly used college WiFi platform that can lead to exposure and theft of users' login credentials. Our hosts discuss WiFi authentication and the EAP protocol and explain how this vulnerability occurs.

Root Causes 183: New MSCA Attack Toolkits

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 21 Oct 2021 00:00:00 +0000

At this year's BlackHat, a talk and white paper detailed the threat of MSCA root key attacks, which can be used to create unauthorized certificates. This release includes a pair of offensive toolkits and a defensive toolkit. We explain the importance of this release and provide a clear action list for IT professionals in charge of Microsoft CA.

Root Causes 182: Let's Encrypt Root Expiration

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 18 Oct 2021 00:00:00 +0000

Let's Encrypt's recent root expiration caused widespread service outages and other hassles for online services and sites. Our hosts discuss this expiration, why so many problems resulted, and the recipe for avoiding these problems in the future.

Root Causes 181: Limitation of DCV Through Web Site Changes

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 29 Aug 2021 00:00:00 +0000

This December will see a meaningful change in how CAs are allowed to conduct Domain Control Validation (DCV) using the method known as https token or file authentication or agreed up on change to web site. This method will be removed as an option for "domain spaces" including wildcards and subdomains. Join our hosts as they explain how DCV works and how the rules are changing and why. And we clarify the available options for those changing their preferred DCV methods.

Root Causes 180: PetitPotam MSCA Attack

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 26 Aug 2021 00:00:00 +0000

The PetitPotam attack against Microsoft CA has garnered a lot of attention. Our hosts describe this attack and define related terms like Mimikatz, pass-the-hash, and NTLM Relay. The episode goes on to give a roadmap for mitigating this attack , including free resources available to help defend against PetitPotam.

Root Causes 179: Standards for Certificates Apart from SSL

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 23 Aug 2021 00:00:00 +0000

Regular followers of this podcast hear a great deal about SSL, the CA/Browser Forum, and the standards governing public SSL. But SSL is not the only regulated type of public digital certificate. There are also things like S/MIME, eIDAS, code signing, document signing, and SSH certificates. In this episode our hosts discuss these "other" certificate types and the rules and regulations governing them.

Root Causes 178: Stealing Cryptocurrency

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 20 Aug 2021 00:00:00 +0000

In this episode our hosts go through the various ways in which cryptocurrency can be stolen or lost, including private key compromise, security failures at cryptocurrency brokers, and theft of login credentials. Our hosts also discuss how manipulation of the public ledger could also lead to unfair distribution of cryptocurrency value.

Root Causes 177: What Is Passwordless?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 9 Aug 2021 00:00:00 +0000

A hot, new topic in the identity space is passwordless. Join our hosts as they explain credential form factors and offer a specific definition of passwordless, including the difference between PINs and passwords.

Root Causes 176: Introducing State-Locality Exclusivity

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 5 Aug 2021 00:00:00 +0000

Sectigo is implementing an important change to its public-facing SSL certificate business, which we call State-Locality Exclusivity. This change removes a the localityName field, a very common field in SSL certificates. In this episode our hosts explain what the localityName field is, why we are removing it, and how this change is to the benefit of SSL Subscribers and Relying Parties.

Root Causes 175: What Is a Linter?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 2 Aug 2021 00:00:00 +0000

Linters have been a standard programming tool for more than four decades. This venerable coding tool has recently taken on new significant in the world of public certificates. In this episode our hosts explain linters and how they are applied to SSL certificates.

Root Causes 174: Windows 11 and TPMs

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 27 Jul 2021 00:00:00 +0000

Microsoft has announced that its upcoming Windows 11 release will require TPM 2.0 support at a minimum. TPM 2.0 enables more modern hashing and encryption algorithms than previous versions. Our hosts discuss the implications of this announcement.

Root Causes 173: Whitelisting and Blocklisting

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 22 Jul 2021 00:00:00 +0000

Whitelisting and blocklisting are tried and true elements of the computer industry. In this episode our hosts define whitelisting and blocklisting and the pros and cons of either, with lots of examples from the real world. We discuss fuzzy entities, the scaling problem, layered defenses, and the trouble with active attackers.

Root Causes 172: What Is an NFT?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 13 Jul 2021 00:00:00 +0000

If you have paid any attention at all to popular media in the past few months, you will have heard about non-fungible tokens, or NFTs. NFTs are a method of uniquely identifying a digital asset using blockchain technology, and they are big news in the art and media world. Join our hosts as they explain the difference between fungible and non-fungible tokens, how NFTs work, and the significance of publicly asserting ownership for digital files.

Root Causes 171: The Off-by-One-Second Problem

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 8 Jul 2021 00:00:00 +0000

Today our hosts explore an esoteric but important error in public certificates that we call the off-by-one-second problem. We explain this problem, how it occurs, and its broader implications.

Root Causes 170: Why Is Canada So Good at Cryptography?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 1 Jul 2021 00:00:00 +0000

In celebration of Canada Day, our hosts discuss why Canada in particular offers a disproportionately large contribution to cryptography. We examine historic reasons and the real-world consequences of Canada being a center for cryptographic excellence.

Root Causes 169: Bitcoin and the Anonymity Fallacy

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 25 Jun 2021 00:00:00 +0000

In the developing story of the Colonial pipeline ransomware attack, the FBI recently recovered the ransom money, which had been paid in Bitcoin. In this episode we talk about how this recovery might have occurred.

Root Causes 168: The Difference Between e-Signing and Digital Signing

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 21 Jun 2021 00:00:00 +0000

In our technology discussions we frequently run into confusion about the relationship between electronic document signing and digital document signing. Despite the similarity in names, they are entirely different technological approaches to providing trustworthy electronic signed documents. In this episode we explain the two terms, their distinct definitions, and some of the pros and cons of each approach.

Root Causes 167: Colonial Pipeline Ransomware Attack

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 15 Jun 2021 00:00:00 +0000

The recent ransomware attack against the Colonial pipeline has captured the news cycles in recent weeks. In this first episode of two our hosts begin to unpack what it known about this attack and how digital identity and PKI fit in.

Root Causes 166: The Trouble with OU Fields

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 7 Jun 2021 00:00:00 +0000

Of all aspects of public SSL certificates, few are as controversial as the OU field. Standing for Organizational Unit, this field is beloved by a few enterprises and hated by security watchers. It's also under fire in the CA/Browser Forum. Join our hosts as they explain the history of the OU field and why it's an industry flashpoint, including their predictions for the future of the OU field.

Root Causes 165: Blockchain - Proof of Work Versus Proof of Stake

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 2 Jun 2021 00:00:00 +0000

In our ongoing examination of blockchain, we define proof of work and proof of stake as consensus algorithms for updating the public ledger. We explain their differences and get into the problems with proof of work and the reasons proof of stake is emerging as a promising new consensus algorithm. We touch on the consequences of these algorithms on other aspects of society as well.

Root Causes 164: Examining MFA Through out-of-Band Phone Calling

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 20 May 2021 00:00:00 +0000

In our ongoing series of episodes on MFA, we explore the plusses and minuses of out-of-band phone calling. Our hosts explain how this form of MFA works, what attacks it defends against successfully, and what attacks can circumvent it.

Root Causes 163: What Puts the I in PKI?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 12 May 2021 00:00:00 +0000

PKI stands for Public Key Infrastructure. In this episode we focus on the word infrastructure. Our hosts discuss the key qualities of credential form factors, how they are separate and distinct from the infrastructure surrounding them, and the minimum capabilities necessary to refer to a public-private key system as PKI.

Root Causes 162: What Is Sideloading?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 21 Apr 2021 00:00:00 +0000

In a recent interview Tim Cook took a strong stance against application sideloading as a danger to mobile devices. In this episode we explain sideloading, its potential dangers, and the underlying motivators behind the sideloading debate.

Root Causes 161: Consensus Algorithms and the Byzantine Generals Problem

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 15 Apr 2021 00:00:00 +0000

If you pay attention to blockchain and crypto currency, you are sure to hear the phrase consensus algorithm. This concept is fundamental to distributed trust systems like blockchain. In this episode our hosts explain consensus, proof of work, and the Byzantine Generals problem.

Root Causes 160: Purpose-built Quantum Computers for Breaking RSA

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 8 Apr 2021 00:00:00 +0000

A new academic paper has described how a purpose-built quantum computer could break RSA encryption in fewer qbits than commonly are thought necessary possible. In this episode our hosts summarize the basic argument in this highly technical paper and its potential implications on the Quantum Apocalypse.

Root Causes 159: Encrypted Communication Provider Indicted for Drug Trafficking and Money Laundering

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 31 Mar 2021 00:00:00 +0000

The CEO of Sky Global, a provider of encrypted data devices and services, has been indicted on RICO charges related to drug trafficking and money laundering. Our hosts discuss this highly unusual development and where it fits into the ongoing battle between law enforcement and encryption technology.

Root Causes 158: Exchange Server Vulnerabilities

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 23 Mar 2021 00:00:00 +0000

The ongoing Microsoft Exchange vulnerability is huge news in the IT world. In this episode our hosts discuss the reasons why on-premises services might present greater risk than providing the same capabilities in the cloud.

Root Causes 157: New Revocation Research

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 19 Mar 2021 00:00:00 +0000

A recently published study of public revocation information takes a numerical approach to revocation behavior from CAs. Our hosts give their first take on this paper and the idea of "revocation transparency."

Root Causes 156: Kazakhstan Root Attack Revisited

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 16 Mar 2021 00:00:00 +0000

In the summer of 2019 the Kazakh government attempted to force its citizens to trust its private root, enabling MITM attacks for a variety of potentially nefarious purposes. A recent research paper goes into previously unknown detail about who was targeted and how the regime sought to abuse this short-lived exploit.

Root Causes 155: What’s Good for Subscribers Is Good for Relying Parties

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 11 Mar 2021 00:00:00 +0000

In this episode we explore the relationship between Relying Parties (aka users of online services) and Certificate Subscribers (aka providers of these services). We discuss the common attitude that certificate requirements that negatively impact Subscribers are inconsequential. We explain the downstream effects of certificate incidents and why unthinkingly forcing rules on service providers without considering the full consequences is detrimental to everyone.

Root Causes 154: Did Claus Peter Schnorr Just Break RSA?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 8 Mar 2021 00:00:00 +0000

A recently published paper by a reputable German mathematician and cryptographer has garnered widespread attention for its claim to have destroyed the RSA algorithm. However, many people are skeptical. Join us as we discuss the paper's content, the proposed methodology, and the public discussion it has generated.

Root Causes 153: Too Many Roots

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 5 Mar 2021 00:00:00 +0000

Trust models in multi-vendor environments can be particularly tricky.
We are joined once again by Tom Tansy, Chairman of the SunSpec Alliance for a deep dive in the challenges and best practices in maintaining trusted roots in complex, global supply chain ecosystems.

Root Causes 152: Digital Certificates and the SunSpec Alliance

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 2 Mar 2021 00:00:00 +0000

The SunSpec Alliance is an important source of standards for clean energy infrastructure including solar and electric vehicles. To protect our electrical infrastructure and ensure proper functioning, digital identity and certificates are a necessity. Join us and guest Tom Tansy as we discuss how SunSpec employs PKI to this end.

Root Causes 151: What Is Rustls?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 22 Feb 2021 00:00:00 +0000

Rustls is an important emerging alternative to OpenSSL. In this episode we discuss the Rust programming language and the implications of the fact that is was designed with security in mind from the ground up. This includes how Rustls is protected against attack vectors that have been effective in the past, including Heartbleed. Join us to learn more.

Root Causes 150: This Podcast Is Not About Alan Turing

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 14 Feb 2021 00:00:00 +0000

Recent news of the discovery of abandoned Enigma machines on the ocean floor inspires our hosts to discuss history's most famous code system, how it was broken, and how that relates to cryptography today.

Root Causes 149: Municipal Water Poisoning Through Cyber Attack

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 11 Feb 2021 00:00:00 +0000

In past episodes we have discussed the possibility of cyber attack against civil infrastructure like utilities. That possibility recently became real with the attempted poisoning of a Florida city's water supply through online security breach. Learn more on this episode.

Root Causes 148: Can Australia Force Sites to Pay for Linking to Content?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 8 Feb 2021 00:00:00 +0000

A proposed law in Australia would require sites linking to news articles to pay for the right to link to these articles. While this law appears to be aimed at Google and Facebook, it has implications that are much bigger than these two news aggregators. Google has upped the ante by offering to cease operations in Australia before doing so. In this episode we discuss this ongoing development and where things go from here.

Root Causes 147: Google Titan Secure Key Attack

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 5 Feb 2021 00:00:00 +0000

Recent research reveals a possible attack that would allow the cloning of the Google Titan secure key. Join our hosts and guest Alan Grau as they describe this attack and its implications for Titan and other secure keys.

Root Causes 146 : Congolese ccTLD Takeover

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 1 Feb 2021 00:00:00 +0000

A white hat researcher recently took over .cd, the Democratic Republic of the Congo's ccTLD. The implications of taking over a top-level TLD are of course staggering. Join our hosts as we describe how this feat was accomplished and the many malicious activities that could occur under such circumstances.

Root Causes 145: Google Chrome to Distrust CA Camerfirma

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 28 Jan 2021 00:00:00 +0000

A few days ago Google announced that Chrome will distrust Spanish public CA Camerfirma in its upcoming build 90. Our hosts go over the history of browsers distrusting public CAs and explain the reasons for (and implications of) this decision.

Root Causes 144: Whatever Happened to the Green Address Bar?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 25 Jan 2021 00:00:00 +0000

For more than a decade browsers displayed the "green address bar" on sites that had undergone the high authentication required for EV SSL certificates. But in recent years the identity information in the browser has has shrunk, lost its color, and in some cases disappeared entirely. In this episode our hosts walk you through the history of how the green address bar came to be and how browsers gradually reduced and then removed it.

Root Causes 143: The Four Pillars of Certificate Automation

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 21 Jan 2021 00:00:00 +0000

In this episode our hosts explain the Four Pillars of Certificate Automation: deploy, discover, revoke/replace, and renew. They detail what these pillars entail and why they're important. They also discuss the umbrella capability of visibility, which affects all four pillars.

Root Causes 142: Removing Street Address and Postal Code from Public Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 18 Jan 2021 00:00:00 +0000

On March 1 Sectigo will remove street address and postal/zip code information from its public certificates of all types. Our hosts explain the reasons for and advantages of this upcoming change, along with answers to some of the common questions we receive.

Root Causes 141: The Case for Shorter Certificate Lifespans

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 11 Jan 2021 00:00:00 +0000

Recent years have seen multiple reductions in the maximum term for public SSL certificates. Our hosts are joined by guest Nick France to discuss the benefits of shorter certificate lifespans for both public and private CAs.

Root Causes 140: SSL Attacks Using BGP (Border Gateway Protocol)

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 6 Jan 2021 00:00:00 +0000

BGP, or Border Gateway Protocol, controls traffic routing on the internet. Real and theoretical attacks over the years have been revealed against BGP with varying levels of success, including recent research on how BGP attacks can be used to improperly obtain DV certificates. Our hosts explain them along with recent industry actions intended to thwart such attacks.

Root Causes 139: Exposed Private Keys in CSR Submissions

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 3 Jan 2021 00:00:00 +0000

Public CAs recently have discovered a repeated error whereby certificate subscribers accidentally include the private key along with CSR submissions. Our hosts break down this phenomenon and its implications.

Root Causes 138: IoT Cybersecurity Improvement Act of 2020

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 27 Dec 2020 00:00:00 +0000

A new US law called the IoT Cybersecurity Improvement Act of 2020 creates security requirements for IoT devices sold into the US government. Join us as we explain these new requirements and why this law's reach is likely to extend further than the US governmental procurement process.

Root Causes 137: SolarWinds Supply Chain Attack and Digital Identity

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 21 Dec 2020 00:00:00 +0000

The SolarWinds Orion supply chain attack is making headlines throughout the tech press. This sophisticated attack includes some unusual manipulations of digital identity and certificates. In this episode we explain how certificates, keys, and identity play into the SolarWinds exploit.

Root Causes 136: 2020 Lookback - Quantum Safe Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 17 Dec 2020 00:00:00 +0000

In the third of our year-end lookback episodes, we discuss 2020's progress in the quest for quantum-safe encryption. This includes narrowing the NIST candidate list down to fifteen algorithms, the availability of test hybrid certificates, and the trouble with long-lived IoT devices. Our hosts predict what 2021 will look like for quantum-safe certificates.

Root Causes 135: The Heartbleed Vulnerability

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 14 Dec 2020 00:00:00 +0000

In April 2014 a software vulnerability called Heartbleed was discovered in OpenSSL. Heartbleed made it possible for attackers to send commands to web servers and steal their private keys. Certificate subscribers around the world had to scramble to patch their servers and replace certificates by the millions. Guest Nick France joins us to explain this vulnerability, its consequences, and whether or not a Heartbleed-like vulnerability could occur today.

Root Causes 134: 2020 Lookback - SASE and Zero Trust Architecture

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 9 Dec 2020 00:00:00 +0000

2020 was a big year for SASE (Secure Access Service Edge). Our hosts define SASE, ZTNA (Zero Trust Network Architecture), and SDP (Software Defined Perimeter). Our hosts discuss how these technology principles gained momentum in 2020 and why they are poised for continued growth in 2021.

Root Causes 133: 2020 Lookback - COVID-19

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 7 Dec 2020 00:00:00 +0000

In 2020 the COVID-19 pandemic changed the way we work. IT departments had to gear up for near-ubiquitous work-from-home (WFH) requirements while maintaining productivity and security. Our hosts talk about the pandemic's affect on employee authentication and access, Zero Trust, IT enablement of retail, immunity passports, and more.

Root Causes 132: Examining MFA Through Soft Tokens

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 4 Dec 2020 00:00:00 +0000

In our ongoing examination of MFA, our hosts examine authentication through soft-token OTP (one-time passcode). They go over the potential benefits and pitfalls of soft tokens, and compare them to SMS tokens and hard tokens.

Root Causes 131: Apple OCSP Slowdown Explained

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 29 Nov 2020 00:00:00 +0000

The recent release of Apple's Big Sur OS appears to have driven a temporary slowdown in the company's OCSP responders, affecting code updates across all Apple operating systems. Guest Nick France joins us to explain what appears to have happened and why.

Root Causes 130: How to Get Rid of Password Breaches

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 24 Nov 2020 00:00:00 +0000

Massive password breeches have been so repeatedly prevalent for so many years that as an industry and a society we've just started to accept them as a fact of life. In this episode we discuss the weaknesses of passwords as a strategy and why they nonetheless are so common even today. We describe the roadmap for eventually weeding out passwords from most systems.

Root Causes 129: Examining MFA Through Hard Tokens

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 19 Nov 2020 00:00:00 +0000

Hard tokens are one of the oldest multi-factor authentication (MFA) form factors there is, and still in use today. In the latest in our series of explorations of MFA strategies, we examine the strengths and weaknesses of hard tokens as an MFA strategy.

Root Causes 128: What Is Total Certificate Agility?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 12 Nov 2020 00:00:00 +0000

First we had crypto agility, which is how we ensure our cryptography stays current with the needs of security. Expanding on this concept, industry leaders are now looking at certificate agility, which is building our systems so that all certificates are known, current, and immediately replaceable. Our hosts explain certificate agility, why it's important, and what you need to do to achieve it.

Root Causes 127: What Does a Chief Compliance Officer Do at a Public CA Do?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 4 Nov 2020 00:00:00 +0000

Our co-host Tim Callan has changed his title to Chief Compliance Officer. Join him and co-host Jason Soroko as they discuss what compliance means at a public Certificate Authority (CA) like Sectigo and what the Chief Compliance Officer does.

Root Causes 126: IoT Ransomware

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 28 Oct 2020 00:00:00 +0000

New research shows how ransomware attacks could be launched against IoT devices. Our hosts are joined by Alan Grau to understand these attacks and what can be done to defend against them, including technical controls such as strong identity and embedded firewalls.

Root Causes 125: Digital Identity Versus IAM

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 8 Oct 2020 00:00:00 +0000

Digital certificates and PKI provide digital identity and access. Identity and Access Management (IAM) is a huge technology category featuring major players like Okta, DUO, and Ping Identity. And despite the fact that they feature a lot of the same words in their descriptions, these two categories are entirely different spaces that do entirely different things. In this episode we explain the difference between digital identity certificates and IAM platforms and how they fit in together.

Root Causes 124: Biometric MFA

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 5 Oct 2020 00:00:00 +0000

As part of our ongoing series on the pros and cons of various forms of multi-factor authentication (MFA) in this episode we explore biometrics. Our hosts discuss their strengths and weaknesses and the idea that biometrics are more about proof of possession than identity authentication.

Root Causes 123: Asymmetric Versus Symmetric Encryption

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 1 Oct 2020 00:00:00 +0000

One of the cornerstones of the success of PKI and digital certificates is their dependence on an asymmetric encryption model. In this episode our hosts explain the difference between asymmetric and symmetric secrets and how they fit into encryption.

Root Causes 122: Passwordless Authentication for Apple OS

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 28 Sep 2020 00:00:00 +0000

Our hosts are joined by Joel Rennich of Jamf to talk about passwordless authentication and access for various Apple platforms. Joel explains the variety of user experiences that can qualify as passwordless access, with an eye to the specific needs and opportunities for Apple devices.

Root Causes 121 : What Is a Hardware Security Module?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 21 Sep 2020 00:00:00 +0000

A Hardware Security Module, or HSM, is a piece of hardware that securely stores secret material such as cryptographic keys. Join our hosts as they explain terms like HSM, Trusted Platform Module (TPM), Secure Enclave, TrustZone, and Hardware Secure Element (SE).

Root Causes 120: PKI and SASE

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 18 Sep 2020 00:00:00 +0000

SASE (Secure Access Service Edge) is a new term to describe the complexity of authenticating access across today's diverse and heterogeneous computing environments. Join our hosts as they discuss the role of digital identity and certificates in this paradigm.

Root Causes 119: What Is Crypto Agility?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 14 Sep 2020 00:00:00 +0000

Security industry insiders sometimes use the phrase "crypto agility." In this episode our hosts define crypto agility - or cryptographic agility. They explain why crypto agility is more important than ever, why the pace of cryptographic change is going up, and what certificate subscribers can do to improve their crypto agility.

Root Causes 118: Quantum Apocalypse - What Is a Hybrid Certificate?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 7 Sep 2020 00:00:00 +0000

As part of its quantum safe initiative, Sectigo is now offering its Quantum Safe Kit, which enables the creation of hybrid TLS certificates. In this episode our hosts are joined by guest Alan Grau to explain what hybrid certificates are, how they are essential to transitioning to quantum-safe crypto, and the ways enterprises can begin using them today.

Root Causes 117: Why Default Deny Matters to the CA/Browser Forum

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 4 Sep 2020 00:00:00 +0000

This year the CA/Browser Forum has put considerable discussion into the concept of "default deny." It's a philosophy for how to interpret potential ambiguities in existing guidelines for public certificates, and how you land on the default-deny question can have a significant impact on how you interpret the rules. Join our hosts as they describe this debate and its potential impact on public certificates.

Root Causes 116: Ripple20 Exposes TCP/IP Vulnerabilities for IoT

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 30 Aug 2020 00:00:00 +0000

Ripple20 is a recently announced set of documented vulnerabilities in the early Treck TCP/IP stack, a popular choice for early IoT devices. Our hosts are joined by guest Alan Grau, who explains the significance of these vulnerabilities, the difficulties in dealing with them, and how we can improve to avoid these problems in the future.

Root Causes 115: Signed HTTP Exchange (SXG) Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 27 Aug 2020 00:00:00 +0000

Accelerated Mobile Pages, or AMP, is a Google standard for packaging web content for consistent and usable display on mobile devices. SXG certificates enable the display of the original publisher's authenticated URL in the mobile reader. Join us as we explain the potential benefits of SXG to readers and content publishers.

Root Causes 114: Is Quantum Computing a Threat to SHA-2?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 21 Aug 2020 00:00:00 +0000

Quantum computers' threat to standardized encryption algorithms RSA and ECC has been much discussed. But what about our hashing algorithms? Do quantum computers pose a similar threat to SHA-2? Join our hosts as they discuss the difference between Shor's Algorithms and Grover's Algorithm, which applies to each part of cryptography, and how significant quantum computing will be for each.

Root Causes 113: What Is Certificate Pinning?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 18 Aug 2020 00:00:00 +0000

Certificate pinning is the practice of coding software to demand the presence of a specific certificate brand or root in order to function correctly. Though once considered a legitimate security option, certificate pinning is widely discredited because it carries unacceptable certificate agility costs. Join our hosts as they explain what certificate pinning is, how it came about, and why nearly all developers should avoid certificate pinning today.

Root Causes 112: Introducing Sectigo Quantum Labs

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 13 Aug 2020 00:00:00 +0000

For more than a year Sectigo has been providing the market with information to understand what we all must do to change our cryptography to prepare for quantum computers. Now Sectigo has announced Sectigo Quantum Labs, a destination for education on quantum-safe certificates (QSC) and our Quantum-Safe Kit, which allows enterprises to create their own hybrid quantum-safe certs. Join us as we articulate what Sectigo Quantum Labs has to offer you.

Root Causes 111: Secure Data Interconnects

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 10 Aug 2020 00:00:00 +0000

Distributed data centers are extremely common in today's computing environments. Unencrypted replication of data across these centers leaves data open to theft. Nonetheless, existing systems and software leave that possibility open, and sometimes data replication occurs in the clear. Our hosts explain how this situation can come about and what to do about it.

Root Causes 110: Single-domain, Multi-domain, and Wildcard SSL Certificates

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 6 Aug 2020 00:00:00 +0000

When you obtain an SSL certificate, you can choose between single-domain, multi-domain, and wildcard certificates. Join our hosts as they explain the different domain spaces available with TLS certificates and the pros and cons of each approach.

Root Causes 109: Examining MFA Through Phone-based SMS

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 29 Jul 2020 00:00:00 +0000

SMS-based one time password (OTP) is a very commonly used form of multi-factor authentication (MFA). That's because it's fast and inexpensive to roll out to users. Unfortunately it is deeply vulnerable to a set of well-defined attacks. In this episode our hosts explain why SMS MFA became so popular and how this outdated MFA scheme fails to provide the security expected by those who use it.

Root Causes 108: Why Do Certificates Expire?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 24 Jul 2020 00:00:00 +0000

Root expirations occasionally make headlines by breaking systems, but it's a fact that certificates are expiring every day, each a potential outage waiting to happen. So why do certificates expire in the first place? Join our hosts as they discuss the reasons for expiration, its advantages over other mechanisms like revocation, and the right amount of time for a certificate to last.

Root Causes 107: IoT Security Baseline Requirements from ETSI

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 20 Jul 2020 00:00:00 +0000

ETSI has published its new Baseline Requirements for consumer IoT device security, which includes a number of provisions directly related to encryption, strong identity, and device software integrity. Join our hosts as they describe the PKI-related portions of the new ETSI requirements and why they are valuable for security.

Root Causes 106: Massive Intermediate Certificate Distrust Is on the Way

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 14 Jul 2020 00:00:00 +0000

A recently identified and widespread configuration error has created a situation where, with the wrong attack on certain public roots, certificates could become essentially unrevokable. As a consequence, 14 public CAs will have to revoke their OCSP certificates, many of which are also intermediates, and permanently discontinue use of their keys. That leaves millions of active TLS, S/MIME, code signing, and document signing certificates in need of immediate replacement or they will be distrusted. Join our hosts as they explain what the problem is and what messy cleanup will be required to address these problems.

Root Causes 105: TOR, How and Why

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 8 Jul 2020 00:00:00 +0000

Many people know that TOR is a browser used for anonymous online activity, but most of us don't know much more than that. In this episode our hosts explain how the TOR network operates, what its potential value is, and how TOR compares to a VPN.

Root Causes 104: 21 PKI Pitfalls to Avoid

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 6 Jul 2020 00:00:00 +0000

Our hosts often discuss the idea of errors in PKI implementations and the potential negative consequences for organizations. In this episode they categorize twenty-one PKI pitfalls to avoid according to five main categories of error: certificate problems, deployment problems, systemic security problems, governance problems, and visibility problems. Join us for a crisp description of these twenty-one pitfalls so you can be on the lookout for them.

Root Causes 103: Work-from-Home IT Impact Study

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 29 Jun 2020 00:00:00 +0000

The need to suddenly enable nearly 100% of information workers for secure, productive work-from-home was a curve ball for IT departments to deal with around the world. Sectigo recently released the results of a commissioned survey of 500 IT professionals about the impact of widespread WFH requirements on IT departments, roadmaps, security, and employee productivity. In this episode our hosts go over the biggest findings from this study.

Root Causes 102: Lawful Access to Encrypted Data Act

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 26 Jun 2020 00:00:00 +0000

A newly proposed US Senate bill called the Lawful Access to Encrypted Data Act would require service providers and device manufacturers to provide access to encrypted data based on a valid warrant. In this episode our hosts explain the bill's contents and some of the opportunities and pitfalls it presents.

Root Causes 101: Google RCS Chat with End-to-End Encryption

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 21 Jun 2020 00:00:00 +0000

Google has just announced the coming availability of end-to-end encryption for its chat service. In this episode our hosts describe the spectrum of potential protection within the capabilities we call end-to-end encryption, including forward secrecy and durability of keys.

Root Causes 100: OpenSSH Deprecates SHA-1

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 15 Jun 2020 00:00:00 +0000

Once widely used, SHA-1 is considered insecure today and has been deprecated from the most common PKI use cases. OpenSSH recently provided a roadmap to its eventual deprecation of SHA-1. Join our hosts as they discuss the long, complex process of sunsetting a widely used cryptographic practice, the factors that contribute to these practices continuing beyond their secure lifespans, and the importance of crypto agility.

Root Causes 99: AddTrust Root Expiration Explained

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Fri, 12 Jun 2020 00:00:00 +0000

The recent expiration of Sectigo's AddTrust legacy root caused some systems to stop working and forced some admins to keep working over the weekend until all was fixed. In this episode we explain roots, root expirations, why they are a non event for most users, and why sometimes an expiration can be more impactful.

Root Causes 98: DMARC and Verified Mark Certificates for Email

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 8 Jun 2020 00:00:00 +0000

A new kind of identity certificate is coming that will enable businesses to include their logos in official email they send in order to improve customer confidence and protect against phishing. It is called a Verified Mark Certificate (VMC) and is built upon the DMARC standard, which controls which senders are allowed to send email using any given From address. In this episode our hosts explain VMCs and DMARC and how they will be used and then discuss where they fit in with S/MIME email certificates.

Root Causes 97: Firefox to Deprecate Support for FTP

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 4 Jun 2020 00:00:00 +0000

Mozilla has announced its intention to remove support for FTP from the Firefox browser, citing concerns about security and the degree of effort required to keep this functionality current. Join our hosts as they discuss this announcement and its potential effects as well as the considerations that go into choosing when to drop support for outdated, unpopular, or sub-optimal capabilities in technology products.

Root Causes 96: Signal May Leave the USA to Protect Its End-to-End Encryption

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 1 Jun 2020 00:00:00 +0000

Congress's proposed EARN IT act has many industry observers worried about its potential effect on the integrity of encrypted communication. In recent news, secure communication app Signal has floated the idea of relocating outside the United States if that's what's required to retain its ability to offer end-to-end encryption without spying eyes interfering.

In this week's episode, we discuss this announcement and related issues surrounding the keeping of digital secrets and encryption.

Root Causes 95: Cryptographic Key Vaulting

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 28 May 2020 00:00:00 +0000

For PKI to be secure, private keys need to remain private. In this episode we explain "vaulting" for keys or other shared secrets. We touch on the vulnerabilities that secrets vaulting fights against and the common use cases for vaulting.

Root Causes 94: Revocation Checking Through OCSP and CRL

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Tue, 26 May 2020 00:00:00 +0000

One essential portion of the certificate lifecycle is the ability to revoke certificates. Public SSL certificates use a pair of mechanisms to communicate this revocation status to client machines, CRL and OCSP. In this episode we explain how these mechanisms work and some of their strengths and challenges.

Root Causes 93: Videoconferencing Phishing

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 21 May 2020 00:00:00 +0000

With the global workforce's massive shift to work-from-home, a clever new set of opportunistic social engineering attacks has sprung up to take advantage of our unfamiliarity with our new communication and collaboration applications and processes. In this episode our hosts describe these new attacks and what IT departments can do to combat them.

Root Causes 92: COVID-19 Immunity Passports

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 18 May 2020 00:00:00 +0000

As we plan our societal return to normalcy, a number of people and groups are discussing the concept of an electronic "immunity passport" that individuals can possess if they are known to be immune to COVID-19 (possibly through vaccination or prior infection). Today our hosts discuss the requirements for such an immunity passport, some of the opportunities and challenges in putting this kind of system in place, and how existing schemes and systems may fit into an immunity passport initiative.

Root Causes 91: Rabobank Banking App Outage

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Wed, 13 May 2020 00:00:00 +0000

Australia's Rabobank recently experienced an outage preventing its Android banking app from connecting to its servers. The root cause? An expired certificate. In this episode our hosts explain what happened and how it could have been avoided. They also discuss certificate pinning, how it came to be used with apps like this one, and its disadvantages.

Root Causes 90: An Analysis of Distributed PKI

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Sun, 10 May 2020 00:00:00 +0000

Distributed PKI is a new approach, with advocates saying it will eliminate many weaknesses they perceive with traditional, hierarchical PKI architecture. Guest Alan Grau joins our hosts at they explain how distributed PKI works, describe its proclaimed benefits, and take a hard look at whether or not these claims hold up.

Root Causes 89: PKI's Role in Zero Trust

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 7 May 2020 00:00:00 +0000

"Zero Trust" is an IT security philosophy that maximizes protection from threats by tightly controlling access and permissions for every individual, device, and process in the organization's environment. Learn how digital identity and certificates play a key role in operating a secure Zero Trust strategy.

Root Causes 88: PKI and Blockchain

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 4 May 2020 00:00:00 +0000

Many observers notice similarities between PKI and blockchain, including their applicability to secure digital systems and their ability to enable authentic information and non-repudiation in an electronic environment. Join our hosts and expert guest Alan Grau as they go over the similarities and differences between PKI and blockchain, explain the qualities of a good use case for each, and describe how they can complement each other.

Root Causes 87: Zoom's (Not) End-to-End Encryption

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 30 Apr 2020 00:00:00 +0000

With lockdowns and working from home the norm, a great deal of attention has been paid to video conferencing technology. In particular, Zoom has claimed to offer end-to-end encryption while in fact it does not, making headlines across media of all sorts. In this episode our hosts explain what end-to-end encryption is and why the distinction is important for a service like Zoom.

Root Causes 86: SSH Keys

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 27 Apr 2020 00:00:00 +0000

SSH keys are essential for controlling access to production infrastructure. Our hosts are joined by repeat guest David Colon to discuss how SSH keys are used in contemporary computing environments, what risks they carry with them, and tips for IT professionals to use SSH keys easily and securely.

Root Causes 85: Automotive Key Fobs and Cryptography

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 23 Apr 2020 00:00:00 +0000

Recent headlines have unveiled high profile attacks against automobile key fobs. Such an attack is potentially huge since successfully mimicking these fobs can yield complete access to an automobile's capabilities. Our hosts are joined by repeat guest Alan Grau as they describe the cryptographic architecture of a modern automotive key fob, how these attacks take place, and what automobile manufacturers can do about it.

Root Causes 84: What Is DNS over HTTPS?

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 20 Apr 2020 00:00:00 +0000

DNS over HTTPS is a capability whereby DNS lookups can be encrypted to defend against certain man-in-the-middle attacks as well as protecting information about web usage from being revealed to third parties. In this episode our hosts explain DNS over HTTPS, it potential uses, and how it works. They also explain some of the controversy and potential concerns that have been raised with this approach.

Root Causes 83: Quantum Apocalypse - Does COVID-19 Change the Z Date

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Thu, 16 Apr 2020 00:00:00 +0000

Lock downs and work-from-home requirements have disrupted the efficiency of operations in all walks of industry, including academics and advanced computing research. In this episode our hosts debate if and how the pandemic's disruptive nature might change the date on which quantum computers are able to defeat today's encryption.

Root Causes 82: The Death of the Hard Token

tim.callan@sectigo.com (Tim Callan and Jason Soroko) — Mon, 13 Apr 2020 00:00:00 +0000

People are working from home in unprecedented numbers, which means that companies need to find ways for them to connect securely. Some will consider hard tokens as an option. In this episode our hosts give a frank assessment of the difficulty that hard tokens present for the modern remote workforce, along with some of the other available options that are likely to serve the enterprise better.

Root Causes 81: What Is Embedded Firewall?

tim.callan@sectigo.com (Tim Callan) — Mon, 6 Apr 2020 00:00:00 +0000

Security for IoT devices depends not only on establishing strong identity mechanisms for devices and the services they connect to but also in ensuring the ongoing integrity of device operations. In this episode our hosts are joined by guest Alan Grau to explain what an embedded firewall is and how it aids security for connected devices.

Root Causes 80: The Pros and Cons of VPNs

tim.callan@sectigo.com (Jason Soroko) — Thu, 2 Apr 2020 00:00:00 +0000

With the sudden, meteoric increase in remote workers, many IT professionals are looking at VPN as a method of keeping them secure. Join our hosts as they discuss the advantages and disadvantages of VPNs, and what to look out for.

Root Causes 79: Firefox Reinstates Support for Deprecated TLS Versions

tim.callan@sectigo.com (Jason Soroko) — Mon, 30 Mar 2020 00:00:00 +0000

To enable broadest possible access to valuable information about the COVID-19 epidemic, Firefox has chosen to reinstate support for web sites using TLS 1.0 and 1.1. Join us to learn about this move, why Firefox has made it, and what that says about the state of web site security today.

Root Causes 78: Extended Validation Certificates and the Dark Web

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Thu, 26 Mar 2020 00:00:00 +0000

New research presented at RSA Security Expo indicates that at least one party is using online criminal marketplaces to sell a package of a newly-created business and at least one Extended Validation SSL certificate to go with it. Join our hosts as they explain what the research says and talk about the potential criminal use cases for a bundle like this one.

Root Causes 77: Certificates for Public Cloud

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 23 Mar 2020 00:00:00 +0000

As a convenience to customers and a competitive differentiator, public cloud services such as AWS offer TLS certificates for use in their environments. Join our hosts as they explain this practice, how these certificates can be used, and which use cases and environments will not work with TLS certificates from public cloud vendors.

Root Causes 76: Implications of COVID-19 for PKI

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 20 Mar 2020 00:00:00 +0000

COVID-19 is rocking all aspects of our daily and business lives. So what are the implications of lock-downs, office closures, and high employee absenteeism on the PKI world? Our hosts explore the implications of our new post-pandemic work culture on business continuity and security, and how PKI fits into this new way of working

Root Causes 75: Sectigo's COVID-19 Readiness

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Wed, 18 Mar 2020 00:00:00 +0000

As measures move into place throughout society to flatten the curve of COVID-19's spread, it is important to understand the potential effects of lock downs, school closures, and work-from-home mandates on the critical systems that keep our digital world running. Sectigo has conducted an internal audit of its business continuity and disaster recovery plans in light of the specifics of the ongoing pandemic, and we remain confident in our ongoing operation without material disruption through the present crisis. In this episode our hosts go over the results of Sectigo's COVID-19 readiness audit and what customers can expect in the months to come.

Root Causes 74: Device and Network Access

tim.callan@sectigo.com (Tim Callan) — Tue, 17 Mar 2020 00:00:00 +0000

Certificates can play a critical role in enabling and controlling access for users and devices to our sensitive business processes and data. Our hosts are joined once again by David Colon as we explore the role certificates play in providing network access and permissions, including some best practices.

Root Causes 73: Apple to Drop Support for Two-year SSL Certificates

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 13 Mar 2020 00:00:00 +0000

At the most recent Face-to-Face meeting of the CA/Browser Forum, Apple announced that as of September 1 it will distrust public TLS certificates issued with terms longer than thirteen months for all its technology products. Join our hosts as they discuss this change, its affect on the ecosystem, and what you need to do to prepare for one-year SSL certificates.

Root Causes 72: Future-proofing Your PKI

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 10 Mar 2020 00:00:00 +0000

Former CableLabs CIO and Kyrio President and General Manager Mitch Ashley joins our hosts to discuss how to set up a PKI system that will meet your needs for many years to come. Mitch is now CEO of Accelerated Strategies Group, a disruptive analyst firm focused on cybersecurity, devops and cloud. We discuss the differing attitudes, pain points, and processes of device manufacturers versus service providers. Mitch explains how the overall qualities of the ecosystem affect PKI, ensuring extensibility and auditability, and how to project your PKI needs into the future ten or twenty years from today.

Root Causes 71: Short Lived DevOps Certificates

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 6 Mar 2020 00:00:00 +0000

Repeat guest and DevOps expert David Colon joins us again to discuss identity for microservices, including the use of very short-lived TLS certificates. David and our hosts explore the unique properties of PKI in these environments and describe how to find the optimal term for a container certificate.

Root Causes 70: Identity Is the New Perimeter

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Wed, 4 Mar 2020 00:00:00 +0000

Modern architectures and development processes have shattered the old concept of an IT perimeter for the enterprise. In this world, attaching strong identity to every device, user, and process is essential to security. In this episode our hosts describe this challenge and discuss the pros and cons of various identity schemes.

Root Causes 69: Fundamentals of DevOps and PKI

tim.callan@sectigo.com (Jason Soroko, Tim Callan, David Colon) — Fri, 28 Feb 2020 00:00:00 +0000

In our ongoing series on DevOps and PKI, DevOps practitioner David Colon joins us to help describe the intersection of DevOps security and PKI. We explore how PKI fits in with orchestration engines like Kubernetes and some of the practical considerations in securely using keys in such environments.

Root Causes 68: Why SHA-1 Is No Longer Secure

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 24 Feb 2020 00:00:00 +0000

SHA-1 was a cornerstone of the early secure web. Now, 25 years later, this hashing function is no longer secure. Join our hosts to hear the history of SHA-1, its common use cases, and the properties of an effective hashing function. Learn about collision attacks and why they matter. Find out the reasons SHA-1 is still in use and why it is no longer secure in today's computing world.

Root Causes 67: Definition of DevOps and DevSecOps

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 21 Feb 2020 00:00:00 +0000

Our hosts are joined by senior DevOps engineer David Colon to explore what DevOps means in today's enterprise. They cover diverse aspects of the DevOps phenomenon, including cultural implications, "configuration drift," definition of release velocity, and DevSecOps. Plus of course how DevSecOps intersects with PKI.

Root Causes 66: Functional Versus Homomorphic Encryption

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Tue, 18 Feb 2020 00:00:00 +0000

Traditionally, file encryption is an all-or-nothing affair where data cannot be gleaned from the encrypted file without fully decrypting its contents. A new brand of cryptography called homomorphic encryption makes it possible for specific types of data to be read from a file while the rest of it remains encrypted. Join our hosts as they explain this new technology approach and its possible implications and use cases.

Root Causes 65: Quantum Key Distribution

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Mon, 10 Feb 2020 00:00:00 +0000

Quantum key distribution is a new technology that uses the principles of quantum physics to generate and distribute truly random keys for encrypted communication. Join us as we explain how quantum key distribution works, why it is not the same as quantum safe cryptography, and which cases it may be useful for.

Root Causes 64: What Is Digital Identity?

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Tue, 4 Feb 2020 00:00:00 +0000

The phrase "identity is the new perimeter" has gained in use of late, reflecting the reality that today's modern enterprise architecture is a mix of traditional and cloud, owned and rented and BYOD, all together in a complex mix. Under those circumstances identity is key to determine which digital entities have which permissions. But what do we mean when we say identity? Join our hosts as they explain the concepts behind digital identity, how they compare to our offline ideas around identity, and how these ideas shape computer security.

Root Causes 63: What Is CAA?

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Wed, 29 Jan 2020 00:00:00 +0000

CAA, which stands for CA Authentication, is the capability for the domain name owner to specify in DNS which CAs are allowed to issue SSL certificates for a specific domain. Join us to learn more about CAA, including how it works and its potential benefits to businesses.

Root Causes 62: Windows CryptoAPI Spoofing Vulnerability Explained

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Wed, 22 Jan 2020 00:00:00 +0000

On January 14 Microsoft announced a sweeping vulnerability that makes it possible to defeat the authentication of Elliptic Curve Cryptography (ECC) on Windows 10 and Windows Server systems, making it possible to create fake certificates on trusted roots that will fool these systems. Join our hosts and guest Nick France, CTO of SSL at Sectigo, as we explain this vulnerability, how it could be used in exploits, and what must be done to address it.

Root Causes 61: Anatomy of a Cryptocurrency

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Fri, 10 Jan 2020 00:00:00 +0000

In our ongoing series about blockchain, we explore the technology, process, and ecosystem needs for a successful cryptocurrency. Join our hosts along with expert guest Alan Grau as we discuss the technology and ecosystem specifics of cryptocurrencies, including blockchain and PKI.

Root Causes 60: Fundamentals of Blockchain

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 6 Jan 2020 00:00:00 +0000

Widely understood to be the technology behind popular crypto currencies, blockchain has become a household word. But what it blockchain really, and how does it work? Join our hosts and returning guest Alan Grau as they explain how blockchain functions, its strengths and weaknesses, and some of the other potential applications for this technology.

Root Causes 59: What Is Certificate Transparency?

tim.callan@sectigo.com (Tim Callan, Jason Soroko) — Mon, 30 Dec 2019 00:00:00 +0000

Certificate Transparency (CT) is a recent and important development in the world of SSL certificates. Popular browsers require trusted CAs to log all SSL certificates to publicly available CT Logs. Join our hosts to find out how various parties are using CT Logs to learn about CA behavior and SSL usage patterns and to improve the overall quality of public trust.

Root Causes 58: 2019 Lookback - One Year of Podcasting

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 16 Dec 2019 00:00:00 +0000

Nearly a year ago our hosts launched Root Causes to provide a forum for discussion of the issues surrounding the critically important PKI technology. Now at the end of 2019 we discuss how this podcast has taken shape, how that compares to our original expectations, and what we are looking forward to in 2020.

Root Causes 57: Quantum Random Number Generation

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 12 Dec 2019 00:00:00 +0000

Random number generation is an essential part of successful cryptography. Quantum computers offer to improve this niche technology industry. Join our hosts to learn what quantum random number generators (qRNGs) are, how they stand to improve cryptography and other computing functions, and how they tie into post-quantum cryptography (or don't).

Root Causes 56: 2019 Lookback - Evolving Cryptography

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 9 Dec 2019 00:00:00 +0000

2019 saw important changes in the world's cryptographic standards, including changes in browser treatment of SSL certificates, the removal of a public CA from trusted root stores, widespread serial number entropy problems across many CAs, and progress in building quantum-resistant PKI. Join our hosts as they detail these going-on and others and talk about what 2020 may hold in terms of evolving cryptography.

Root Causes 55: California's New IoT Security Law

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 5 Dec 2019 00:00:00 +0000

California Senate Bill 327 (SB-327) goes into effect January 1, 2020. This groundbreaking ordinance requires basic security measures for devices deployed in California. Join us to learn what SB-327 requires from device manufacturers, which threats it protects against, and how this ordinance is leading the way toward stronger IoT security practices.

Root Causes 54: 2019 Lookback - Infrastructure and IoT Security

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 3 Dec 2019 00:00:00 +0000

2019 was a highly eventful year for infrastructure and IoT security. The year saw the emergence of wholesale attacks on the world's energy infrastructure, an epidemic of ransomware incidents against municipalities, heightened attention to automotive identity and security, and a number of legislative measures to try to secure this whole set of systems and devices. Join our hosts as they talk about the trends in IoT and infrastructure security in 2019 and where these trends may go in 2020.

Root Causes 53: 2019 Lookback - Governments Try to Control PKI

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 25 Nov 2019 00:00:00 +0000

2019 has been an eventful year for PKI. In this episode, first in a series of four lookbacks at the year, our hosts discuss how governments sought to control encryption, certificates, and public trust in 2019.

Root Causes 52: New TLS Certificate Incident Research

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 22 Nov 2019 00:00:00 +0000

New research out of Indiana University Bloomington reviews nearly 400 "incidents" with public SSL certificates over the course of more than a decade. Join us as we go through the main findings from this piece of original research, including methodology, incident types and causes, and rogue certificates.

Root Causes 51: Blockchain vs. PKI

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 19 Nov 2019 00:00:00 +0000

In our industry interactions we frequently run into questions about how PKI and blockchain compare with each other. How do they work similarly or differently? Are they surrogates for each other? Are they complimentary? Join us this episode as we explain the details of how blockchain and PKI work, similarities and differences between them, and what use cases are appropriate for each.

Root Causes 50: Energy Infrastructure Cyber Attacks

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 8 Nov 2019 00:00:00 +0000

Global energy infrastructure continues to find itself under cyber attack from Advanced Persistent Threats (APTs). Join our hosts as we discuss recent attacks on power plants, why these attacks persist, and possible responses.

Root Causes 49: California Consumer Privacy Act

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Wed, 6 Nov 2019 00:00:00 +0000

The California Consumer Privacy Act (CCPA) has been described by some as California's GDPR. This act provides broad protections to consumers in California, and businesses must comply starting January 1, 2020. Join us as we discuss this act, what protections it provides, and what businesses must do to comply.

Root Causes 48: Weaknesses in MFA Authentication

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 31 Oct 2019 00:00:00 +0000

A recent FBI warning cautions of attacks that circumvent Multi-Factor Authentication (MFA). Join us as we describe contemporary attacks against MFA and how to defend against them.

Root Causes 47: Quantum Apocalypse - Quantum Resistant Cryptography for IoT

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 25 Oct 2019 00:00:00 +0000

Expert consensus states that we will need to update cryptography before quantum computers break our existing algorithms in the next ten or fifteen years. But what do we do about IoT devices, which may lack updating mechanisms and live in the field for decades with little available access. Our hosts are joined by repeat guest Alan Grau as we explore how IoT has specific requirements and challenges for quantum resistant crypto.

Root Causes 46: Criminals Are Patching Browsers for TLS Fingerprinting Attacks

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 22 Oct 2019 00:00:00 +0000

In a new variant on a known attack, a Russian Advanced Persistent Threat has begun applying patches to Chrome and Firefox to enable TLS fingerprinting even after the malware is removed from a system. To learn more about this new development, join our hosts as they explain how this attack works, its significance, and where the criminals may go from here.

Root Causes 45: What Is the CA/Browser Forum?

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 18 Oct 2019 00:00:00 +0000

SSL certificate practices are governed by the rules of the CA/Browser Forum. But what is the CA/Browser Forum, who is in it, and where do they get their authority? If you've ever wondered about questions like these join our hosts as they describe the origins of the CA/Browser Forum and how it operates.

Root Causes 44: Automotive Device Security

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 15 Oct 2019 00:00:00 +0000

The automobile is undoubtedly among today's most complex, commonplace, and security-sensitive IoT devices. Our hosts describe the cyber threats facing connected cars, including real attacks that already have been proven, new challenges that will come with increasingly advanced capabilities, and what manufacturers can do to protect drivers from harm.

Root Causes 43: Quantum Apocalypse - More on Mosca's Inequality

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 11 Oct 2019 00:00:00 +0000

In episode 35 our hosts explained Mosca's Inequality, a formula for calculating when we need to have post-quantum encryption in place to prevent the Quantum Apocalypse. In this episode our hosts embark on a nuanced exploration of the factors influencing this calculation and test whether popular estimates are credible.

Root Causes 42: Anatomy of a Botnet

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 8 Oct 2019 00:00:00 +0000

We talk about botnets a lot, but not everyone understands how they are built and used by the criminals who control them or how headless IoT devices have greatly added to their power. Expert guest Alan Grau (VP of IoT and Embedded Security, Sectigo) joins us to help dissect today's botnets.

Root Causes 41: What Is Blockchain's Killer App?

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 3 Oct 2019 00:00:00 +0000

Our hosts frequently run into the assumption that blockchain and PKI are extremely similar technologies and are possibly even competitive to each other. While the two approaches accomplish some related goals, they are very different in how they work and ultimately accomplish different ends. Join us as we explain what blockchain actually does and how it compares to PKI, including some examples of use cases that are appropriate for each of these technologies.

Root Causes 40: The Reports of RSA's Death Are Greatly Exaggerated

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 1 Oct 2019 00:00:00 +0000

Recently at Black Hat and on public YouTube videos security newcomer Crown Sterling has claimed to factor the RSA algorithm. It turns out the breathlessly discussed feats were already accomplished as early as 1999. Join our hosts as they debunk this fundamentally misleading rumor and discuss the reality of RSA encryption today.

Root Causes 39: New University Research on Phishing and Certificates

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 26 Sep 2019 00:00:00 +0000

The majority of all phishing sites now use SSL certificates to more closely imitate the behavior of legitimate sites. New research from RWTH Aachen, a large, German technical university, investigates the patterns behind this certificate usage. Join our hosts as we dig into the details of these findings to learn specifically which certificate types are more or less likely to appear on phishing sites - and some thoughts on why.

Root Causes 38: Interesting Breaches in August

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 24 Sep 2019 00:00:00 +0000

The month of August saw some unusual criminal activity when it comes to PKI and malware. Our hosts explain four August news stories including a SHA-1 enabled breach, stolen certificates and keys, and some interesting developments with malware-driven botnets.

Root Causes 37: Quantum Apocalypse - Will Quantum Annealing Break Cryptography?

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 10 Sep 2019 00:00:00 +0000

Quantum annealing is a special case of quantum computing for which the engineering challenges are lessened - and therefore we expect computers of this sort to achieve stability sooner. In this episode we examine the potential for the quantum annealing approach to break RSA-based cryptography sooner than most people have been expecting, and the difficulty of predicting the "Z date" at all.

Root Causes 36: Quantum Apocalypse - The Search for Quantum Resistant Crypto

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 3 Sep 2019 00:00:00 +0000

Finding the new quantum-resistant cryptography we will need to replace RSA and ECC is a difficult task requiring the coordinated effort of academics, industry, and government. NIST has stepped in to lead this volunteer community. Join us to learn about this project to discover and vet going-forward crypto candidates, where we stand in the process, and where we go from here.

Root Causes 35: Quantum Apocalypse - Mosca's Inequality, Mad Max, and Mohawks

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 29 Aug 2019 00:00:00 +0000

Quantum computers have the potential to defeat the RSA and ECC encryption underlying our digital world. We must swap out these algorithms before quantum computers reach that stage of maturity. But how long to we have? Join our hosts Tim Callan and Jason Soroko as they explain how to calculate the ominously named "Z date," the possible consequences of missing that deadline, and potential hairstyles for a post-apocalyptic world.

Root Causes 34: Shadow IT and PKI

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 26 Aug 2019 00:00:00 +0000

Shadow IT has become a fact of the modern enterprise. SaaS, BYOD, outsourced development, embedded IT, DevOps, and public cloud have all chipped away at the CIO's ability to oversee and control the enterprise's technology systems. This fragmentation leads to identity and access challenges that can affect security, governance, auditability, and compliance. Join our hosts as they discuss these challenges and what IT departments can do to address them.

Root Causes 33: Prepare for One-year Limits on SSL Certificates

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 20 Aug 2019 00:00:00 +0000

The CA/Browser Forum faces a proposed ballot to limit the maximum duration of an SSL certificate to 13 months. Even if this ballot fails, browsers such as Google Chrome have the ability to simply distrust certificates of longer duration, creating the same de facto situation. Our hosts discuss the trend to shorter certificates, the pluses and minuses of decreased maximum term, and automation as the only solution to fill the gap.

Root Causes 32: Why Do Browsers and Academic Research Say Different Things About EV SSL?

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 15 Aug 2019 00:00:00 +0000

Breaking research from two esteemed universities shows that sites with Extended Validation SSL certificates are much less likely to be engaged in criminal behavior like malware and phishing. And yet, leading browsers are reducing or removing EV information from the interface. Join our hosts as they explore the research results, this paradoxical browser behavior, and the effect it's likely to have on consumer security.

Root Causes 31: Using PKI to Authenticate Phone Callers

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 13 Aug 2019 00:00:00 +0000

Few people know that caller ID numbers have no identity value as they are completely self-reported. This fact enables the plague of robocalling scams sweeping our society right now. Join our hosts as they discuss public telephony systems and other environments that suffer from this problem, where this situation creates vulnerabilities, and what can be done about it.

Root Causes 30: When a Whole Country Has Its PII Stolen - Giant Breach Fines - Phishing with SSL

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 6 Aug 2019 00:00:00 +0000

Recently we have seen major news items in some of the common Root Causes themes. Join our hosts as they discuss new whopping breach fines from GDPR and the FTC, what happens when an entire country has its PII stolen, and phishing sites with SSL.

Root Causes Special Bulletin: Kazakhstan Weaponizes the Public CA

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Wed, 31 Jul 2019 00:00:00 +0000

The Kazakhstan government is taking measures to force citizens to trust its own root, enabling the widespread persecution of dissidents, journalists, and human rights advocates. Join our hosts to learn the long history of Kazakhstan's weaponization of PKI, what its effects may be, and the opportunities and challenges the browser community faces in fighting it.

Root Causes 29: Vulnerabilities in Cisco Routers and Other Device Integrity Controls

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 25 Jul 2019 00:00:00 +0000

Security flaws in the device integrity modules of Cisco routers and other devices have lately filled the headlines. Join our hosts and guest Alan Grau as they discuss what is happening with these flaws, why, and what to do about it.

Root Causes 28: SSL Certificate Automation Through ACME

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 22 Jul 2019 00:00:00 +0000

ACME is a new SSL certificate automation standard that is taking the world by storm. With support by 150 million web sites and more than 130 open source tools, ACME is a key tool in your digital certificate bag. Join our hosts and guest Abul Salek as they discuss this ACME, why it's important, and what's next for this hugely popular standard.

Root Causes 27: Pending Safe Browser Guidelines from Germany

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 18 Jul 2019 00:00:00 +0000

The German government has published a draft of its latest guidelines for safe browsers, which include requirements for how SSL certificates are supported and treated. Join our hosts as they discuss the German safer browser requirements and their potential impact on Germany, other governments, and industry worldwide.

Root Causes 26: The White House Wants to Prohibit End-to-end Encryption

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Sun, 14 Jul 2019 00:00:00 +0000

The White House is the latest government entity seeking to defeat widespread encryption technology through legislated "back door" access. Join our hosts as they explain why such an idea is essentially unworkable and would endanger the confidential online business and personal services upon which we all depend.

Root Causes 25: Entropy and Random Numbers

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 2 Jul 2019 00:00:00 +0000

One cornerstone of successful cryptography is entropy, or the ability to create genuinely unpredictable values. But it turns out that generating truly random numbers is harder than you might think. Join our hosts as they discuss the need for randomness, the lengths companies go to to generate random numbers, and the bad things that can happen when they fail.

Root Causes 24: Certificate Revocation

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 27 Jun 2019 00:00:00 +0000

Occasional certificate revocation is an essential part of the digital certificate lifecycle and any secure PKI scheme. Not only do certificate owners need the revoke their own certificates, but also CAs sometimes need to revoke certificates to keep trust high. Join our hosts as they discuss the whys and wherefores of revocation by the CA, especially as it relates to code signing and malware.

Root Causes 23: Global Energy Grids Under Cyber Attack

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 20 Jun 2019 00:00:00 +0000

The world's energy grids and other utilities have increasingly become targets for cyber attack, both state-sponsored and otherwise. Join our hosts as they discuss the latest developments, possible consequences of cyber war against energy grids, and what we can do about it.

Root Causes 22: Attacks on US Cities with EternalBlue Cyber Weapon

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 7 Jun 2019 00:00:00 +0000

A recent spate of ransomware attacks against US municipalities is noteworthy for being enabled by the stolen US cyber weapon EternalBlue. Join our hosts as we explain this attack, its similarities to earlier incidents, and the whole syndrome of government-sponsored cyber war.

Root Causes 21: New Texas Energy Grid Security Regulation

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Wed, 5 Jun 2019 00:00:00 +0000

The state of Texas is leading the way with new legislation requiring cyber protections for its energy grid. Join our hosts as we explain this legislation, why it comes now, and its potential impact on the greater energy industry.

Root Causes 20: 885 Million First American Financial Customer Docs Exposed

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 31 May 2019 00:00:00 +0000

It was recently revealed that First American Title Corporation had 885 million confidential customer financial documents discoverable in the clear on its online site. These documents contain all the most sensitive information necessary for identity theft, spear phishing, and other exploits against individuals. Join our hosts as they discuss the details of this exposure, how it may have come about, and its potential consequences.

Root Causes 19: Death of a Public CA

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 30 May 2019 00:00:00 +0000

Mozilla has decided to remove a public CA from its trusted root store. By doing so Mozilla renders public certificates from this CA essentially valueless for almost all use cases. Join our hosts as the examine the reasons for this decision, how CA rules are made and maintained, and why an action like this one ultimately is healthy for the internet as a whole.

Root Causes 18: SHA-1 Collisions - TLS Fingerprinting - Cisco Trust Anchor Flaw

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 23 May 2019 00:00:00 +0000

Recent news has revealed several important developments in PKI and cyber trust. Our hosts cover the latest SHA-1 collision attack and why it signals the inevitable death of this hashing algorithm. We explain TLS fingerprinting and how it enables malware to defeat firewall AI protections. And we walk through reports of a flaw in the implementation of secure elements on Cisco routers.

Root Causes 17: Sectigo Acquires Icon Labs

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 16 May 2019 00:00:00 +0000

Sectigo's recent acquisition of Icon Labs expands the company's capabilities in embedded OEM and device identity. Jason and Tim are joined by Icon Labs co-founder Alan Grau as our podcasters explore the needs and potential vulnerabilities for connected devices and the suite of technologies that can address these security requirements.

Root Causes 16: PKI for DevOps Environments

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 14 May 2019 00:00:00 +0000

DevOps as a software development and deployment methodology has radically transformed enterprise computing. This approach brings with it new architectures and tools such as containerization, Kubernetes, and multi-cloud. Learn how PKI plays a critical role in DevOps environments and how enterprises can best use certificates to keep their platforms safe.

Root Causes 15: Architecture for Enterprise Certificate Automation

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 7 May 2019 00:00:00 +0000

Automation of certificate deployment and management is a must for today's enterprise. Complexity, changing environments, fast time to market, and simply scale all dictate that the old manual management methodology is dying away. Join our hosts as they detail the whys and hows of enterprise certificate automation. A must-listen for anyone seeking to understand this rapidly emerging technology space.

Root Causes 14: P2P Vulnerability in IoT Devices

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 2 May 2019 00:00:00 +0000

Recent research reveals millions of consumer IoT devices that lack any level of authentication or encryption at all. Join our hosts as we discuss the nature of IoT-based botnets and their negative consequences on enterprises, consumers, and the internet at large, including DDoS, phishing, and more.

Root Causes 13: PKI for IoT

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 25 Apr 2019 00:00:00 +0000

The proliferation of Internet of Things (IoT) devices in many cases has outpaced security for those devices, leaving enterprises, end users, and the general public exposed. Learn how identity is an essential part of protecting any service involving IoT devices and how PKI is positioned to provide that identity.

Root Causes 12: PKI in the News

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 16 Apr 2019 00:00:00 +0000

It was a busy news week for PKI and authenticated identity, and our hosts run through four current stories to clarify them. Tune in to learn the latest about the Dragonblood WPA3 vulnerability, Russian spoofing of GPS/GNSS navigation signals, Know Your Customer (KYC) for social media sites, and a Chinese national's apparent attempt to install a USB rootkit somewhere in Mar-a-Lago.

Root Causes 11: Authentication Is Not for the Authenticated

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Thu, 11 Apr 2019 00:00:00 +0000

With so much debate about the role and importance of authentication in digital systems, it is important to remember the purpose of authenticated identity in our cyber interactions. Join us for a discussion of who benefits from known identity, what can go wrong when identity is obscured, and why ecosystems must include incentives for members to participate in identity authentication.

Root Causes 10: S/MIME Automated Deployment

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Wed, 3 Apr 2019 00:00:00 +0000

S/MIME certificates indicate the authentic identity of the sender and enable encryption for message content and attachments - providing strong defenses against a variety of email-based attacks. Nonetheless, adoption today is extremely small. Find out what the challenges to past adoption have been for this underutilized security technology and what the industry is doing to help enterprises secure their email today.

Root Causes 09: 63-bit Serial Numbers

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Mon, 25 Mar 2019 00:00:00 +0000

A recently discovered flaw in common practices reveals that potentially millions of active SSL certificates fall short of cryptographic requirements. Learn how it is that 64-bit certificate serial numbers might offer only 63 bits of entropy and what CAs have to do about it.

Root Causes 08: Free PKI Is Not Free

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Tue, 19 Mar 2019 00:00:00 +0000

The promise of a "free" Microsoft CA was alluring to enterprises in the 2000s, but today's increasingly open computing architectures and agile development methodology have outgrown your old fashioned Microsoft CA. Learn about the seven common use cases where your traditional CA no longer does the job.

Root Causes 07: Russian Disconnection from the Internet

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Sat, 9 Mar 2019 23:50:00 +0000

Russia has stated that it will disconnect from the internet as a trial exercise for full-blown cyber warfare. This idea presents many problems for Russian services, systems, and businesses, especially since they depend on global systems such as DNS and public Certificate Authorities. Join us to learn some of the problems facing Russia will face if indeed it disconnects.

Root Causes 06: Quantum-Resistant Cryptography

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Sat, 9 Mar 2019 23:00:00 +0000

The pending cryptographic Quantum Apocalypse requires that we replace the hashing and encryption algorithms used through the internet, enterprise networks, mobile service, and popular devices. Join our experts to learn more about the requirements for quantum-resistant algorithms to survive the Quantum Apocalypse.

Root Causes 05: Cryptographic Quantum Apocalypse

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Sat, 9 Mar 2019 22:00:00 +0000

Root Causes 04: Australia's New IT Security Back Door

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 8 Mar 2019 19:00:00 +0000

Australia now requires a back door to IT systems. Our hosts are skeptical that this idea will work. Join our PKI experts to learn about the dangers and pitfalls of such a system - and why they have failed in the past.

Root Causes 03: US Government Shutdown and Security Vulnerabilities

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 8 Mar 2019 15:00:00 +0000

The US government shutdown has taken its toll on IT systems. Services are going offline, and we are ill equipped to deal with a major security or service crisis. Tune in to learn more about the risks of the ongoing shutdown to the government's technical infrastructure.

Root Causes 02: O2 Outage and Equifax Breach

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 8 Mar 2019 14:00:00 +0000

In December users of O2, Softbank, and other mobile services experienced a day-long data outage affecting as many as 40 million people. In the summer of 2017 148 million Americans lost their personal data in the Equifax breach. The common thread? Both occurred due to certificate expirations. Join our hosts to learn more about this trending vulnerability.

Root Causes 01: Introduction

tim.callan@sectigo.com (Jason Soroko, Tim Callan) — Fri, 8 Mar 2019 00:00:00 +0000

Intro to the leading PKI and security podcast. Learn your hosts' qualifications and reasons for creating this podcast.