Not surprisingly, 2048-bit keys now protect 90% of the world’s TLS hosts. The use of 4096-bit keys have quadrupled, as a share of hosts, but we expect it to start shrinking again as Elliptic Curve Digital Signature Algorithm (ECDSA) gains favor.
That report was issued in 2017, however, and I can find no newer report.
My question is… is there a more recent report that has more up-to-date stats?
I recently acquired a Microsoft Authenticode Code-signing certificate as a renewal of another one which will expire soon.
Obviously, the new certificate has no reputation attached to it, and will take some time and installs in order to be fully trusted.
My question is: If I sign an executable with both certificates, will the new one start building reputation?
I have already verified that the installer is trusted when it has both signatures.
The same computer I use for work at home is the same one I use for personal things (gaming, social media) and, of course, internet banking.
I’m a back-end developer and recently I started to work with Fiddler to intercept requests coming from mobile apps to debug an API… Exploring the tool, I saw that Fiddler has a configuration that uses some of these certs and decrypts the header and body of a request and response.
I’d like to know if it’s safe to have these self-signed certs installed on the computer for use by some applications, like Fiddler or Postman for instance. Don’t they open security breaches?
I have an application which was distributed looooong ago. That application offers an HTTPS interface to clients with client certificate authentication. At the time the application was released, providing certificates with a 1024-bit key length was probably OK. Although we always advised customers to update the default cert with one from their own PKI, most of them are just using the default one, so I have thousands of instances running like this. Now I need to write a client (in Python) to query that application. This client will run on more modern Linux distros where libs and client apps are compiled against OpenSSL 1.1.1a. As a result I always get the error below when trying to access the HTTPS interface using the weak default client cert:
OpenSSL error:
140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
Running the same code on older distros (with older OpenSSL) or using an application compiled against GnuTLS works OK.
A few questions:
- Am I right in thinking this is a limitation introduced for security reasons in OpenSSL?
- If so, when was it introduced?
- Is there a way to disable this check? (preferably without recompiling client libs)
It’s now 2019, and the web sure has come a long way. Nowadays, most providers have some built-in "free SSL" plugin to help enable and protec…
I recently added a fourth SSL “COMODO RSA” cert to my IIS10 Server 2016.
This is a dev server so we have one IP address and use host headers for a variety of domains in IIS.
If I inspect the bindings, they are tied to the correct certificate and the checkbox for “Require Server Name Indication” is on.
When the site is accessed, the browser shows an SSL warning, and if I inspect the cert it says “Issued to: localhost”.
I used mmc to look at the server’s Local Computer \ Personal \ Certificates and they are there. I have restarted IIS, restarted the server, reissued the cert and the issue persists.
What else can I check?
The desired scenario is as the title suggests: Multiple Node.js servers/apps/websites, on separate domains, each with own SSL certificate, on a single server with a single IP address. So far I have tried:
A proxy catching all incoming requests and forwarding them to respective apps/servers, on separate, non-443 ports: Does not work, since the proxy server can only run on a single SSL certificate, which will throw an error for all but one of the domains.
Apps running on different ports and DNS pointing at these ports: Does not work, since an HTTPS connection will always go to port 443. The SRV DNS record can’t change this for ports 443 and 80.
Using a single SSL cert issued for an IP address: Is somehow possible, but after doing some research on this, it is not such a good idea.
Servers responding to specific hostnames:
Error: listen EADDRNOTAVAIL 123.456.789.000:443. This is where I expected the server to ignore all requests but those where hostname is the domain.name. But still, you can’t run multiple servers on a single port.
So back to square one: what I need is a proxy, which establishes a connection with an SSL certificate for the specific requested hostname, and forwards the request to an app/server running on a unique port. How?
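The setup this last question asks for (one listener on port 443 that picks the certificate by requested hostname and forwards to an app on its own port) is what TLS Server Name Indication provides. The following is an added example, not part of the original post, using Node's `SNICallback` option; the hostnames, certificate paths and backend ports are placeholders.

```javascript
const fs = require('fs');
const http = require('http');
const https = require('https');
const tls = require('tls');

// Hypothetical routing table: hostnames, file paths and ports are placeholders.
const ROUTES = {
  'app-one.example': { key: '/etc/ssl/app-one.key', cert: '/etc/ssl/app-one.pem', port: 3001 },
  'app-two.example': { key: '/etc/ssl/app-two.key', cert: '/etc/ssl/app-two.pem', port: 3002 },
};

// Normalise a name from SNI or a Host header: lower-case, strip port and trailing dot.
function normalizeHost(name) {
  if (typeof name !== 'string') return '';
  return name.trim().toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
}

// Return the route for a hostname, or null when it is not configured.
function findRoute(routes, name) {
  const host = normalizeHost(name);
  return Object.prototype.hasOwnProperty.call(routes, host) ? routes[host] : null;
}

// One HTTPS listener; the certificate is chosen per handshake from the SNI name.
function createSniProxy(routes) {
  const contexts = new Map(); // one SecureContext per hostname, loaded on first use
  const SNICallback = (servername, cb) => {
    const host = normalizeHost(servername);
    const route = findRoute(routes, host);
    if (!route) return cb(new Error(`no certificate configured for ${host}`));
    if (!contexts.has(host)) {
      contexts.set(host, tls.createSecureContext({
        key: fs.readFileSync(route.key), cert: fs.readFileSync(route.cert),
      }));
    }
    cb(null, contexts.get(host));
  };
  return https.createServer({ SNICallback }, (req, res) => {
    const route = findRoute(routes, req.headers.host);
    // Refuse a Host header that differs from the name the TLS session was negotiated for.
    if (!route || normalizeHost(req.headers.host) !== normalizeHost(req.socket.servername)) {
      res.writeHead(421); return res.end('Misdirected Request');
    }
    const upstream = http.request(
      { host: '127.0.0.1', port: route.port, method: req.method, path: req.url, headers: req.headers },
      (up) => { res.writeHead(up.statusCode, up.headers); up.pipe(res); });
    upstream.on('error', () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(upstream);
  });
}
```

Start it with `createSniProxy(ROUTES).listen(443)`. Because no default certificate is configured, a client that sends no SNI name gets no certificate and its handshake fails.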