27 September 2018
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
The credit card company Visa operates a TLS certificate authority that is currently trusted by all major browsers. Visa doesn’t sell certificates to end users; the certificates are used for their own services and by some banks. Lately, questions have arisen about the operations of the Visa CA.
Mozilla’s Wayne Thayer started a discussion about this issue on the Mozilla policy list and created a Wiki page listing issues with the Visa CA. These include incomplete security audits (the Baseline Requirements mandate complete annual audits), repeated issuance of certificates that fall below the required security level (SHA-1 signatures, 1024-bit RSA keys), and malformed certificates. In many of these cases, Visa has not revoked the affected certificates in a timely manner.
No representative from Visa has participated in the discussion on the Mozilla policy list, which is unusual. Certificate authorities are expected to explain how they will solve issues and prevent them from happening in the future if such issues are raised.
Google developer Ryan Sleevi thinks Visa’s inaction should have consequences: “Given the past issues, the recently identified issues (that appear to have been longstanding), and the new issues that Visa's PKI Policy team is actively engaging in, I believe it would be appropriate and necessary to consider removing trust in this CA.”
Visa has not responded to our requests for comments.
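Two of the misissuance classes listed above, SHA-1 signatures and 1024-bit RSA keys, are easy to detect mechanically. The following Go program is an added example (not code from the newsletter or from any CA); it builds two self-signed test certificates with the standard library, one deliberately weak and one acceptable, and runs a small linter over them. The thresholds (no SHA-1 signatures, RSA keys of at least 2048 bits) are assumptions taken from the CA/Browser Forum Baseline Requirements, and the certificates are constructed locally, not real Visa-issued ones.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the assumed Baseline Requirements minimum for RSA subscriber keys.
const MinRSABits = 2048

// CheckCert returns one finding per Baseline Requirements defect it detects:
// a SHA-1 based signature algorithm, or an RSA public key shorter than MinRSABits.
// An empty result means neither defect was found.
func CheckCert(cert *x509.Certificate) []string {
	var findings []string

	// Any SHA-1 based signature algorithm is forbidden for publicly trusted certs.
	switch cert.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		findings = append(findings, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}

	// Only RSA keys are size-checked here; the modulus bit length is the key size.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		if bits := pub.N.BitLen(); bits < MinRSABits {
			findings = append(findings, fmt.Sprintf("RSA key too short: %d bits (minimum %d)", bits, MinRSABits))
		}
	}
	return findings
}

// makeTestCert creates a self-signed certificate with the requested RSA key size
// and signature algorithm. This is constructed test input for the linter above,
// not a certificate issued by any real CA.
func makeTestCert(bits int, sigAlg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "lint-test.example"},
		DNSNames:           []string{"lint-test.example"},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: sigAlg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	weak, err := makeTestCert(1024, x509.SHA1WithRSA)
	if err != nil {
		panic(err)
	}
	good, err := makeTestCert(2048, x509.SHA256WithRSA)
	if err != nil {
		panic(err)
	}
	fmt.Println("weak cert findings:", CheckCert(weak))
	fmt.Println("good cert findings:", CheckCert(good))
}
```

The check deliberately operates on a parsed certificate rather than on a chain verification result: Go's verifier refuses SHA-1 signatures outright, so a linter that wants to report why a certificate is non-compliant has to inspect the fields itself.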