Enabling Secure Business Operations

Removing Trusted Certificates from Android

September 15th, 2011

In all the discussion about maintaining a secure posture around trusted certificates, we often forget about the little guys: our mobile devices. They ship with a trust store just like our desktops and laptops, and a rogue certificate is just as dangerous to them. Unfortunately, managing the certificates on these devices is not always easy. If you own an Android device and would like a little more control over what it trusts, here is how you can do it.

Remove a CA Cert from the Android System Store
You will need the BouncyCastle library, which you can grab here:
BouncyCastle Library

You will also need the Android SDK in order to use adb. It can be found here if you don't already have it:
Android SDK
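The following script is an added example for this page, not the procedure from the original post. It shows how the two prerequisites above fit together: on Android releases before 4.0 the system trust store is a single BouncyCastle BKS keystore at /system/etc/security/cacerts.bks, keytool can only open a BKS file when the BouncyCastle provider jar is on its provider path, and adb is what moves the file off and back onto the device. Everything not stated on the page is an assumption: that the device is rooted with a remountable /system, that the store uses the stock password "changeit", that BCPROV points at the downloaded bcprov jar, and all of the variable and function names. The sample keytool listing embedded in the script is constructed so the alias-matching helper can be run offline.

```shell
#!/bin/sh
# Added example, not the original post's steps. Removes a CA from the
# pre-4.0 Android system trust store (a BouncyCastle BKS keystore).
# Assumptions: rooted device with remountable /system, stock store
# password "changeit", BCPROV set to the bcprov jar path.
set -e

BCPROV="${BCPROV:-bcprov-jdk16-146.jar}"      # assumed jar name
STORE_PATH=/system/etc/security/cacerts.bks
LOCAL_STORE=cacerts.bks
STOREPASS=changeit                             # stock password, assumed unchanged

# keytool cannot read BKS without the BouncyCastle provider on its path.
keytool_bks() {
  keytool "$@" -keystore "$LOCAL_STORE" -storetype BKS -storepass "$STOREPASS" \
    -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider \
    -providerpath "$BCPROV" < /dev/null
}

# Pure helper: read `keytool -list` output on stdin and print the alias of
# every trusted-certificate entry whose alias contains the pattern
# (case-insensitive). keytool prints one entry per line as
#   <alias>, <date>, trustedCertEntry,
# followed by a fingerprint line, so field 1 of a ", "-split line is the alias.
aliases_matching() {
  pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tr '[:upper:]' '[:lower:]' |
    awk -F', ' -v pat="$pat" '/trustedcertentry/ && index($1, pat) { print $1 }'
}

# Constructed sample of `keytool -list` output for offline use; the
# aliases and fingerprints are made up.
SAMPLE_LISTING='Keystore type: BKS
Keystore provider: BC

Your keystore contains 3 entries

diginotar root ca, Oct 18, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 7A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09
comodo aaa services root, Jan 1, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 10:21:32:43:54:65:76:87:98:A9:BA:CB:DC:ED:FE:0F
diginotar services 1024 ca, Oct 18, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0'

# Runs the helper over the constructed listing; used to check it offline.
demo_aliases() {
  printf '%s\n' "$SAMPLE_LISTING" | aliases_matching "$1"
}

# Full procedure against a connected device: pull the store, keep a
# backup, delete every matching alias, push the store back with the
# original mode and reboot so the running system re-reads it.
remove_ca() {
  adb pull "$STORE_PATH" "$LOCAL_STORE"
  cp "$LOCAL_STORE" "$LOCAL_STORE.orig"
  keytool_bks -list | aliases_matching "$1" | while read -r alias; do
    echo "deleting: $alias"
    keytool_bks -delete -alias "$alias"
  done
  adb remount
  adb push "$LOCAL_STORE" "$STORE_PATH"
  adb shell chmod 644 "$STORE_PATH"
  adb reboot
}

# Usage: BCPROV=/path/to/bcprov.jar sh remove_ca.sh DigiNotar
if [ $# -eq 1 ]; then
  remove_ca "$1"
fi
```

Keep the .orig copy: if the pushed store is rejected (wrong password, truncated push), restoring it is the only way back short of reflashing. Note that this layout only applies up to Android 2.3; from Android 4.0 onward the system CAs are individual files under /system/etc/security/cacerts/ and a system CA can be disabled from the Settings app without root.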

Certification Authorities Behaving Badly

August 30th, 2011

Edited September 2 with an update on Apple/Safari.

Another case of a certification authority (CA) issuing a certificate it never should have has surfaced. You may remember when we discussed the Comodo incident earlier this year. Now a certificate issued by DigiNotar has surfaced in the wild, valid for *.google.com, meaning that whoever holds its private key can impersonate any Google web property, including GMail, to every browser that still trusts DigiNotar. According to this pastebin post, this certificate “is being used in the wild against real people in Iran *right* now.” DigiNotar has issued a statement. Here is some information about why this is bad, and what steps you should take to remove this issuer from your trust lists.
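As an added example of removing an issuer from a trust list (not part of the original post), the script below handles the Debian/Ubuntu case: the system bundle /etc/ssl/certs/ca-certificates.crt is built by update-ca-certificates from /etc/ca-certificates.conf, and an entry prefixed with "!" is left out of the bundle and its symlink removed on the next rebuild. The function names, the sample conf and the DigiNotar file name are my assumptions; check the real entry names on your host with grep -i diginotar /etc/ca-certificates.conf before applying it.

```shell
#!/bin/sh
# Added example, not the original post's instructions. Deselects a CA in
# Debian's /etc/ca-certificates.conf and rebuilds the system bundle.
# The DigiNotar file name below is an assumption about the package
# contents at the time; verify it against your own conf first.
set -e

CONF="${CONF:-/etc/ca-certificates.conf}"

# Pure helper: print the enabled entries matching the pattern, so you can
# see what would be disabled before touching the file.
enabled_matching() {
  pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  awk -v pat="$pat" '
    /^[ \t]*#/ || /^[ \t]*$/ || /^!/ { next }
    index(tolower($0), pat) { print }'
}

# Pure helper: read a ca-certificates.conf on stdin and write it back out
# with every enabled entry whose path matches the pattern (case-insensitive)
# prefixed with "!". Comments, blank lines and entries that are already
# disabled pass through unchanged, so running it twice is harmless.
distrust_in_conf() {
  pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  awk -v pat="$pat" '
    /^[ \t]*#/ || /^[ \t]*$/ || /^!/ { print; next }
    { if (index(tolower($0), pat)) print "!" $0; else print $0 }'
}

# Constructed sample conf for running the helpers offline.
SAMPLE_CONF='# Lines starting with # are comments
# Lines starting with ! deselect the certificate
mozilla/Comodo_AAA_Services_root.crt
mozilla/DigiNotar_Root_CA.crt
!mozilla/Some_Already_Disabled_CA.crt
mozilla/Equifax_Secure_CA.crt'

demo_distrust() {
  printf '%s\n' "$SAMPLE_CONF" | distrust_in_conf "$1"
}

# Apply to the real file, keeping a backup, then rebuild the bundle.
# update-ca-certificates drops the symlinks for "!" entries from
# /etc/ssl/certs and rewrites ca-certificates.crt without them.
apply_distrust() {
  echo "disabling:"
  enabled_matching "$1" < "$CONF"
  cp "$CONF" "$CONF.bak"
  distrust_in_conf "$1" < "$CONF.bak" > "$CONF"
  update-ca-certificates
}

# Usage: sudo sh distrust_ca.sh DigiNotar
if [ $# -eq 1 ]; then
  apply_distrust "$1"
fi
```

Two caveats a practitioner should keep in mind. Removing a root distrusts every certificate that chains to it, not just the rogue one, so expect breakage on legitimate sites that used the same issuer. And this only changes the OS bundle: Firefox carries its own NSS trust store and needs the root disabled in its own certificate manager, while on Windows the equivalent is to place the CA certificate in the Untrusted Certificates store (certutil -addstore Disallowed), which blocks it even if it is later re-added to Trusted Root Certification Authorities.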


Can’t Create a New Certificate Template to Issue?

March 23rd, 2010

As some of you know, a lot of my background is in the world of Public Key Infrastructure. I've been involved in every phase of PKI, including developing certification authority and ASN.1/DER encoding/decoding software, developing automated registration authority components, creating certificate policies and certification practice statements, and designing and rolling out production PKIs for large organizations.

Increasingly, organizations are turning to Active Directory Certificate Services, formerly known as Microsoft Certificate Services. The reasons are many: it's included with the purchase of your Windows Server product, it's easy to configure and use, and did I mention it doesn't cost any (additional) money? The Microsoft product is a fairly good one and provides a lot of customization and configuration, so it can be useful in just about every environment. We use this product for our company-issued certificates that are used to encrypt email.
