Wanted: Senior Software Engineer (Back-End) [Manila]

Title: Senior Software Engineer / Lead

Location: Manila

Languages: English

 

Who we are

GlobalSign was formed in 1996 as one of the Internet’s original trust service providers (you probably know us as a Certificate Authority). Over the years we have issued millions of digital certificates that have been used to secure commerce and communication on the Internet. Our solutions take the pain out of using cryptography and help organizations solve complex problems with increased productivity and peace of mind.

 

What we’re going to do

The web has changed a lot since 1996 but how we bootstrap trust on it has not changed much – we are going to fix that.

 

Who we’re looking for

We are building a small engineering team here in the Seattle area and another in Manila and need senior developers who are passionate about security and building technology for the modern web.

In this role you’ll write high-performance web services, core security subsystems, key management solutions, architect new solutions that make certificate and key management a breeze and interact with the open source community.

Most importantly, you’ll be a leader – writing groundbreaking code that continually changes and influences the industry.

 

Skills & Experience

  • Architecting, designing and implementing core services, processes and technologies that provide reliability, high availability, performance and scalability.
  • Extensive experience with database design and deployment.
  • Experience with applied cryptographic concepts such as certificates, certificate chains, and key management with a healthy interest in their XML and JSON counterparts.
  • Experience designing highly interactive web applications with performance, scalability, usability, and security in mind.
  • Experience developing software on Unix/Linux.
  • Love your version control (Git preferably).
  • Understanding of security risks and secure software development.
  • Enjoys prototyping and iterating stuff.
  • Bonus points for speaking Japanese.

 

Required Qualifications

  • 5 years dynamic / scripting language programming, with background in C/C++ systems programming preferred.
  • 5 years of experience with database administration, support, optimizations and monitoring.
  • 5 years of design and development of extremely high volume, high availability applications and systems.
  • 2+ years experience in Systems Engineering / Administration with firm understanding of *nix architecture.
  • Strong Computer Science fundamentals (data structures and algorithms).
  • Bachelor’s degree in Computer Science, or equivalent experience. Engineering or related discipline highly recommended.
  • Awesomeness trumps all other requirements.

 

If this sounds like it could be you, send us a CV and some examples of the work that you’re most proud of.

 

GlobalSign is an equal opportunity employer with locations all over the world. Aside from being a great place to work we offer an excellent benefit package that includes Health, Dental, 401k, Life Insurance, and a generous time off and holiday schedule.

All applicants will be considered without regard to race, color, religion, sex, national origin, age, marital or veteran status; medical condition, disability; or any other legally protected status.

 

Keywords: Authentication, Authorization, Fraud, TCP/IP, load balancing, reverse-proxies, production web scaling, high-availability, high-volume web services, distributed systems and programming language design, Openssl, Bouncy Castle

Wanted: Senior Software Engineer / Lead [Manila]

Title: Senior Software Engineer / Lead

Location: Manila

Languages: English

 

Who we are

GlobalSign was formed in 1996 as one of the Internet’s original trust service providers (you probably know us as a Certificate Authority). Over the years we have issued millions of digital certificates that have been used to secure commerce and communication on the Internet. Our solutions take the pain out of using cryptography and help organizations solve complex problems with increased productivity and peace of mind.

 

What we’re going to do

The web has changed a lot since 1996 but how we bootstrap trust on it has not changed much – we are going to fix that.

 

Who we’re looking for

We are building a small engineering team here in Manila and need a senior developer with leadership experience who is passionate about security and creating beautiful user experiences.

We want someone who feels someone who feels comfortable on both the front- and back-end, who loves learning new stuff, who’s entrepreneurial, a technical leader, a true creative problem solver.

As a Senior Software Engineer and lead, you’ll write help us recruit and manage new team members and build our engineering team to into a powerhouse. You’ll design and build high-volume web services, amazing user experiences and interact with the open source community.

 

Skills & Experience

  • HTML/CSS/Javascript (jQuery, AJAX, etc.) master with a healthy interest in HTML5, REST and JSON.
  • Experience with one or more server-side languages and frameworks especially Java, Node.js and PHP.
  • Experience designing highly interactive web applications with performance, scalability, usability, and security in mind.
  • Experience with relational database schema design and queries.
  • Experience developing software on Unix/Linux.
  • Love your version control (Git preferably).
  • Understanding of applied cryptographic concepts such as certificates, certificate chains, key management.
  • Understanding of security risks and secure software development.
  • Enjoys prototyping and iterating stuff.
  • Bonus points for speaking Japanese.

 

Required Qualifications

  • 5 years dynamic / scripting language programming, with background in Java and C++ programming preferred.
  • 2+ years experience in Systems Engineering / Administration with firm understanding of *nix architecture.
  • 2+ years experience as a technical lead / manager.
  • Strong Computer Science fundamentals (data structures and algorithms).
  • Bachelor’s degree in Computer Science, or equivalent experience. Engineering or related discipline highly recommended.
  • Awesomeness trumps all other requirements.

 

If this sounds like it could be you, send us a CV and some examples of the work that you’re most proud of.

 

GlobalSign is an equal opportunity employer with locations all over the world. Aside from being a great place to work we offer an excellent benefit package that includes Health, Dental, 401k, Life Insurance, and a generous time off and holiday schedule.

All applicants will be considered without regard to race, color, religion, sex, national origin, age, marital or veteran status; medical condition, disability; or any other legally protected status.

Wanted: IT Analyst [Tokyo]

Title: IT Analyst

Location: Tokyo, Japan

Languages: Japanese, written English.

 

Who we are

GlobalSign was formed in 1996 as one of the Internet’s original trust service providers (you probably know us as a Certificate Authority). Over the years we have issued millions of digital certificates that have been used to secure commerce and communication on the Internet. Our solutions take the pain out of using cryptography and help organizations solve complex problems with increased productivity and peace of mind.

 

Who we’re looking for

We are looking for an up-and-coming system administrator with a passion for security. For the right candidate this is an amazing opportunity to work with the IT manager to help design, build and support a global information technology program.

What they will do

  • Deploy and support of Windows and Apple based PCs.
  • Deploy and support of Windows and Unix based servers.
  • Set up end user accounts, permissions, and access rights in accordance within the documented security policy.
  • Maintain multiple applications, and systems, network infrastructure, and promoting industry best practices.
  • Follow up on requests, deployments & incidents/issues (including escalation) and ensure proper and timely closure.
  • Monitor server performance to determine whether adjustments need to be made, and to determine where changes need to be made in the future.
  • Scripting and general of automation of common tasks.
  • Respond to communications from end users about server, workstation, network, database, and hardware issues.
  • Create adhoc reporting as requested.

Skills & Experience

  • At least two years’ experience in a similar role within a small to medium enterprise.
  • A minimum of 1 year of prior experience working with IT Helpdesk or IT Technical support required.
  • Intermediate knowledge of Windows and Unix systems.
  • Intermediate ability to diagnose and troubleshoot performance, and reliability of all aspects of a desktop environment.
  • Basic ability to diagnose and troubleshoot basic server configuration issues.
  • Excellent global communication skills in both formal and informal settings with all organizational levels of employees.
  • Basic knowledge of scripting languages such as Python as well as some experience in web based and service oriented application delivery and a desire to learn more.
  • Ability to multi-task and work in a fast pace environment and possess a strong drive to succeed and take the initiative to perform tasks in a timely manner.
  • Ability to work in a team and individually.
  • Basic knowledge of Security concepts.
  • Must be flexible to work early or late office hours, weekends, when required
  • Must display the ability to remain calm under pressure.
  • Required to carry duty Mobile and response to urgent calls.

 

GlobalSign is an equal opportunity employer with locations all over the world. Aside from being a great place to work we offer an excellent benefit package that includes Health, Dental, 401k, Life Insurance, and a generous time off and holiday schedule.

All applicants will be considered without regard to race, color, religion, sex, national origin, age, marital or veteran status; medical condition, disability; or any other legally protected status.

 

Keywords:

Windows, Linux, Unix, System Administration, Account Management, Troubleshooting, Diagnosing, Patch Management, Antivirus, Firewalls

 

Wanted: Information Technology Manager [Tokyo]

Title: Information Technology Manager

Location: Tokyo, Japan

Languages: English and Japanese

 

Who we are

GlobalSign was formed in 1996 as one of the Internet’s original trust service providers (you probably know us as a Certificate Authority). Over the years we have issued millions of digital certificates that have been used to secure commerce and communication on the Internet. Our solutions take the pain out of using cryptography and help organizations solve complex problems with increased productivity and peace of mind.

 

Who we’re looking for

We are looking for a seasoned Information Technology manager with a background in security. For the right candidate this is an amazing opportunity to report directly to the CTO and build a small team chartered to design, build and manage a global information technology program.

 

What they will do

  • Create a clear technology roadmap connecting vision to technology including setting aggressive but realistic project schedules.
  • Identify, evaluate and select new and emerging technologies that can be assimilated within the company and significantly improve competitiveness.
  • Hire, manage and train a small team made up of one direct and several remote dotted-line professionals in offices in the United States, United Kingdom and the Philippines.
  • Build a team culture where growth is encouraged; you will both train and mentor your team and develop a positive team moral and culture.
  • Work closely with global business leaders across the company to direct technological research through awareness of organization goals, strategies, practices, and user projects.
  • Architect, deploy and manage the operation of secure, reliable and cost-effective IT and telephone infrastructure.
  • Author and maintain policy, processes and procedures to train staff and ensure the smooth delivery of IT services.
  • Regularly report on service availability, reliability and security.
  • Participate in disaster recovery and business continuity exercises.
  • Contribute technically for all aspects of system management, including troubleshooting when required.
  • Perform product and service evaluations to select best products to meet operational and budget requirements. As well as manage vendor relationships and negotiate associated contracts.
  • Establish, track and enforc organization, IT, and financial goals and metrics.

 

Skills & Experience

  • At least two years’ experience in lead or management role in a small to medium enterprise.
  • MCSE or similar certification is desirable.
  • Experience designing, deploying and managing Active Directory and DNS in a global environment.
  • Experience designing, deploying and managing secure network infrastructure including 802.1x, RADIUS, VLANs, Firewalls and remote access.
  • Experience with Anti-Virus, Back-Up and Security Suites.
  • Required to carry duty mobile and response to urgent calls.
  • Occasional travel to international offices.
  • Strong written and oral communication skills required.
  • Preference for experience using virtualization.
  • Strong preference for applicants with experience with security.

 

GlobalSign is an equal opportunity employer with locations all over the world. Aside from being a great place to work we offer an excellent benefit package that includes Health, Dental, 401k, Life Insurance, and a generous time off and holiday schedule.

All applicants will be considered without regard to race, color, religion, sex, national origin, age, marital or veteran status; medical condition, disability; or any other legally protected status.

 

Keywords:

Patch Management, Antivirus, Firewalls, IDS, IPS, AD, DNS, RADIUS, 802.1x, EAP, VPN, IPSEC, Active Directory, Smart Cards, Two Factor Login, Windows, Unix, Linux, Antivirus, Active Directory

 

 

Wanted: Network and System Specialist [Singapore]

Title: Network and System Specialist

Location: Singapore

Languages: English, Japanese is a plus.

 

Who we are

GlobalSign was formed in 1996 as one of the Internet’s original trust service providers (you probably know us as a Certificate Authority). Over the years we have issued millions of digital certificates that have been used to secure commerce and communication on the Internet. Our solutions take the pain out of using cryptography and help organizations solve complex problems with increased productivity and peace of mind.

 

Who we’re looking for

We are looking for an up-and-coming system administrator with a passion for security. For the right candidate this is an amazing opportunity to build and operate a high-availability secure system to power modern web applications

 

What they will do

  • Administration and maintenance of network and system infrastructure including: Maintain service availability, reliability, performance and facilitate incident response
    • Network equipment (Routers, Switches , Firewall / IPS).
    • Load balancers, proxy Servers and web servers.
    • Unix hosts (Redhat) and Databases (SQL).
  • Hardening and monitoring of security of hosts and network devices.
  • Ensure that the network is operating at optimum performance and with high availability by continually reviewing areas of improvement.Support disaster recovering and business continuity exercises.
    • Recommend the optimum or alternative solutions.
    • Monitor and maintain service availability.
    • Ensure procedures are documented.
    • Ensure compliance to policies and procedures.
    • Follow up on requests, deployments & incidents/issues (including escalation) and ensure proper and timely closure.
  • Ability to diagnose and troubleshoot performance, and reliability of all aspects of system.
  • Development and deployment of automation of common tasks.

 

Skills & Experience

  • At least two years’ experience in a similar role.
  • Ability to work in a team and individually.
  • Ability to multi-task and work in a fast pace environment
  • Prior experience maintaining up-to-date operation and procedure documentation.
  • Candidate able to work extended hours and weekends
  • Required to carry duty Mobile and response to urgent calls
  • Strong preference for applicants with experience with PKI and cryptographic key management.
  • Preference for experience using virtualization.
  • Preference for applicants with experience working in a high-availability environment with %99.999 up-time.

 

GlobalSign is an equal opportunity employer with locations all over the world. Aside from being a great place to work we offer an excellent benefit package that includes Health, Dental, 401k, Life Insurance, and a generous time off and holiday schedule.

All applicants will be considered without regard to race, color, religion, sex, national origin, age, marital or veteran status; medical condition, disability; or any other legally protected status.

 

Wanted: Software Engineer [Seattle/Manila]

Title: Software Engineer

Location: Greater Seattle Area and Manila

Languages: English

 

Who we are

GlobalSign was formed in 1996 as one of the Internet’s original trust service providers (you probably know us as a Certificate Authority). Over the years we have issued millions of digital certificates that have been used to secure commerce and communication on the Internet. Our solutions take the pain out of using cryptography and help organizations solve complex problems with increased productivity and peace of mind.

 

What we’re going to do

The web has changed a lot since 1996 but how we bootstrap trust on it has not changed much – we are going to fix that.

 

Who we’re looking for

We are building a small engineering team here in the Seattle area and another in Manila and need developers who feel comfortable on both the front- and back-end. People who love learning new stuff, self-starters — true creative problem solvers.

We want someone who feels knows behavior between and across browsers, best practices, and when and it and is not okay to use an OnClick event.

Someone who believes tested code is happy code, that when done right security can enable new scenarios, that APIs should be easy to consume and that a well thought out platform is significant part of a projects success.

 

Skills & Experience

  • HTML/CSS/Javascript (jQuery, AJAX, etc.) with a healthy interest in HTML5, REST and JSON.
  • Experience with one or more server-side languages and frameworks especially Java, Node.js and PHP.
  • Interest in developing highly interactive web applications with performance, scalability, and usability in mind.
  • Experience working with Linux, Apache, and relational databases. Bonus points for having written your own stored procedure before.
  • Experience developing software in a professional environment, including source control, bug tracking, unit testing
  • Understanding of security risks and secure software development.
  • Understanding of the similarities and differences across browsers (both young and old).
  • Love your version control (Git preferably).
  • Enjoys prototyping and iterating stuff.
  • Bonus points for speaking Japanese.

 

Required Qualifications

  • 2 years dynamic / scripting language programming, with background in Java and C++ programming preferred.
  • 1+ years experience in Systems Engineering / Administration with firm understanding of *nix architecture.
  • Bachelor’s degree in Computer Science, or equivalent experience. Engineering or related discipline highly recommended.
  • Awesomeness trumps all other requirements.

 

If this sounds like it could be you, send us a CV and some examples of the work that you’re most proud of.

 

GlobalSign is an equal opportunity employer with locations all over the world. Aside from being a great place to work we offer an excellent benefit package that includes Health, Dental, 401k, Life Insurance, and a generous time off and holiday schedule.

All applicants will be considered without regard to race, color, religion, sex, national origin, age, marital or veteran status; medical condition, disability; or any other legally protected status.

 

Wanted: Senior Software Engineer (Front-End) [Seattle]

Title: Senior Software Engineer (Front-End)

Location: Greater Seattle Area

Languages: English

 

Who we are

GlobalSign was formed in 1996 as one of the Internet’s original trust service providers (you probably know us as a Certificate Authority). Over the years we have issued millions of digital certificates that have been used to secure commerce and communication on the Internet. Our solutions take the pain out of using cryptography and help organizations solve complex problems with increased productivity and peace of mind.

 

What we’re going to do

The web has changed a lot since 1996 but how we bootstrap trust on it has not changed much – we are going to fix that.

 

Who we’re looking for

We are building a small engineering team here in the Seattle area and need a senior developer who is passionate about security and creating beautiful user experiences. In this role you’ll be able to use your experience to help us recruit new team members and build our engineering team to into a powerhouse.

We want someone who feels someone who feels comfortable on both the front- and back-end, who loves learning new stuff, who’s entrepreneurial, a technical leader, a true creative problem solver.

You’ll have experience with security technologies but your background will be focused on building experiences that bridge the gap between user needs and technology requirements. You’ll also have experience building fault-tolerant, high performance, and highly scalable systems.

 

Skills & Experience

  • HTML/CSS/Javascript (jQuery, AJAX, etc.) master with a healthy interest in HTML5, REST and JSON.
  • Experience with one or more server-side languages and frameworks especially Java, Node.js and PHP.
  • Experience designing highly interactive web applications with performance, scalability, usability, and security in mind.
  • Experience with relational database schema design and queries.
  • Experience developing software on Unix/Linux.
  • Love your version control (Git preferably).
  • Understanding of applied cryptographic concepts such as certificates, certificate chains, key management.
  • Understanding of security risks and secure software development.
  • Enjoys prototyping and iterating stuff.Bonus points for speaking Japanese.

 

Required Qualifications

  • 5 years dynamic / scripting language programming, with background in C/C++ systems programming preferred.
  • 2+ years experience in Systems Engineering / Administration with firm understanding of *nix architecture.
  • Strong Computer Science fundamentals (data structures and algorithms).
  • Bachelor’s degree in Computer Science, or equivalent experience. Engineering or related discipline highly recommended.
  • Awesomeness trumps all other requirements.

 

If this sounds like it could be you, send us a CV and some examples of the work that you’re most proud of.

 

GlobalSign is an equal opportunity employer with locations all over the world. Aside from being a great place to work we offer an excellent benefit package that includes Health, Dental, 401k, Life Insurance, and a generous time off and holiday schedule.

All applicants will be considered without regard to race, color, religion, sex, national origin, age, marital or veteran status; medical condition, disability; or any other legally protected status.

How to seed the CryptoAPI URL cache with an OCSP response

It is possible to “staple” an OCSP response into higher level protocols such as TLS. This concept has been supported in Windows since Windows VISTA, shortly after it was added to OpenSSL/Apache and soon it will also be in Nginx.

When “stapling” is used the subscriber (the web server in the TLS case) requests the status of his own certificate from the OCSP responder his CA operates to get a time valid OCSP response for his own certificate.

Since the OCSP response is signed by the CA it can be relayed by the web server for the duration in which that OCSP response is time valid to save the client of the web server (the relying party, aka the browser) the need to make an additional socket connection back to the CA.

This has both performance and privacy benefits.

You can apply the same concept to other PKI related protocols/applications as well, for example in a document signing application like Adobe Acrobat. In such an application the subscriber might sign the document, timestamp it using a timestamp protocol like RFC 3161 and then attach a time valid OCSP response to it so that the document is verifiable at a later date.

This scenario is important not only for its performance and privacy benefits but because it is a practical necessity because CAs do not typically maintain revocation information (OCSP responses and CRLs) for expired certificates.

By stapling the OCSP response to the signed and time-stamped document the relying party can verify the signature, the certificates and the revocation status of the certificates in the context of the timestamp that was attached to the document.

But how do you do that with CryptoAPI?

It’s actually pretty straight forward, as the relying party when you call CertGetCertificateChain to validate the associated certificate you need to:

  1. Once you have verified your timestamp is cryptographically valid and trusted, take the time it and pass it in as pTime.
  2. On the CERT_CONTEXT there is a CERT_INFO structure that contains an array of CERT_EXTENSION, here you create an extension of type CERT_OCSP_RESPONSE_PROP_ID and in there you put a basic signed OCSP response .

When CryptoAPI does the chain validation it will try to use the OCSP response you passed in, if it finds a problem with the provided response it may go online to get a new one that is “OK”.

This online behavior can be controlled by indicating to CertGetCertificateChain you do not want online revocation checking (see CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY).

Ryan

CryptoAPI, Revocation checking, OCSP and the Unknown certStatus

In CryptoAPI one can use the CertGetCertificateChain API to do the path building and basic chain validation, this validation may include revocation checking depending on which flags you pass via dwFlags; for example these flags control if revocation checking occurs, and if so, on which certificates:

  • CERT_CHAIN_REVOCATION_CHECK_END_CERT
  • CERT_CHAIN_REVOCATION_CHECK_CHAIN
  • CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT

Typically you would specify CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT which ensures the whole chain is checked (where possible – e.g. one shouldn’t bother asking the root if he considers himself revoked).

But in the context of OCSP what are the potential revocation related returns we might see?

  1. Revoked – I have received a signed response from the CA or have had policy pushed to me that tells me that this certificate is not to be trusted.
  2. Not Revoked – I have received a signed response from the CA that says this certificate was not revoked.
  3. Unknown – I have received signed response from the CA that says it doesn’t know anything about this certificate.
  4. Offline – I was unable to reach the responder to verify the status of the certificate.

Each of these cases are clearly represented in the API that is used by CertGetCertificateChain to perform the revocation check, this API is CertVerifyRevocation. The higher level CertGetCertificateChain however only has two possible returns: Revoked and Unknown outside the “not revoked” case.

One might assume the OCSP Unknown would get mapped into the Revoked state, this unfortunately is not the case, it is returned as unknown, as does the Offline error.

This means that if OCSP was used you cannot tell what the actual status was, this is especially problematic since IE and Chrome both default to modes where they ignore “Unknown” revocations due to concerns over Revocation responder performance and reliability.

It is possible to work around this platform behavior though — the problem is that it’s not documented anywhere, let’s take a quick stab at doing that here.

First since CertGetCertificateChain doesn’t tell us what method was used to do revocation checking we have to use heuristics to figure it out. Thankfully to enable OCSP stapling in higher level protocols like TLS the OCSP response is passed back to the caller if OCSP was used; to get that we need to know:

1. The CERT_CHAIN_ELEMENT in the returned CHAIN_CONTEXT points to the following revocation information:

  • PCERT_REVOCATION_INFO pRevocationInfo;
  • PCERT_REVOCATION_CRL_INFO   pCrlInfo;
  • PCCRL_CONTEXT           pBaseCrlContext;

2. For an OCSP response, the CRL_CONTEXT is specially created to contain the full OCSP response in the following critical extension szOID_PKIX_OCSP_BASIC_SIGNED_RESPONSE.

  • The presence of this extension indicates an OCSP response was used.
  • The Issuer name in the CRL is the name of the OCSP signer.
  • The signature algorithm is sha1NoSign.
  • ThisUpdate and NextUpdate contain the response validity period.

With this we can take the OCSP response from the CRL_CONTEXT and then look at the “ResponseData” within it, you will need to look within the “responses” here,  you will need to find the right “SingleResponse” based on its “CertID”.

NOTE: Some responders will return the status of multiple certificates in a response even if the status of only one was requested.

You now can determine what the responder said the status of the certificate was by inspecting “certStatus” element.

This is a fair amount of work unfortunately but it does enable you to do the right thing with authoritative “Unknown” responses.

Ryan

Serving OCSP on a CDN

So last week we moved our revocation repositories behind a CDN, this has a number of great benefits but it does have downsides though, for example.

  1. Cache misses result in a slower response – About a 110ms in my tests.
  2. OCSP clients that create POSTs get a slower response – This is because they are treated like a cache miss.

Our CDN provider mitigates much he first issue by having a pre-loader that ensures its cache is pre-populated based on request history.

Addressing the second issue requires the CDN provider to be aware of OCSP protocol semantics, specifically the fact that one can compute what a GET request would look like by simply Base64 encoding the binary body of the POST variation.

A CDN with knowledge of this can optimize out the POST derived cache miss, our CDN has done this the change has not yet propagated to all of their datacenters but where it has POST performs the same as a GET.

Hopefully this optimization will have propagated to all their datacenters by next week, when this logic is fully deployed the clients that generate POST based OCSP requests (without a nonce) will also have ~100ms response times.

I should probably ad that in our case almost all of the POST based OCSP requests we receive come from Firefox and do not contain a nonce, hopefully soon Firefox will move to using GET for requests without a nonce like other clients.