Articles about ssl


GCHQ's infosec crew plans to 'scale up' Web Check to improve uk.gov site security

Efforts to improve the UK.gov's secure server setup are being ramped up through an expansion of a scheme from the National Cyber Security Centre, the infosec folk at British crypto and intel agency GCHQ. The web certificate set-up and …
John Leyden, 27 Mar 2018

Leading by example: UK.gov's secure server setup is patchy at best

The security of UK government websites is inconsistent, and local authorities are among the worst offenders. Ministers have for years spoken about making the UK "one of the most secure places in the world to do business in cyberspace", one component of which is making government services available online. The government also …
John Leyden, 20 Mar 2018

23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours. This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are …
John Leyden, 1 Mar 2018

UK.gov law resources now untrustworthy, according to browsers

The SSL certificate on the criminal justice and court listing site justice.gov.uk expired yesterday, causing browsers to now warn users that their information is at risk. The site can still be accessed if users click through their browser's warnings, and contains resources on courts, procedure rules and offenders. It is …

Oops: LinkedIn country subdomains SSL cert just expired

Updated LinkedIn's country subdomain SSL certificate has expired – apparently as of about noon GMT today. According to the sslscan certificate testing tool, us.linkedin.com and all its altnames were no longer valid at the time of publication. The certificate issuer is DigiCert SHA2 Secure Server CA. The certificate for the naked …
Andrew Silver, 30 Nov 2017

Mozilla devs discuss ditching Dutch CA, because cryptowars

Concerns at the effect of The Netherlands' new security laws could result in the country's certificate authority being pulled from Mozilla's trust list. The nation's Information and Security Services Act will come into force in January 2018. The law includes metadata retention powers similar to those enacted in other countries …

Scotiabank internet whizzkids screw up their HTTPS security certs

The team behind Scotiabank's Digital Banking Unit isn't impressing some customers, after forgetting to renew the security certificates for their own website. The DBU was set up last year to sell "world class digital solutions" to electronic banking customers around the world. But Jason Coulls, CTO of food safety testing …
Iain Thomson, 8 Sep 2017

ARM’s embedded TLS library fixes man-in-the-middle fiddle

ARM's "mbed TLS" software can be tricked into an authentication bypass and needs a patch. Created by PolarSSL, which was acquired in February by ARM, mbed is a crypto library designed to make it easy for embedded system developers to add SSL/TLS capabilities to their products. As well as client-server models (that is, an …

123-reg resolves secure database access snafu

UK-based hosting and domains provider firm 123-reg has fixed an issue that meant access to some customers' databases ran over an unsecured link, creating a privacy risk in the process. A reader and 123-reg hosting customer got in touch over the issue after failing to get action directly from the hosting firm over the problem, …
John Leyden, 28 Jun 2017

Apple finally teaches Android music app to validate certificates

If you're so much an Apple fan that you run Apple Music on Android devices, there's an upgrade to patch against a man-in-the-middle vulnerability. Eight months ago, Canadian security researcher David Coomber discovered that Apple Music for Android 1.2.1 and older doesn't validate the SSL certificates presented when logging …

Are you undermining your web security by checking on it with the wrong tools?

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent US-CERT advisory have warned. The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on …
Kieren McCarthy, 17 Mar 2017

One IP address, multiple SSL sites? Beating the great IPv4 squeeze

We're fresh out of IPv4 addresses. Getting hold of a subnet from your average ISP for hosting purposes is increasingly difficult and expensive; even the public cloud providers are getting stingy. While we wait for IPv6 to become usable, there are ways to stretch out the IPv4 space. There are several big problems with IPv6 that …
Trevor Pott, 1 Mar 2017

What do you give a bear that wants to fork SSL? Whatever it wants!

Into a world already crowded with big name alternatives to OpenSSL, an indy project could look like “yet another SSL implementation,” but Vulture South suspects there are good reasons to take a close look at the just-launched BearSSL. One is that its author, Thomas Pornin, has ignored the kinds of legacy protocols that occupy …

User danger declines as two thirds of Chromistas now use HTTPS

Two in three web pages served over the world's favourite web browser Chrome are now secured with HTTPS, Google says. The good news applies to Chrome on the desktop and signifies progress in the long-hoped-for decline of insecure cleartext browsing. Chrome security bods Adrienne Porter Felt and Emily Schechter say all …
Darren Pauli, 7 Nov 2016

GlobalSign screw-up cancels top websites' HTTPS certificates

Final update GlobalSign's efforts as a root certificate authority have gone TITSUP this afternoon – that's a total inability to support usual protocols. The result is that many websites big and small have had their HTTPS certificates incorrectly scrapped, meaning that for some people their browsers no longer trust websites and refuse or …

Intel's Crosswalk open source dev library has serious SSL bug

Developers using Intel's Crosswalk SSL library: it's time to patch and push out an upgrade. Crosswalk is a cross-platform library that supports deployment to Android, iOS and Windows Phone, but the bug is Android-specific. The library has a bug in how it handles SSL errors, and as a result, end users on Android could be …

WordPress pushes free default SSL for hosted sites

WordPress has deployed HTTPS for its hosted sites*, in what is a huge security boon for users. April statistics by W3techs found 26.3 percent of all content management systems run WordPress. Systems engineer Barry Abrahamson from WordPress' parent company Automattic says the roll out will be transparent and administrators …
Darren Pauli, 11 Apr 2016

Security industry too busy improving security to do security right

The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for mandatory migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS). Earlier this year, the council decided the time to make the final cutover was June 2016. Now the council says it's just too hard for …
Simon Sharwood, 21 Dec 2015


Biting the hand that feeds IT © 1998–2018