Articles about ssl

Cobweb 'fesses up to failure to renew SSL certificate

Cloudy service provider Cobweb Solutions has 'fessed up to failing to renew its SSL certificate, leaving a number of its customers potentially exposed. The lack of a protocol for secure communication only came to light after one of Cobweb's customers got in touch to report the issue. Adrian Smith, security consultant, …
Kat Hall, 23 Oct 2015

O2 joins Virgin Media as member of weak crypto software club

It turns out that Virgin Media isn't the only telco still using the weak RC4 stream cipher on the more sensitive areas of its website. Step forward O2, which is also stuck on the broken SSL system. The mobile carrier, as spotted by Reg reader Stephen, still transfers customer bank details over the weak crypto algorithm. If …
Kelly Fiveash, 21 Oct 2015

Faked NatWest, Halifax bank sites score REAL security certs

UK Banks Halifax and NatWest are among organisations targeted by fake sites that have won SSL certificates from certification authorities (CAs). Netcraft says certifiers who should know better – such as Symantec, Comodo, CloudFlare's certification partner GlobalSign and GoDaddy – have handed out certs to sites like …
Simon Sharwood, 13 Oct 2015

So how do Google's super-smart security folk protect their data?

It's a question that occurs to many of us: if digital security is such a minefield, how do you keep your personal data safe? One person who knows about the risks is Adam Langley. As a security engineer at Google, he makes key decisions about how your data is spread around the internet. He also has access to systems that would …
Kieren McCarthy, 24 Sep 2015

Symantec fires staff caught up in rogue Google SSL cert snafu

Symantec has fired some employees after Google engineers noticed rogue SSL certificates issued in the web goliath's name. Thawte, Symantec's certificate authority subsidiary, produced a small number of security certificates intended for internal testing. Worryingly, in the wrong hands, these certificates could have been used …
John Leyden, 21 Sep 2015

John McAfee launches cert authority but it's got a POODLE problem

Eccentric infosec man John McAfee is now the proprietor of a Certificate Authority named BlackCert. Fresh from a shootout friendly discussion with police over drug and firearm possession, the one-time anti-virus boss has made what is badged as a disruptive play into SSL. BlackCert will offer unlimited use of SSL certificates …
Darren Pauli, 13 Aug 2015

'Logjam' crypto bug could be how the NSA cracked VPNs

Updated A team led by Johns Hopkins crypto researcher Matthew Green* thinks they might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman cryptography. In what's bound to be the next big branded bug, Green says servers that support 512-key “export-grade” Diffie-Hellman (DH) can be …

IETF updates TLS/SSL best practice guidance

Do: start rolling TLS 1.3, support TLS 1.2, and DTLS 1.2. Don't: negotiate sessions using TLS 1, TLS 1.1, SSL 2 or SSL 3. Those are the Internet Engineering Task Force's latest recommendations, set out in RFC 7525, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). …

Zuck'ed up: Facebook opens up free internet in India – but bans HTTPS

Facebook's Internet.org has loosened the stranglehold on its free internet service in India and other countries. Now potentially any website can be accessed for free via the service as long as the site ditches HTTPS, JavaScript, and other things. The social network offers free mobile internet access to people in India, …
Shaun Nichols, 4 May 2015

Instagram's HTTPS cert expires, millions of crap photographers panic

Instagram's SSL certificate has expired, showing the urine-filled-swimming-goggles-vision site's supposed commitment to security seems to have been a bit of a filter-job. Instagram first rolled out HTTPS in 2014 when a vulnerability was reported by InfoSec specialist Mazin Ahmed. Ahmed used Wireshark to capture unencrypted …

Man-in-the-Middle diddle hits 25,000 iOS apps

Some 25,000 iOS apps are exposed to man-in-the-middle attacks thanks to vulnerabilities in the popular AFNetworking library. The now-fixed Secure Sockets Layer (SSL) bug is the latest found in the library which has been patched three times since March. US firm SourceDNA says the flaw existed in code that was near a previous …
Darren Pauli, 28 Apr 2015

Web advertising giant (Google) to spew ads over web – using HTTPS

Google has vowed to serve ads over HTTPS from its massive advertising network. The move will make it easier for website owners to go fully SSL-protected, serving their webpages and ads over HTTPS rather than just the pages over HTTPS and mixing in ads over HTTP, which is insecure. It also means each ad and its link can't be …
Darren Pauli, 20 Apr 2015

Netflix's house of cards to be fortified with HTTPS appliance

Netflix will this year roll out HTTPS to keep customers' viewing habits secret. The streaming company's April earnings letter (PDF) says it will make the move because it "helps protect member privacy, particularly when the network is insecure, such as public wifi, and it helps protect members from eavesdropping by their ISP or …
Darren Pauli, 17 Apr 2015

Mozilla piles on China's SSL cert overlord: We don't trust you either

Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC). This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, …

RAGING Google SLAPS naughty Chinese root cert kingpins CNNIC

Google has announced it will no longer recognise the Chinese Internet Network Information Centre (CNNIC) as a Root Certificate Authority, following an investigation into unauthorised certificates issued for several Google domains. Adam Langley, a security engineer at the Chocolate Factory, wrote that Google had become aware of …

Met Police in egg/face blunder as shop-a-crim site's SSL cert expires

The Metropolitan Police has allowed its SSL certificate to expire, possibly exposing users of its website to criminal snooping – and leaving victims and witnesses of crime vulnerable to exploitation. With shocking disregard for the most basic standards of web security, the Met have allowed their SSL certificate for https:// …

FREAKing hell: ALL Windows versions vulnerable to SSL snoop

Microsoft has confirmed that its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack. This means if you're using the company's Windows operating system, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel …
Darren Pauli, 6 Mar 2015

FREAK show: Apple and Android SSL WIDE OPEN to snoopers

Security researchers are warning of a flaw in OpenSSL and Apple's SecureTransport – a hangover from the days when the US government was twitchy about the spread of cryptography. It's a flaw that allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections if you use a …
Iain Thomson, 3 Mar 2015


Biting the hand that feeds IT © 1998–2017