Articles about tls

Are you undermining your web security by checking on it with the wrong tools?

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent US-CERT advisory have warned. The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on …
Kieren McCarthy, 17 Mar 2017

GlobalSign screw-up cancels top websites' HTTPS certificates

Final update GlobalSign's efforts as a root certificate authority have gone TITSUP this afternoon – that's a total inability to support usual protocols. The result is that many websites big and small have had their HTTPS certificates incorrectly scrapped, meaning that for some people their browsers no longer trust websites and refuse or …

Unmasking malware in TLS connections? It can be done, say Cisco researchers

A group of researchers who work for Cisco* reckons malicious traffic in TLS tunnels can be spotted and blocked – without decrypting user traffic. That's good news in the corporate setting, because today's protection relies on the controversial approach of terminating the encryption to inspect the traffic. In this paper at …

One-third of all HTTPS websites open to DROWN attack

Security researchers have discovered a new technique for deciphering the contents of supposedly secure communications. The DROWN attack - it has already got a name, like recent high profile crypto attacks Lucky13, BEAST, and POODLE - is a “cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date …
John Leyden, 1 Mar 2016
Crypto fingers

Gmail growls with more bad message flags to phoil phishers

Google's taking some of the user interface techniques it uses to flag insecure Web pages and applying them to email. The plan: to warn users of Gmail on the Web when they receive emails from people who aren't using encrypted connections, or if message authentication fails. The change is outlined on the Gmail blog. While a …
classroom_shutterstock_648

Supplier promises to nudge UK schools towards secure webmail

The HTTPS Everywhere campaign received a small boost this week with a commitment by a UK schools technology provider to roll out secure logins for a service used by many educational establishments. Reg reader and former school governor Paul F tipped us off about security shortcomings of the RM Easymail which he claimed were so …
John Leyden, 4 Feb 2016
Unlocked padlock

Security industry too busy improving security to do security right

The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for mandatory migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS). Earlier this year, the council decided the time to make the final cutover was June 2016. Now the council says it's just too hard for …
Simon Sharwood, 21 Dec 2015

Finding security bugs on the road to creating a verifiably secure TLS lib

Microsoft and French research organization Inria have jointly published the source code for a more secure implementation of TLS – a first step in hopefully increasing the security of millions online. The software library emerged from a project called MiTLS, whose website mitls.org is curiously missing in action at time of …
John Leyden, 25 Nov 2015

Sensitive Virgin Media web pages still stuck on weak crypto software

More than six months since The Register reported that Virgin Media had failed to move away from weak encryption software used on sensitive areas of its website – the ISP is yet to hit the upgrade button. In March, we flagged up security concerns to the Liberty Global-owned firm by pointing out that the RC4 stream cipher used …
Kelly Fiveash, 4 Oct 2015
Crypto fingers

Amazon just wrote a TLS crypto library in only 6,000 lines of C code

Amazon Web Services has released a new, open source library that implements TLS encryption – the standard behind the secure HTTPS web protocol – using far less code than the prevailing OpenSSL library. Dubbed s2n for "signal to noise," the new library comprises just over 6,000 lines of C code. By comparison, OpenSSL consists …
Compressed version of Log Jam

'Logjam' crypto bug could be how the NSA cracked VPNs

Updated A team led by Johns Hopkins crypto researcher Matthew Green* thinks they might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman crytography. In what's bound to be the next big branded bug, Green says servers that support 512-key “export-grade” Diffie-Hellman (DH) can be …

IETF updates TLS/SSL best practice guidance

Do: start rolling TLS 1.3, support TLS 1.2, and DTLS 1.2. Don't: negotiate sessions using TLS 1, TLS 1.1, SSL 2 or SSL 3. Those are the Internet Engineering Task Force's latest recommendations, set out in RFC 7525, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). …

Netflix's house of cards to be fortified with HTTPS appliance

Netflix will this year roll out HTTPS to keep customer's viewing habits secret. The streaming company's April earnings letter (PDF) says it will make the move because it "helps protect member privacy, particularly when the network is insecure, such as public wifi, and it helps protect members from eavesdropping by their ISP or …
Darren Pauli, 17 Apr 2015
Unlocked padlock

Hawk like an Egyptian: Google is HOPPING MAD over fake SSL certs

Updated Google says security biz MCS Holdings has created unauthorized SSL certificates for some Google-owned websites. Anyone with these dodgy certificates could, in theory, set up a web server that masquerades as a legit Google site, and redirect people to the fake site by hijacking their DNS. Chrome and the latest Firefox web …
Iain Thomson, 24 Mar 2015

FREAK show: Apple and Android SSL WIDE OPEN to snoopers

Security researchers are warning of a flaw in OpenSSL and Apple's SecureTransport – a hangover from the days when the US government was twitchy about the spread of cryptography. It's a flaw that allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections if you use a …
Iain Thomson, 3 Mar 2015

Zombie POODLE wanders in, cocks leg on TLS

Google might have taken POODLE to a distant country road, let it out and driven away fast, but according to Qualys, the vulnerability has returned, repurposed, as an attack on Transaction Layer Security (TLS). Designated CVE-2014-8730, the new attack vector exploits the same class of problem as POODLE: an error in the handling …
Random numbers

IETF takes rifle off wall, grabs RC4 cipher's collar, goes behind shed

The IETF is getting ready to finally kill off the venerable-but-vulnerable RC4 cipher. The group has issued a last call for comments before humming over a proposal that Internet-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS). It's a simple enough change, but in the wide world of the …

Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority

A new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting next year. The move will make it even more easier for people to run encrypted, secure HTTPS websites. Let’s Encrypt aims to provide an easier way to obtain and use a digital …
John Leyden, 18 Nov 2014

Create a news alert about tls, or find more stories about tls.

Biting the hand that feeds IT © 1998–2017