Articles about tls

Zombie POODLE wanders in, cocks leg on TLS

Google might have taken POODLE to a distant country road, let it out and driven away fast, but according to Qualys, the vulnerability has returned, repurposed, as an attack on Transaction Layer Security (TLS). Designated CVE-2014-8730, the new attack vector exploits the same class of problem as POODLE: an error in the handling …
Random numbers

IETF takes rifle off wall, grabs RC4 cipher's collar, goes behind shed

The IETF is getting ready to finally kill off the venerable-but-vulnerable RC4 cipher. The group has issued a last call for comments before humming over a proposal that Internet-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS). It's a simple enough change, but in the wide world of the …

Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority

A new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting next year. The move will make it even more easier for people to run encrypted, secure HTTPS websites. Let’s Encrypt aims to provide an easier way to obtain and use a digital …
John Leyden, 18 Nov 2014

Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat

Poodle If you're using the popular OpenSSL open source cryptography library, you have more to worry about than the recently disclosed POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, project devs have warned. In addition to patching two POODLE-related bugs, new releases of OpenSSL issued on Wednesday also close …
Neil McAllister, 15 Oct 2014
3-rotor WWII Enigma

Microsoft thumbs nose at NSA, hardens crypto for Outlook, OneDrive

Microsoft has flipped the switch to activate stronger encryption on its OneDrive and Outlook.com cloud services as part of a broader effort to make it harder for the NSA and other spying agencies to snoop on its customers' data. Specifically, Outlook.com now supports TLS encryption on all connections to its servers, both …
Printed key

Net tech bods at IETF mull anti-NSA crypto-key swaps in future SSL

Standards stewards on the Internet Engineering Task Force (IETF) are planning to drop RSA key exchanges from TLS 1.3, the next revision of SSL. The technical body is instead eying up algorithms that use short-lived encryption keys, aka ephemeral keys, that can sidestep surveillance dragnets by the likes of the NSA. …
John Leyden, 8 May 2014

OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts

Updated Robin Seggelmann, the man who accidentally introduced the password-leaking Heartbleed bug into OpenSSL, says not enough people are scrutinizing the crucial cryptographic library. The Heartbleed flaw, which was revealed on Monday and sent shockwaves through the IT world all week, allows attackers to reach across the internet …
Chris Williams, 11 Apr 2014

Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug

Analysis The password-leaking OpenSSL bug dubbed Heartbleed is so bad, switching off the internet for a while sounds like a good plan. A tiny flaw in the widely used encryption library allows anyone to trivially and secretly dip into vulnerable systems, from your bank's HTTPS server to your private VPN, to steal passwords, login …

FTC: Do SSL properly or we'll shove a microscope up you for decades

The US Federal Trade Commission (FTC) has forged settlement deals with a pair of companies accused of botching their SSL encryption and leaving people vulnerable to identity thieves. According to the watchdog, Fandango and Credit Karma failed to implement basic safeguards when sending highly sensitive personal information over …
Shaun Nichols, 28 Mar 2014
Printed key

New design flaw found in crypto's TLS: Pretend to be a victim online

Security researchers have developed a new man-in-the-middle attack against the cryptographic protocol TLS – a protocol that is used to encrypt online banking and shopping, and other sensitive connections, to thwart eavesdroppers. The so-called Triple Handshake attack can, in certain conditions, outwit vital checks carried out …
John Leyden, 5 Mar 2014

Update your Mac NOW: Apple fixes OS X 'goto fail' SSL spying vuln

Apple has released OS X 10.9.2 which, you'll be delighted to know, improves the "accuracy" of the unread message count in Mail, and fixes the autofill feature in Safari among other little tweaks. It also just so happens to snap shut a gaping security vulnerability that potentially allowed hackers to hijack users' bank accounts …
Chris Williams, 25 Feb 2014
Apple product placement

Apple Safari, Mail and more hit by SSL spying bug on OS X, fix 'soon'

Apple has admitted a bug in Mac OS X 10.9.1 allows hackers to intercept and decrypt SSL-encrypted network connections – and has promised to release a fix "very soon." Sensitive information, such as bank card numbers and account passwords, sent over HTTPS, IMAPS and other SSL-protected channels from vulnerable Mac computers …
Chris Williams, 23 Feb 2014

Update your iThings NOW: Apple splats scary SSL snooping bug in iOS

Updated2 Apple has updated its mobile operating system iOS to patch a bug that blows apart the integrity of encrypted connections. Versions 7.0.6 and 6.1.6, available now for download, fixes a vulnerability that could allow "an attacker with a privileged network position" to "capture or modify data in sessions protected by SSL/TLS," …
Chris Williams, 21 Feb 2014
The NSA Unchained

Mandatory HTTP 2.0 encryption proposal sparks hot debate

Most Internet Engineering Task Force (IETF) debates pass unnoticed, because they're very dry and detailed. However, a suggestion that the HTTP 2.0 specification might mandate encryption – in a post-Snowden world – is too tasty an idea to go under the radar. The suggestion sparking the debate came from HTTPbis chair, Mark …
The Register breaking news

Gmail, Outlook.com and e-voting 'pwned' on stage in crypto-dodge hack

Black Hat 2013 Security researchers say they have developed an interesting trick to take over Gmail and Outlook.com email accounts - by shooting down victims' logout requests even over a supposedly encrypted connection. And their classic man-in-the-middle attack could be used to compromise electronic ballot boxes to rig elections, we're told …
John Leyden, 1 Aug 2013

Security damn well IS a dirty word, actually

Sysadmin blog An interesting feature popped up on Ars Technica recently; website journo Nate Anderson discusses how he learned to crack passwords. The feature is good; good enough for to me to flag it up despite that journalistic competition thing*. That said, the feature gently nudges – but does not explore – a few important points that …
Trevor Pott, 26 Mar 2013
The Register breaking news

HTTPS cookie crypto CRUMBLES AGAIN in hands of stats boffins

Fresh cryptographic weaknesses have been found in the technology used by Google and other internet giants to encrypt online shopping, banking and web browsing. The attack, developed by security researchers at Royal Holloway, University of London and University of Illinois at Chicago, targets weaknesses in the ageing but …
John Leyden, 15 Mar 2013
The Register breaking news

Unlucky for you: UK crypto-duo 'crack' HTTPS in Lucky 13 attack

Two scientists say they have identified a new weakness in TLS, the encryption system used to safeguard online shopping, banking and privacy. The design flaw, revealed today, could be exploited to snoop on passwords and other sensitive information sent by users to HTTPS websites. Professor Kenny Paterson from the Information …
John Leyden, 4 Feb 2013

Create a news alert about tls, or find more stories about tls.

Biting the hand that feeds IT © 1998–2017