Articles about tls

One-third of all HTTPS websites open to DROWN attack

Security researchers have discovered a new technique for deciphering the contents of supposedly secure communications. The DROWN attack - it has already got a name, like recent high profile crypto attacks Lucky13, BEAST, and POODLE - is a “cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date …
John Leyden, 1 Mar 2016
Crypto fingers

Gmail growls with more bad message flags to phoil phishers

Google's taking some of the user interface techniques it uses to flag insecure Web pages and applying them to email. The plan: to warn users of Gmail on the Web when they receive emails from people who aren't using encrypted connections, or if message authentication fails. The change is outlined on the Gmail blog. While a …
classroom_shutterstock_648

Supplier promises to nudge UK schools towards secure webmail

The HTTPS Everywhere campaign received a small boost this week with a commitment by a UK schools technology provider to roll out secure logins for a service used by many educational establishments. Reg reader and former school governor Paul F tipped us off about security shortcomings of the RM Easymail which he claimed were so …
John Leyden, 4 Feb 2016
Unlocked padlock

Security industry too busy improving security to do security right

The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for mandatory migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS). Earlier this year, the council decided the time to make the final cutover was June 2016. Now the council says it's just too hard for …
Simon Sharwood, 21 Dec 2015

Finding security bugs on the road to creating a verifiably secure TLS lib

Microsoft and French research organization Inria have jointly published the source code for a more secure implementation of TLS – a first step in hopefully increasing the security of millions online. The software library emerged from a project called MiTLS, whose website mitls.org is curiously missing in action at time of …
John Leyden, 25 Nov 2015

Sensitive Virgin Media web pages still stuck on weak crypto software

More than six months since The Register reported that Virgin Media had failed to move away from weak encryption software used on sensitive areas of its website – the ISP is yet to hit the upgrade button. In March, we flagged up security concerns to the Liberty Global-owned firm by pointing out that the RC4 stream cipher used …
Kelly Fiveash, 4 Oct 2015
Crypto fingers

Amazon just wrote a TLS crypto library in only 6,000 lines of C code

Amazon Web Services has released a new, open source library that implements TLS encryption – the standard behind the secure HTTPS web protocol – using far less code than the prevailing OpenSSL library. Dubbed s2n for "signal to noise," the new library comprises just over 6,000 lines of C code. By comparison, OpenSSL consists …
Compressed version of Log Jam

'Logjam' crypto bug could be how the NSA cracked VPNs

Updated A team led by Johns Hopkins crypto researcher Matthew Green* thinks they might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman crytography. In what's bound to be the next big branded bug, Green says servers that support 512-key “export-grade” Diffie-Hellman (DH) can be …

IETF updates TLS/SSL best practice guidance

Do: start rolling TLS 1.3, support TLS 1.2, and DTLS 1.2. Don't: negotiate sessions using TLS 1, TLS 1.1, SSL 2 or SSL 3. Those are the Internet Engineering Task Force's latest recommendations, set out in RFC 7525, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). …

Netflix's house of cards to be fortified with HTTPS appliance

Netflix will this year roll out HTTPS to keep customer's viewing habits secret. The streaming company's April earnings letter (PDF) says it will make the move because it "helps protect member privacy, particularly when the network is insecure, such as public wifi, and it helps protect members from eavesdropping by their ISP or …
Darren Pauli, 17 Apr 2015
Unlocked padlock

Hawk like an Egyptian: Google is HOPPING MAD over fake SSL certs

Updated Google says security biz MCS Holdings has created unauthorized SSL certificates for some Google-owned websites. Anyone with these dodgy certificates could, in theory, set up a web server that masquerades as a legit Google site, and redirect people to the fake site by hijacking their DNS. Chrome and the latest Firefox web …
Iain Thomson, 24 Mar 2015

FREAK show: Apple and Android SSL WIDE OPEN to snoopers

Security researchers are warning of a flaw in OpenSSL and Apple's SecureTransport – a hangover from the days when the US government was twitchy about the spread of cryptography. It's a flaw that allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections if you use a …
Iain Thomson, 3 Mar 2015

Zombie POODLE wanders in, cocks leg on TLS

Google might have taken POODLE to a distant country road, let it out and driven away fast, but according to Qualys, the vulnerability has returned, repurposed, as an attack on Transaction Layer Security (TLS). Designated CVE-2014-8730, the new attack vector exploits the same class of problem as POODLE: an error in the handling …
Random numbers

IETF takes rifle off wall, grabs RC4 cipher's collar, goes behind shed

The IETF is getting ready to finally kill off the venerable-but-vulnerable RC4 cipher. The group has issued a last call for comments before humming over a proposal that Internet-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS). It's a simple enough change, but in the wide world of the …

Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority

A new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting next year. The move will make it even more easier for people to run encrypted, secure HTTPS websites. Let’s Encrypt aims to provide an easier way to obtain and use a digital …
John Leyden, 18 Nov 2014

Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat

Poodle If you're using the popular OpenSSL open source cryptography library, you have more to worry about than the recently disclosed POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, project devs have warned. In addition to patching two POODLE-related bugs, new releases of OpenSSL issued on Wednesday also close …
Neil McAllister, 15 Oct 2014
3-rotor WWII Enigma

Microsoft thumbs nose at NSA, hardens crypto for Outlook, OneDrive

Microsoft has flipped the switch to activate stronger encryption on its OneDrive and Outlook.com cloud services as part of a broader effort to make it harder for the NSA and other spying agencies to snoop on its customers' data. Specifically, Outlook.com now supports TLS encryption on all connections to its servers, both …
Printed key

Net tech bods at IETF mull anti-NSA crypto-key swaps in future SSL

Standards stewards on the Internet Engineering Task Force (IETF) are planning to drop RSA key exchanges from TLS 1.3, the next revision of SSL. The technical body is instead eying up algorithms that use short-lived encryption keys, aka ephemeral keys, that can sidestep surveillance dragnets by the likes of the NSA. …
John Leyden, 8 May 2014

Create a news alert about tls, or find more stories about tls.

Biting the hand that feeds IT © 1998–2018