Articles about tls

Hawk like an Egyptian: Google is HOPPING MAD over fake SSL certs

Updated: Google says security biz MCS Holdings has created unauthorized SSL certificates for some Google-owned websites. Anyone with these dodgy certificates could, in theory, set up a web server that masquerades as a legit Google site, and redirect people to the fake site by hijacking their DNS. Chrome and the latest Firefox web …
Iain Thomson, 24 Mar 2015

FREAK show: Apple and Android SSL WIDE OPEN to snoopers

Security researchers are warning of a flaw in OpenSSL and Apple's SecureTransport – a hangover from the days when the US government was twitchy about the spread of cryptography. It's a flaw that allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections if you use a …
Iain Thomson, 3 Mar 2015

Zombie POODLE wanders in, cocks leg on TLS

Google might have taken POODLE to a distant country road, let it out and driven away fast, but according to Qualys, the vulnerability has returned, repurposed, as an attack on Transport Layer Security (TLS). Designated CVE-2014-8730, the new attack vector exploits the same class of problem as POODLE: an error in the handling …

IETF takes rifle off wall, grabs RC4 cipher's collar, goes behind shed

The IETF is getting ready to finally kill off the venerable-but-vulnerable RC4 cipher. The group has issued a last call for comments before humming over a proposal that Internet-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS). It's a simple enough change, but in the wide world of the …

Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority

A new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting next year. The move will make it even easier for people to run encrypted, secure HTTPS websites. Let’s Encrypt aims to provide an easier way to obtain and use a digital …
John Leyden, 18 Nov 2014

Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat

Poodle: If you're using the popular OpenSSL open source cryptography library, you have more to worry about than the recently disclosed POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, project devs have warned. In addition to patching two POODLE-related bugs, new releases of OpenSSL issued on Wednesday also close …
Neil McAllister, 15 Oct 2014

Microsoft thumbs nose at NSA, hardens crypto for Outlook, OneDrive

Microsoft has flipped the switch to activate stronger encryption on its OneDrive and Outlook.com cloud services as part of a broader effort to make it harder for the NSA and other spying agencies to snoop on its customers' data. Specifically, Outlook.com now supports TLS encryption on all connections to its servers, both …

Net tech bods at IETF mull anti-NSA crypto-key swaps in future SSL

Standards stewards on the Internet Engineering Task Force (IETF) are planning to drop RSA key exchanges from TLS 1.3, the next revision of SSL. The technical body is instead eying up algorithms that use short-lived encryption keys, aka ephemeral keys, that can sidestep surveillance dragnets by the likes of the NSA. …
John Leyden, 8 May 2014

OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts

Updated: Robin Seggelmann, the man who accidentally introduced the password-leaking Heartbleed bug into OpenSSL, says not enough people are scrutinizing the crucial cryptographic library. The Heartbleed flaw, which was revealed on Monday and sent shockwaves through the IT world all week, allows attackers to reach across the internet …
Chris Williams, 11 Apr 2014

Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug

Analysis: The password-leaking OpenSSL bug dubbed Heartbleed is so bad, switching off the internet for a while sounds like a good plan. A tiny flaw in the widely used encryption library allows anyone to trivially and secretly dip into vulnerable systems, from your bank's HTTPS server to your private VPN, to steal passwords, login …

FTC: Do SSL properly or we'll shove a microscope up you for decades

The US Federal Trade Commission (FTC) has forged settlement deals with a pair of companies accused of botching their SSL encryption and leaving people vulnerable to identity thieves. According to the watchdog, Fandango and Credit Karma failed to implement basic safeguards when sending highly sensitive personal information over …
Shaun Nichols, 28 Mar 2014

New design flaw found in crypto's TLS: Pretend to be a victim online

Security researchers have developed a new man-in-the-middle attack against the cryptographic protocol TLS – a protocol that is used to encrypt online banking and shopping, and other sensitive connections, to thwart eavesdroppers. The so-called Triple Handshake attack can, in certain conditions, outwit vital checks carried out …
John Leyden, 5 Mar 2014

Update your Mac NOW: Apple fixes OS X 'goto fail' SSL spying vuln

Apple has released OS X 10.9.2 which, you'll be delighted to know, improves the "accuracy" of the unread message count in Mail, and fixes the autofill feature in Safari among other little tweaks. It also just so happens to snap shut a gaping security vulnerability that potentially allowed hackers to hijack users' bank accounts …
Chris Williams, 25 Feb 2014

Apple Safari, Mail and more hit by SSL spying bug on OS X, fix 'soon'

Apple has admitted a bug in Mac OS X 10.9.1 allows hackers to intercept and decrypt SSL-encrypted network connections – and has promised to release a fix "very soon." Sensitive information, such as bank card numbers and account passwords, sent over HTTPS, IMAPS and other SSL-protected channels from vulnerable Mac computers …
Chris Williams, 23 Feb 2014

Update your iThings NOW: Apple splats scary SSL snooping bug in iOS

Updated: Apple has updated its mobile operating system iOS to patch a bug that blows apart the integrity of encrypted connections. Versions 7.0.6 and 6.1.6, available now for download, fix a vulnerability that could allow "an attacker with a privileged network position" to "capture or modify data in sessions protected by SSL/TLS," …
Chris Williams, 21 Feb 2014

Mandatory HTTP 2.0 encryption proposal sparks hot debate

Most Internet Engineering Task Force (IETF) debates pass unnoticed, because they're very dry and detailed. However, a suggestion that the HTTP 2.0 specification might mandate encryption – in a post-Snowden world – is too tasty an idea to go under the radar. The suggestion sparking the debate came from HTTPbis chair, Mark …

Gmail, Outlook.com and e-voting 'pwned' on stage in crypto-dodge hack

Black Hat 2013: Security researchers say they have developed an interesting trick to take over Gmail and Outlook.com email accounts - by shooting down victims' logout requests even over a supposedly encrypted connection. And their classic man-in-the-middle attack could be used to compromise electronic ballot boxes to rig elections, we're told …
John Leyden, 1 Aug 2013

Security damn well IS a dirty word, actually

Sysadmin blog: An interesting feature popped up on Ars Technica recently; website journo Nate Anderson discusses how he learned to crack passwords. The feature is good; good enough for me to flag it up despite that journalistic competition thing*. That said, the feature gently nudges – but does not explore – a few important points that …
Trevor Pott, 26 Mar 2013


Biting the hand that feeds IT © 1998–2017