Articles about ssl


It's a cert: Hundreds of big sites still unprepared for starring role in that Chrome 70's show

Hundreds of high-profile websites are still unprepared for the total disavowal of legacy Symantec-issued digital certificates that will kick in with the release of Chrome 70 next week.
John Leyden, 9 Oct 2018

TLS developers should ditch 'pseudo constant time' crypto processing

More than five years after cracks started showing in the Transport Layer Security (TLS) network crypto protocol, the author of the "Lucky 13" attack has poked holes in the fixes that were subsequently deployed. Back in 2013, University of London Royal Holloway professor Kenneth Paterson popped the then-current version of TLS …

Cisco let an SSL cert expire in its VPN kit – and broke network provisioning brokers

If your inter-office Cisco-powered VPN suddenly isn't working properly, there's an upcoming update you may need to install. The issue is specific to Switchzilla's Application Policy Infrastructure Controller Enterprise Module (APIC-EM), which is its software-defined networking controller for enterprise networks. It relies on …

GCHQ's infosec crew plans to 'scale up' Web Check to improve site security

Efforts to improve the's secure server setup are being ramped up through an expansion of a scheme from the National Cyber Security Centre, the infosec folk at British crypto and intel agency GCHQ. The web certificate set-up and …
John Leyden, 27 Mar 2018

Leading by example:'s secure server setup is patchy at best

The security of UK government websites is inconsistent, and local authorities are among the worst offenders. Ministers have for years spoken about making the UK "one of the most secure places in the world to do business in cyberspace", one component of which is making government services available online. The government also …
John Leyden, 20 Mar 2018

23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours. This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are …
John Leyden, 1 Mar 2018

law resources now untrustworthy, according to browsers

The SSL certificate on the criminal justice and court listing site expired yesterday, causing browsers to now warn users that their information is at risk. The site can still be accessed if users click through their browser's warnings, and contains resources on courts, procedure rules and offenders. It is …

Oops: LinkedIn country subdomains SSL cert just expired

Updated LinkedIn's country subdomain SSL certificate has expired – apparently as of about noon GMT today. According to the sslscan certificate testing tool, and all its altnames were no longer valid at the time of publication. The certificate issuer is DigiCert SHA2 Secure Server CA. The certificate for the naked …
Andrew Silver, 30 Nov 2017

Mozilla devs discuss ditching Dutch CA, because cryptowars

Concerns at the effect of The Netherlands' new security laws could result in the country's certificate authority being pulled from Mozilla's trust list. The nation's Information and Security Services Act will come into force in January 2018. The law includes metadata retention powers similar to those enacted in other countries …

Scotiabank internet whizzkids screw up their HTTPS security certs

The team behind Scotiabank's Digital Banking Unit isn't impressing some customers, after forgetting to renew the security certificates for their own website. The DBU was set up last year to sell "world class digital solutions" to electronic banking customers around the world. But Jason Coulls, CTO of food safety testing …
Iain Thomson, 8 Sep 2017

ARM’s embedded TLS library fixes man-in-the-middle fiddle

ARM's "mbed TLS" software can be tricked into an authentication bypass and needs a patch. Created by PolarSSL, which was acquired in February by ARM, mbed is a crypto library designed to make it easy for embedded system developers to add SSL/TLS capabilities to their products. As well as client-server models (that is, an …

123-reg resolves secure database access snafu

UK-based hosting and domains provider firm 123-reg has fixed an issue that meant access to some customers' databases ran over an unsecured link, creating a privacy risk in the process. A reader and 123-reg hosting customer got in touch over the issue after failing to get action directly from the hosting firm over the problem, …
John Leyden, 28 Jun 2017

Apple finally teaches Android music app to validate certificates

If you're so much an Apple fan that you run Apple Music on Android devices, there's an upgrade to patch against a man-in-the-middle vulnerability. Eight months ago, Canadian security researcher David Coomber discovered that Apple Music for Android 1.2.1 and older doesn't validate the SSL certificates presented when logging …

Are you undermining your web security by checking on it with the wrong tools?

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent US-CERT advisory have warned. The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on …
Kieren McCarthy, 17 Mar 2017

One IP address, multiple SSL sites? Beating the great IPv4 squeeze

We're fresh out of IPv4 addresses. Getting hold of a subnet from your average ISP for hosting purposes is increasingly difficult and expensive, even the public cloud providers are getting stingy. While we wait for IPv6 to become usable, there are ways to stretch out the IPv4 space. There are several big problems with IPv6 that …
Trevor Pott, 1 Mar 2017

What do you give a bear that wants to fork SSL? Whatever it wants!

Into a world already crowded with big name alternatives to OpenSSL, an indy project could look like “yet another SSL implementation,” but Vulture South suspects there are good reasons to take a close look at the just-launched BearSSL. One is that its author, Thomas Pornin, has ignored the kinds of legacy protocols that occupy …

User danger declines as two thirds of Chromistas now use HTTPS

Two in three web pages served over the world's favourite web browser Chrome are now secured with HTTPS, Google says. The good news applies to Chrome on the desktop and signifies progress in the long-hoped-for decline of insecure cleartext browsing. Chrome security bods Adrienne Porter Felt and Emily Schechter say all …
Darren Pauli, 7 Nov 2016

GlobalSign screw-up cancels top websites' HTTPS certificates

Final update GlobalSign's efforts as a root certificate authority have gone TITSUP this afternoon – that's a total inability to support usual protocols. The result is that many websites big and small have had their HTTPS certificates incorrectly scrapped, meaning that for some people their browsers no longer trust websites and refuse or …

Biting the hand that feeds IT © 1998–2018