Articles about tls


PayPal reminds users: TLS 1.2 and HTTP/1.1 are no longer optional

PayPal has reminded merchants that they must support TLS 1.2 and HTTP/1.1 by June 30. The reason? That's the date the PCI Council mandated for those standards to come into effect. In this notice, PayPal warns: “You will need to verify that your environment supports TLS 1.2 and HTTP/1.1 and if necessary make appropriate …

It's time for TLS 1.0 and 1.1 to die (die, die)

As TLS 1.3 inches towards publication into the Internet Engineering Task Force's RFC series, it's a surprise to realise that there are still lingering instances of TLS 1.0 and TLS 1.1. The now-ancient versions of Transport Layer Security (dating from 1999 and 2006 respectively) are nearly gone, but stubborn enough that Dell …

GCHQ's infosec crew plans to 'scale up' Web Check to improve uk.gov site security

Efforts to improve the UK.gov's secure server setup are being ramped up through an expansion of a scheme from the National Cyber Security Centre, the infosec folk at British crypto and intel agency GCHQ. The web certificate set-up and …
John Leyden, 27 Mar 2018

Hurrah! TLS 1.3 is here. Now to implement it and put it into software

The ink has dried, so to speak, on TLS 1.3, so it's time for work developing software to implement the standard to begin in earnest. As we reported last week, now that the protocol's received the necessary consensus in the IETF, implementation “will require people to put in some effort to make it all work properly.” Vulture …

World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved

A much-needed update to internet security has finally passed at the Internet Engineering Task Force (IETF), after four years and 28 drafts. Internet engineers meeting in London, England, approved the updated TLS 1.3 protocol despite a wave of last-minute concerns that it could cause networking nightmares. TLS 1.3 won …
Kieren McCarthy, 23 Mar 2018

OpenSSL alpha adds TLS 1.3 support

Developers working with OpenSSL can finally start to work with TLS 1.3, thanks to the alpha version of OpenSSL 1.1.1 that landed yesterday. Getting TLS 1.3 into users' hands and working with infrastructure has been a long, slow process: the first version of its Internet-Draft dates back to April 2014, it reached version 23 in …

Let's Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers' domains

Let's Encrypt – an SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it's insecure in the context of many shared hosting providers. TLS-SNI is …
Thomas Claburn, 13 Jan 2018

Facebook helping devs keep up with TLS certificates

Facebook has expanded its year-old certificate transparency project to make it easier for developers to watch for dodgy certs. The Social Network™ first started offering tools so people didn't have to comb through transparency logs themselves. As the company noted in this post, the monitoring tool offered a search engine that …

Microsoft Dynamics 365 sandbox leaked TLS certificate's private parts

Another day, another credential found wandering without a leash: Microsoft accidentally left a Dynamics 365 TLS certificate and private key where they could leak, and according to the discoverer, took 100 days to fix the bungle. Matthias Gliwka, a Stuttgart-based software developer, discovered the slip while working with the …

IBM figures out it takes longer than a week to re-wire software

IBM has announced it will again try to wean its cloud off the known-to-be-insecure TLS 1.0 and 1.1, but will also keep them available for some services. Big Blue has to try again because its first attempt gave users just a week to prepare. Users quickly complained that was nowhere near enough time to set their houses in order …
Simon Sharwood, 29 Nov 2017

F5 DROWNing, not waving, in crypto fail

If you're an F5 BIG-IP sysadmin, get patching: there's a bug in the company's RSA implementation that can give an attacker access to encrypted messages. As the CVE assignment stated: “a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) …

SSL spy boxes on your network getting you down? But wait, here's an IETF draft to fix that

The Internet Engineering Task Force (IETF) has just put out a new draft for a standard that would enable folks to effectively bypass surveillance equipment on their networks to maintain secure connections. The working draft from three Cisco employees notes that so-called middleboxes – which intercept and decrypt connections – …

ARM’s embedded TLS library fixes man-in-the-middle fiddle

ARM's "mbed TLS" software can be tricked into an authentication bypass and needs a patch. Created by PolarSSL, which was acquired in February by ARM, mbed is a crypto library designed to make it easy for embedded system developers to add SSL/TLS capabilities to their products. As well as client-server models (that is, an …

Internet's backroom boffins' big brainwave: Put people first in future

The Internet Engineering Task Force is being asked to formally adopt its informal philosophy that when it comes to new standards and protocols, end users' needs must come first. The "best current practice" drawn up by Internet Architecture Board (IAB) member Mark Nottingham – currently in its fifth draft – states simply that …

Wait. What? The IBM cloud's APIs use insecure TLS1 crypto?

An email has gone out from IBM about its Bluemix cloud: after next Tuesday, the SoftLayer APIs will no longer accept connections encrypted with the ancient TLS 1.0. It's not quite a surprise that the 1990s-era protocol was still accepted: a great many services are still midway through their deprecation plans. To give just one …

Are you undermining your web security by checking on it with the wrong tools?

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent US-CERT advisory have warned. The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on …
Kieren McCarthy, 17 Mar 2017

GlobalSign screw-up cancels top websites' HTTPS certificates

Final update GlobalSign's efforts as a root certificate authority have gone TITSUP this afternoon – that's a total inability to support usual protocols. The result is that many websites big and small have had their HTTPS certificates incorrectly scrapped, meaning that for some people their browsers no longer trust websites and refuse or …

Unmasking malware in TLS connections? It can be done, say Cisco researchers

A group of researchers who work for Cisco* reckons malicious traffic in TLS tunnels can be spotted and blocked – without decrypting user traffic. That's good news in the corporate setting, because today's protection relies on the controversial approach of terminating the encryption to inspect the traffic. In this paper at …


Biting the hand that feeds IT © 1998–2018