ssl

Chrome will distrust SSL certificates generated by Symantec

I reviewed the headers of my IT Security News website https://www.itsecuritynews.info/ in order to add HSTS. This is what I can see in the headers.   The certificate used to load https://www.itsecuritynews.info/ uses an SSL certificate that will be distrusted in an upcoming release of Chrome. Once distrusted, users will be prevented from loading this resource. See https://g.co/chrome/symantecpkicerts for more information.   Source: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html Checking the article, I see some disturbing news:   Information For Site Operators Starting with Chrome 66, Chrome will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Chrome 66 is currently scheduled to be released…


Quoted in ECommerceTimes: Gmail to Warn Users of Unencrypted Email

Gmail to Warn Users of Unencrypted Email Author: Richard Adhikari   Quotes: The warning “will help in cases where hackers try to perform DNS poisoning while trying to infect or phish users visiting well-established websites,” security consultant Sorin Mustaca said.   Going with TLS is not necessarily the answer because “many emails would not reach their destination if the destination servers don’t support TLS,” security consultant Mustaca told the E-Commerce Times. Emails continue to be delivered because of opportunistic encryption. “Servers first try to establish a TLS connection and, if they don’t succeed, they continue communicating on unencrypted connections,” he explained.


No Picture

The mysterious OpenSSL vulnerability has been patched

No, it doesn’t have a name like Heartbleed or POODLE, it was “just” a denial-of-service. “Just” is by no means something to be ignored, but it is less dangerous with the previous vulnerabilities. All users of OpenSSL 1.0.2 should upgrade immediately to version 1.0.2a. In the advisory published on their website the OpenSSL vulnerability is called “ClientHello sigalgs DoS (CVE-2015-0291)”. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server. According to OpenSSL’s Security Policy, a “high…


No Picture

FREAK: All Windows versions are affected too

UPDATE on the FREAK vulnerability in SSL: it affects not only Android and iOS but all Windows versions too.   I wrote about the new SSL vulnerability called FREAK – Factoring RSA Export Keys – affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains, according to computer scientists at the University of Michigan. Android, iOS and a lot of embedded devices that make use of the affected SSL clients (including Open) are in danger of having their connections to vulnerable websites intercepted. The two most used operating systems for smartphones, tablets,…


No Picture

How to prevent SSL sniffing through fake certificate injection attack?

SSL stands for Secure Socket Layer and is an encryption protocol used to secure the communication on a network. SSL is used to encrypt the segment of network connections and it uses several methods to encrypt the data, depending on the goal which needs to be achieved: asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. A certificate injection attack misuses the first type of cryptography algorithms: asymmetric cryptographic algorithms. Asymmetric cryptography  system requires two separate keys, one to lock or encrypt the plaintext, and one to unlock or decrypt the cyphertext. Neither…


No Picture

Quoted in the IT Business Edge

http://www.itbusinessedge.com/cm/blogs/poremba/trustworthy-ssl-certificates/?cs=42832 As Sorin Mustaca, manager of international software development at Avira, explained to me: A Certificate Authority is, by common understanding, an entity having a trust level beyond any doubt. This means that in the case of digital certificates, a CA can generate certificates which are trusted by all parties involved in a communication. Any entity, private or corporate, is allowed to request such a digital certificate, the only proof required is an official identification document. This means that such a certificate can only guarantee that the entity you are communicating with is who she pretends to be. It doesn’t…


By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close