Convergence

(get it in RSS or Atom)

Turkish Certificate Authority screwup leads to attempted Google impersonation

shutterstock_brokenpadlock250

Another Certificate Authority has been caught out having issued certificates that were being used to impersonate Google. Does the SSL padlock not mean we are safe anymore?

SSL certificate safety bolstered by standards that lessen dependence on CAs

SSL certificate safety bolstered by standards that lessen dependence on CAs

Two new proposals have been submitted to the IETF attempting to fix some of the trust problems inherent in the current SSL certificate system used to secure our online communications.

SSL authenticity evolution

GrrCONMoxie250

After attending the annual GrrCON in Grand Rapids, Michigan I thought I would share my thoughts on the keynote address delivered by Moxie Marlinspike. Moxie detailed the problems with the existing certificate authority system and proposed his ideas for a solution.

Operation Black Tulip: Fox-IT's report on the DigiNotar breach

CCPhotography_GalBlackTulip245

A preliminary report was released today by Fox-IT, the security team investigating the attack against certificate authority DigiNotar. Many interesting details are included about the hack, including more indications that it primarily affected Iranian users.

Falsely issued Google SSL certificate in the wild for more than 5 weeks

Close-up of a lock icon on a computer keyboard button.  Blue-toned.

A rogue certificate was found in the wild more than a month after it was issued allowing someone to masquerade as SSL enabled Google services. Where did this certificate come from, who was using it and what can you do to protect yourself?

DEFCON 2011: SSL and the future of authenticity

CCMoxie-JoeShlabotnik245

Moxie Marlinspike proposed a solution to the ongoing trust problems in the SSL protocol. Marlinspike's solution, Convergence, uses a series of notaries to provide a framework for detecting man-in-the-middle attacks while eliminating the need to purchase digital certificates or rely on certificate authorities.

SSCC 70 - Patch Tuesday, insulin pump hacking, Android patching, ChromeOS hacking, archiving our digital past

Sophos Security Chet Chat 41

Vanja Svajcer joins Chester Wisniewski to discuss the papers and demos they attended at last week's Black Hat and DEFCON conferences. Topics covered include Android patch cycles, Fixing the SSL CA problem, insulin pump hacking, Google ChromeOS flaws and archiving our digital past.