SSL

Facebook survives, Apple patches, and Naked Security wins! 60 Sec Security [VIDEO]

How harmless is that "Facebook shutting down on 29 February" hoax?

Is system reimaging really a security tool?

Find out this and more! 60 Sec Security - 01 Mar 2014

SSCC 136 - Apple's "goto fail", Neiman Marcus's logfiles, and Adobe's double update [PODCAST]

Chester ducks out of booth duties at the RSA 2014 conference in San Francisco to bring you this week's Chet Chat.

From Apple's SSL bug to Adobe's second-in-a-month emergency Flash update, Chet and Duck once again help you to learn from others' mistakes.

Apple ships OS X 10.9.2 - delivers on promise to patch SSL/TLS hole "very soon"

Forget my unofficial patch for OS X!

Apple has done what it said, and delivered the latest update to Mavericks, numbered OS X 10.9.2, "very soon."

Anatomy of a "goto fail" - Apple's SSL bug explained, plus an unofficial patch for OS X!

Apple just patched an SSL/TLS bug in iOS - but the flaw is not yet fixed in OS X.

Paul Ducklin comes to the rescue with explanations, mitigations, and even an unofficial patch! (For educational purposes only, you understand.)

Just how secure is that mobile banking app?

Security researcher Ariel Sanchez recently published a fascinating report on the sort of security you can expect if you do your internet banking on an iPhone or iPad.

The answer, sadly, seems to be, "Very little."

Patching by Microsoft, spoofing Google and launching nukes - 60 Sec Security [VIDEO]

How fast is fast enough for a patch? Should you trust the French Treasury? How many zeros launch a missile?

Watch 60 Sec Security and find out!

Serious Security: Google finds fake but trusted SSL certificates for its domains, made in France

Google just announced the discovery of a bunch of fake SSL certificates for some of its own domains. The bogus certificates were apparently signed by the certificate authority of the French Treasury.

Paul Ducklin looks at how this sort of blunder happens, and how to spot it if it ever happens to your company...

Twitter joins the "forward secrecy" club for added resistance to surveillance

Twitter is the latest high-traffic social networking site to announce that it has added an extra layer of protection known as "forward secrecy" to its web servers.

And the company didn't say "surveillance" or "NSA" once in its statement.

Yahoo (finally!) to make SSL encryption the default for webmail

In January this year, after a head-scratchingly long time, Yahoo Mail finally rolled out the option of protecting users' privacy with HTTPS. It's now confirmed it'll make it the default setting on 8 January 2014.

Cheeky Lavabit *did* hand over crypto keys to US government after all - printed in a 4-point font

Just under two months ago, we wrote about the mysterious closure of Edward Snowden's secure email service, Lavabit.

With the unsealing of US court documents, a fascinating (and cheeky) cryptographic tale has emerged...

Anatomy of a cryptographic oracle - understanding (and mitigating) the BREACH attack

A whole lot has been said over the past week about BREACH, a newly documented attack against HTTPS.

Paul Ducklin digs into the theory, shows how it works in practice, and suggests how to soften the blow...

Monday review - the hot 22 stories of the week

Did you miss anything in the past week?

Here's a recap of the hot 22 stories of the past seven days, so you can catch up quickly!

Ruby + OpenSSL && sprintf() == 2009-style Man-in-the-Middle?

If you have web-facing code written in Ruby, and you support SSL (which you do, right?), be sure to patch as soon as you can, to avoid falling victim to what seems very much like a four-year-old flaw...

Google's certificate announcement contains a hidden surprise for Windows XP users

Are you an IT administrator still caring for Windows XP computers that are running Internet Explorer?

Google's latest announcement brings another good reason to upgrade your systems or switch to an alternative browser.

Anatomy of a change - Google announces it will double its SSL key sizes

Google just announced that its secure web pages will be ditching 1024-bit RSA keys in favour of 2048 bits.

We look at the lessons to be learned from the whats, the whys and the wherefores of this change...

Monday review - the hot 32 stories of the week

It's that time of the week again - here's your roundup of everything we wrote in the last seven days.

Has HTTPS finally been cracked? Five researchers deal SSL/TLS a biggish blow...

Cryptographers have once again put SSL/TLS (that's the padlock in HTTPS) in their gunsights and opened fire.

This time, they've done some severe damage.

Paul Ducklin takes a detailed look...

SSCC 102 - Probably the best 15 minute security podcast you'll hear today

Have you joined thousands of others and become a loyal listener to the "Chet Chat" yet?

Here's the latest Naked Security podcast, Sophos Security Chet Chat 102, discussing a range of recent and newsworthy topics from the world of computer security.

Boffins 'crack' HTTPS encryption in Lucky Thirteen attack

The security of web transactions is again in the spotlight as a pair of UK cryptographers take aim at TLS.

Like 2011's much-talked-about BEAST attack, it has a groovy name: Lucky Thirteen.

Do programmers understand the meaning of PRIVATE?

Public-key encryption relies on a pair of cryptographic keys, one public and the other private.

You'd think that programmers would be able to tell which one to keep private and which one to make public, wouldn't you?