In January this year, after a head-scratchingly long time, Yahoo Mail finally rolled out the option of protecting users' privacy with HTTPS. It's now confirmed it'll make it the default setting on 8 January 2014.
Just under two months ago, we wrote about the mysterious closure of Edward Snowden's secure email service, Lavabit.
With the unsealing of US court documents, a fascinating (and cheeky) cryptographic tale has emerged...
A whole lot has been talked, over the past week, about BREACH, a newly-documented attack against HTTPS.
Paul Ducklin digs into the theory, shows how it works in practice, and suggests how to soften the blow...
Did you miss anything in the past week?
Here's a recap of the hot 22 stories of the past seven days, so you can catch up quickly!
If you have web-facing code written in Ruby, and you support SSL (which you do, right?), be sure to patch as soon as you can, to avoid falling victim to what seems very much like a four-year-old flaw...
Are you an IT administrator still caring for Windows XP computers that are running Internet Explorer?
Google's latest announcement brings another good reason to upgrade your systems or switch to an alternative browser.
Google just announced that its secure web pages will be ditching 1024-bit RSA keys in favour of 2048 bits.
We look at the lessons to be learned from the whats, the whys and the wherefores of this change...
It's that time of the week again - here's your roundup of everything we wrote in the last seven days.
Cryptographers have once again put SSL/TLS (that's the padlock in HTTPS) in their gunsights and opened fire.
This time, they've done some severe damage.
Paul Ducklin takes a detailed look...
Have you joined thousands of others, and become a loyal listener to the "Chet Chat" yet?
Here's the latest Naked Security podcast, Sophos Security Chet Chat 102, discussing a range of recent and newsworthy topics from the world of computer security.
The security of web transactions is again in the spotlight as a pair of UK cryptographers take aim at TLS.
Like 2011's much-talked-about BEAST attack, it has a groovy name: Lucky Thirteen.
Public-key encryption relies on a pair of cryptographic keys, one public and the other private.
You'd think that programmers would be able to tell which one to keep private and which one to make public, wouldn't you?
It has taken Yahoo a ridiculously long time, but it is finally rolling out an option that will help protect users' privacy when accessing their web-based email - HTTPS.
Was the TURKTRUST SSL fiasco an abortive attempt at secret surveillance, or a blundering crisis of convenience?
Paul Ducklin takes stock of the situation...
Thumbs up to Facebook, which has announced it is finally enabling HTTPS by default for its users.
We celebrate by giving away some T-shirts...
The FTC has settled with web analytics company Compete, Inc. over poor security. Compete has agreed not to do it again, and to audit itself every two years for 20 years.
What do you think? Is that a stiff enough penalty? Have your say in our comments section...
Microsoft will be shipping an update as part of October's Patch Tuesday that will invalidate RSA certificates weaker than 1024 bits. If you are using old or weak certificates, now is the time to upgrade them to a more appropriate strength.
Trust is crucial for financial web transactions, which is why it is so important that legitimate organisations don't get sloppy with best practice.