SSL

(get it in RSS or Atom)

Do programmers understand the meaning of PRIVATE?

Public-key encryption relies on a pair of cryptographic keys, one public and the other private.

You'd think that programmers would be able to tell which one to keep private and which one to make public, wouldn't you?

Using Yahoo Mail? You should turn on this privacy option as soon as possible

Yahoo (finally!) to make SSL encryption the default for webmail

It has taken Yahoo a ridiculously long time, but it is finally rolling out an option that will help protect users' privacy when accessing their web-based email - HTTPS.

The TURKTRUST SSL certificate fiasco - what really happened, and what happens next?

The TURKTRUST SSL certificate fiasco - what happened, and what happens next?

Was the TURKTRUST SSL fiasco an abortive attempt at secret surveillance, or a blundering crisis of convenience?

Paul Ducklin takes stock of the situation...

Monday review - the hot 17 stories of the week

OK, these aren't just the hot 17 stories of the past week, but of the two weeks before that, too.

If, like us, you've been enjoying some downtime over the Christmas and New Year holidays, here's your quickest way to get back up to speed with Naked Security...

Facebook finally enables HTTPS by default, we give away free T-shirts to celebrate

Facebook finally enables HTTPS by default, we give away free T-shirts to celebrate

Thumbs up to Facebook, which has announced it is finally enabling HTTPS by default for its users.

We celebrate by giving away some T-shirts..

FTC smacks down security sloppiness by web analytics company Compete

ftc-250-blue

The FTC has settled with web analytics company Compete, Inc. over poor security. Compete has agreed not to do it again, and to audit itself every two years for 20 years.

What do you think? Is that a stiff enough penalty? Have your say in our comments section...

Microsoft says "No!" to insecure certificate practices

Microsoft says "No!" to insecure certificate practices

Microsoft will be shipping an update as part of October's Patch Tuesday that will invalidate RSA certificates weaker than 1024 bits. If you are using old or weak certificates now is the time to upgrade them to a more appropriate strength.

Police penalty-payment website makes amateurish coding errors

police

Trust is crucial for financial web transactions, which is why it is so important that legitimate organisations don't get sloppy with best practice.

Sophos Techknow - Understanding SSL

techknow-logo-250-150

To many of us, SSL isn't much more than "the padlock in the browser." But how does it work? Who verifies SSL certificates? How do we know we can trust them? What happens if we realise we can't?

Duck and Chet discuss all this, and more, in this episode of the Techknow podcast.

Russian hacker's App Store fraud site adds Mac support

Russian hacker's App Store fraud site adds Mac support

ZonD Eighty, the Russian hacker who brought App Store fraud to unjailbroken iPads and iPhones, has extended his "service" to OS X users.

Mac owners can now join their iDevice brethren in ripping off developers.

Apple's App Store bypassed by Russian hacker, leaving developers out of pocket

Apple's App Store bypassed by Russian hacker, leaving developers out of pocket

A Russian hacker has created a website you can use to make fraudulent in-app purchases on your iPad or your iPhone.

This is a pretty big blow to Apple - especially at a time when it is facing criticism for some of the stuff it lets into the App Store in the first place.

SSL certificate safety bolstered by standards that lessen dependence on CAs

SSL certificate safety bolstered by standards that lessen dependence on CAs

Two new proposals have been submitted to the IETF attempting to fix some of the trust problems inherent in the current SSL certificate system used to secure our online communications.

Researchers take another crack at SSL

Researchers take another crack at SSL

Just how unique is is your private key?

Is there a chance that someone else, without any malice aforethought, might unexpectedly end up with a key pair that is identical or at least dangerously similar to yours?

HTTPS enabled by default - nice one Twitter!

HTTPS enabled by default - nice one Twitter!

Twitter announces that it has enabled HTTPS/SSL by default - a great step for protecting users' privacy.

Another certificate authority issues dangerous certficates

iStock_VoidStamp250

Mozilla has revoked the signing privileges of another certificate authority for issuing weak and incomplete SSL/TLS certificates.

SSCC 74 - fighting hi-tech crime, Kelihos botnet, iCode for USA, Amazon Silk tablet, Mac malware and the BEAST

Sophos Security Chet Chat

This week, Chet and Paul Ducklin discuss the interesting and important topics of the past week: fighting hi-tech crime, tackling the Kelihos botnet, taking on zombified home users, examining the risks of Amazon's new Silk tablet, and understanding the BEAST!

Amazon Kindle Fire's Silk browser sounds privacy alarm bells

KindleFire250

Amazon announced their new Kindle Fire tablet today, including a new accelerated web browser Silk. Can making the web faster threaten our privacy?

SSL authenticity evolution

GrrCONMoxie250

After attending the annual GrrCON in Grand Rapids, Michigan I thought I would share my thoughts on the keynote address delivered by Moxie Marlinspike. Moxie detailed the problems with the existing certificate authority system and proposed his ideas for a solution.

Secure web browsing cracked by BEAST

Trogdor

A pair of researchers have unveiled a serious new attack on web browser security.

The ability to crack encrypted web traffic removes the safety net that protects you when you're doing sensitive online tasks like banking or using credit cards.

Apple fakery, DNS hack, DigiNotar, Linux, Wikileaks - 60 Sec Security

60ss-20110913-250

Lots of readers said they'd like to see our 'news-with-a-conscience' videos more than once a month.

So here you go. 60 Second Security, once every two weeks.