TLS

Move over Heartbleed - here comes another SSL/TLS bug

Which widely used open source SSL/TLS cryptographic library just recently fixed a critical bug caused by a buffer overflow?

(Hint. The software isn't OpenSSL and the vulnerability isn't Heartbleed.)

Apple ships OS X 10.9.2 - delivers on promise to patch SSL/TLS hole "very soon"

Forget my unofficial patch for OS X!

Apple has done what it said, and delivered the latest update to Mavericks, numbered OS X 10.9.2, "very soon."

Anatomy of a "goto fail" - Apple's SSL bug explained, plus an unofficial patch for OS X!

Apple just patched an SSL/TLS bug in iOS - but the flaw is not yet fixed in OS X.

Paul Ducklin comes to the rescue with explanations, mitigations, and even an unofficial patch! (For educational purposes only, you understand.)

Just how secure is that mobile banking app?

Security researcher Ariel Sanchez recently published a fascinating report on the sort of security you can expect if you do your internet banking on an iPhone or iPad.

The answer, sadly, seems to be, "Very little."

Serious Security: Google finds fake but trusted SSL certificates for its domains, made in France

Google just announced the discovery of a bunch of fake SSL certificates for some of its own domains. The bogus certificates were apparently signed by the certificate authority of the French Treasury.

Paul Ducklin looks at how this sort of blunder happens, and how to spot it if it ever happens to your company...

SSCC 125 - Happy hour, forward secrecy, $300 extortions and LG unrepentant [PODCAST]

Chet and Duck dig into the good and bad of the week's news, from the amusing "Happy Hour Virus", through Twitter's implementation of forward secrecy, to LG's data-grabbing TVs and the company's unamusingly casual attitude...

Twitter joins the "forward secrecy" club for added resistance to surveillance

Twitter is the latest high-traffic social networking site to announce that it has added an extra layer of protection known as "forward secrecy" to its web servers.

And the company didn't say "surveillance" or "NSA" once in its statement.

Microsoft leads the way, setting new cryptographic defaults

Microsoft is upping its game with regard to cryptographic standards. By discontinuing support for the older, weak RC4 cipher and putting Certificate Authorities on notice to migrate to SHA-2, it seems to be leading the way to be ready for the future, rather than reacting.

Anatomy of a cryptographic oracle - understanding (and mitigating) the BREACH attack

A whole lot has been talked, over the past week, about BREACH, a newly-documented attack against HTTPS.

Paul Ducklin digs into the theory, shows how it works in practice, and suggests how to soften the blow...

Monday review - the hot 32 stories of the week

It's that time of the week again - here's your roundup of everything we wrote in the last seven days.

Has HTTPS finally been cracked? Five researchers deal SSL/TLS a biggish blow...

Cryptographers have once again put SSL/TLS (that's the padlock in HTTPS) in their gunsights and opened fire.

This time, they've done some severe damage.

Paul Ducklin takes a detailed look...

SSCC 102 - Probably the best 15 minute security podcast you'll hear today

Have you joined thousands of others, and become a loyal listener to the "Chet Chat" yet?

Here's the latest Naked Security podcast, Sophos Security Chet Chat 102, discussing a range of recent and newsworthy topics from the world of computer security.

Boffins 'crack' HTTPS encryption in Lucky Thirteen attack

The security of web transactions is again in the spotlight as a pair of UK cryptographers take aim at TLS.

Like 2011's much-talked-about BEAST attack, it has a groovy name: Lucky Thirteen.

Sophos Techknow - Understanding SSL

To many of us, SSL isn't much more than "the padlock in the browser." But how does it work? Who verifies SSL certificates? How do we know we can trust them? What happens if we realise we can't?

Duck and Chet discuss all this, and more, in this episode of the Techknow podcast.

SSL certificate safety bolstered by standards that lessen dependence on CAs

Two new proposals have been submitted to the IETF attempting to fix some of the trust problems inherent in the current SSL certificate system used to secure our online communications.

Researchers take another crack at SSL

Just how unique is your private key?

Is there a chance that someone else, without any malice aforethought, might unexpectedly end up with a key pair that is identical or at least dangerously similar to yours?

Another certificate authority issues dangerous certificates

Mozilla has revoked the signing privileges of another certificate authority for issuing weak and incomplete SSL/TLS certificates.

SSCC 74 - fighting hi-tech crime, Kelihos botnet, iCode for USA, Amazon Silk tablet, Mac malware and the BEAST

This week, Chet and Paul Ducklin discuss the interesting and important topics of the past week: fighting hi-tech crime, tackling the Kelihos botnet, taking on zombified home users, examining the risks of Amazon's new Silk tablet, and understanding the BEAST!

Secure web browsing cracked by BEAST

A pair of researchers have unveiled a serious new attack on web browser security.

The ability to crack encrypted web traffic removes the safety net that protects you when you're doing sensitive online tasks like banking or using credit cards.

Operation Black Tulip: Fox-IT's report on the DigiNotar breach

A preliminary report was released today by Fox-IT, the security team investigating the attack against certificate authority DigiNotar. Many interesting details are included about the hack, including more indications that it primarily affected Iranian users.