
The OpenSSL "CVE-2015-1793" certificate verification bug - what you need to know


OpenSSL announced on Monday that it had a "high severity" update arriving in three days' time.

That's today, and the update is out. Paul Ducklin tells you what you need to know...

Anatomy of a certificate problem - the "PrivDog" software in the spotlight

The bug's now fixed, but when software offers to make your secure transactions more secure... don't expect things to work the other way around!

Serious Security: Google finds fake but trusted SSL certificates for its domains, made in France


Google just announced the discovery of a bunch of fake SSL certificates for some of its own domains. The bogus certificates were apparently signed by the certificate authority of the French Treasury.

Paul Ducklin looks at how this sort of blunder happens, and how to spot it if it ever happens to your company...

The TURKTRUST SSL certificate fiasco - what really happened, and what happens next?

Was the TURKTRUST SSL fiasco an abortive attempt at secret surveillance, or a blundering crisis of convenience?

Paul Ducklin takes stock of the situation...

Android developers - just how much can we trust them to do web security properly?

Six German academics have taken on the question, "Just how well-informed are Android developers, and how much can we trust them to do web security properly?"

It seems the answer is, "Not enough."

Sophos Techknow - Understanding SSL


To many of us, SSL isn't much more than "the padlock in the browser." But how does it work? Who verifies SSL certificates? How do we know we can trust them? What happens if we realise we can't?

Duck and Chet discuss all this, and more, in this episode of the Techknow podcast.

Apple fakery, DNS hack, DigiNotar, Linux, Wikileaks - 60 Sec Security


Lots of readers said they'd like to see our 'news-with-a-conscience' videos more than once a month.

So here you go. 60 Second Security, once every two weeks.

Firefox 6.0.2 fixes yet more DigiNotar certificate fallout


Firefox 6.0.2 has just come out, blocking even more browser certificates than Firefox 6.0.1, in yet more fallout from the mess caused by disgraced Dutch web security company DigiNotar.

DEFCON 2011: SSL and the future of authenticity


Moxie Marlinspike proposed a solution to the ongoing trust problems behind SSL certificates: the fact that a browser trusts any certificate signed by any of the hundreds of certificate authorities in its trust store. His proposal, Convergence, replaces that blanket trust with a set of independent notaries. A client compares the certificate it sees for a site with what several notaries observe for the same site from other points on the network; if they disagree, a man-in-the-middle is the likely explanation. The scheme detects such attacks without requiring anyone to purchase a digital certificate or rely on certificate authorities.
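The multi-perspective check at the heart of the notary idea, as an added example that is not Convergence's own code or protocol. It models a client that hashes the certificate it received, asks a handful of notaries what fingerprint they saw for the same host, and decides whether to trust the connection by majority or unanimity. The notary names, the host and the "certificate" bytes are constructed stand-ins; a real deployment would fetch the notaries' views over the network and would hash actual DER-encoded certificates.

```python
"""Notary-style, multi-perspective certificate verification (illustrative).

Added example, not Convergence's code. Instead of trusting a CA signature,
the client asks independent notaries which certificate fingerprint they
observed for a host and compares it with its own observation. An attacker
sitting only on the client's path cannot alter what notaries elsewhere see.
"""
import hashlib
from typing import Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes (hex)."""
    return hashlib.sha256(cert_der).hexdigest()


def check_with_notaries(observed_fp: str,
                        notary_views: Dict[str, Optional[str]],
                        min_notaries: int = 2,
                        require_unanimous: bool = False) -> dict:
    """Decide whether the locally observed certificate can be trusted.

    notary_views maps a notary name to the fingerprint it saw for the host,
    or None if that notary did not answer (timeout, host unreachable, ...).
    Verdicts:
      "insufficient"   - fewer than min_notaries answered; make no decision
      "trusted"        - enough notaries saw the same certificate we did
      "mitm_suspected" - notaries saw something else: likely interception
    """
    answers = {n: fp for n, fp in notary_views.items() if fp is not None}
    answering = len(answers)
    if answering < min_notaries:
        return {"verdict": "insufficient", "agreeing": 0, "answering": answering}

    agreeing = sum(1 for fp in answers.values() if fp == observed_fp)
    if require_unanimous:
        ok = agreeing == answering
    else:
        ok = agreeing * 2 > answering          # strict majority of answering notaries

    # Which notaries disagreed is useful for the user (and for spotting a bad notary).
    dissenters = sorted(n for n, fp in answers.items() if fp != observed_fp)
    return {"verdict": "trusted" if ok else "mitm_suspected",
            "agreeing": agreeing, "answering": answering,
            "dissenters": dissenters}


def demo() -> dict:
    """Run the check over constructed data and return the verdicts (hypothetical values)."""
    # Constructed stand-ins for DER certificates: the genuine one and an attacker's.
    genuine = fingerprint(b"constructed: genuine cert for example.org")
    forged = fingerprint(b"constructed: attacker cert for example.org")
    honest_notaries = {"notary-a": genuine, "notary-b": genuine, "notary-c": genuine}

    return {
        # Everyone sees the same certificate: nothing to worry about.
        "clean": check_with_notaries(genuine, honest_notaries),
        # Client's path is intercepted: client sees forged, notaries see genuine.
        "mitm": check_with_notaries(forged, honest_notaries),
        # One notary (or its path) is off; majority still carries, unanimity fails.
        "one_bad_majority": check_with_notaries(
            genuine, {**honest_notaries, "notary-b": forged}),
        "one_bad_unanimous": check_with_notaries(
            genuine, {**honest_notaries, "notary-b": forged}, require_unanimous=True),
        # Too few notaries reachable to say anything.
        "offline": check_with_notaries(genuine, {"notary-a": None, "notary-b": genuine}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result['verdict']:15s} "
              f"{result['agreeing']}/{result['answering']} notaries agree")
```

Two design points the passage implies but does not spell out: the threshold matters (unanimity treats a single faulty or malicious notary as an attack, a majority tolerates it), and an "insufficient" answer must stay distinct from "trusted", otherwise an attacker who can block the notaries gets a free pass.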