Cheeky Lavabit *did* hand over crypto keys to US government after all - printed in a 4-point font


Just under two months ago, we wrote about the mysterious closure of Edward Snowden's secure email service, Lavabit.

With the unsealing of US court documents, a fascinating (and cheeky) cryptographic tale has emerged...

Anatomy of a cryptographic oracle - understanding (and mitigating) the BREACH attack


A whole lot has been talked, over the past week, about BREACH, a newly-documented attack against HTTPS.

Paul Ducklin digs into the theory, shows how it works in practice, and suggests how to soften the blow...

Monday review - the hot 22 stories of the week


Did you miss anything in the past week?

Here's a recap of the hot 22 stories of the past seven days, so you can catch up quickly!

Ruby + OpenSSL && sprintf() == 2009-style Man-in-the-Middle?


If you have web-facing code written in Ruby, and you support SSL (which you do, right?), be sure to patch as soon as you can, to avoid falling victim to what seems very much like a four-year-old flaw...

Google's certificate announcement contains a hidden surprise for Windows XP users

Are you an IT administrator still caring for Windows XP computers that are running Internet Explorer?

Google's latest announcement brings another good reason to upgrade your systems or switch to an alternative browser.

Anatomy of a change - Google announces it will double its SSL key sizes


Google just announced that its secure web pages will be ditching 1024-bit RSA keys in favour of 2048 bits.

We look at the lessons to be learned from the whats, the whys and the wherefores of this change...

Monday review - the hot 32 stories of the week

It's that time of the week again - here's your roundup of everything we wrote in the last seven days.

Has HTTPS finally been cracked? Five researchers deal SSL/TLS a biggish blow...


Cryptographers have once again put SSL/TLS (that's the padlock in HTTPS) in their gunsights and opened fire.

This time, they've done some severe damage.

Paul Ducklin takes a detailed look...

SSCC 102 - Probably the best 15 minute security podcast you'll hear today

Have you joined thousands of others, and become a loyal listener to the "Chet Chat" yet?

Here's the latest Naked Security podcast, Sophos Security Chet Chat 102, discussing a range of recent and newsworthy topics from the world of computer security.

Boffins 'crack' HTTPS encryption in Lucky Thirteen attack

The security of web transactions is again in the spotlight as a pair of UK cryptographers take aim at TLS.

Like 2011's much-talked-about BEAST attack, it has a groovy name: Lucky Thirteen.

Do programmers understand the meaning of PRIVATE?

Public-key encryption relies on a pair of cryptographic keys, one public and the other private.

You'd think that programmers would be able to tell which one to keep private and which one to make public, wouldn't you?

Using Yahoo Mail? You should turn on this privacy option as soon as possible

Yahoo (finally!) to make SSL encryption the default for webmail

It has taken Yahoo a ridiculously long time, but it is finally rolling out an option that will help protect users' privacy when accessing their web-based email - HTTPS.

The TURKTRUST SSL certificate fiasco - what really happened, and what happens next?

Was the TURKTRUST SSL fiasco an abortive attempt at secret surveillance, or a blundering crisis of convenience?

Paul Ducklin takes stock of the situation...

Monday review - the hot 17 stories of the week

OK, these aren't just the hot 17 stories of the past week, but of the two weeks before that, too.

If, like us, you've been enjoying some downtime over the Christmas and New Year holidays, here's your quickest way to get back up to speed with Naked Security...

Facebook finally enables HTTPS by default, we give away free T-shirts to celebrate

Thumbs up to Facebook, which has announced it is finally enabling HTTPS by default for its users.

We celebrate by giving away some T-shirts...

FTC smacks down security sloppiness by web analytics company Compete


The FTC has settled with web analytics company Compete, Inc. over poor security. Compete has agreed not to do it again, and to audit itself every two years for 20 years.

What do you think? Is that a stiff enough penalty? Have your say in our comments section...

Microsoft says "No!" to insecure certificate practices

Microsoft will be shipping an update as part of October's Patch Tuesday that will invalidate RSA certificates weaker than 1024 bits. If you are using old or weak certificates, now is the time to upgrade them to a more appropriate strength.

Police penalty-payment website makes amateurish coding errors


Trust is crucial for financial web transactions, which is why it is so important that legitimate organisations don't get sloppy with best practice.

Sophos Techknow - Understanding SSL


To many of us, SSL isn't much more than "the padlock in the browser." But how does it work? Who verifies SSL certificates? How do we know we can trust them? What happens if we realise we can't?

Duck and Chet discuss all this, and more, in this episode of the Techknow podcast.

Russian hacker's App Store fraud site adds Mac support

ZonD Eighty, the Russian hacker who brought App Store fraud to unjailbroken iPads and iPhones, has extended his "service" to OS X users.

Mac owners can now join their iDevice brethren in ripping off developers.