TLS

(get it in RSS or Atom)

The FREAK bug in TLS/SSL - what you need to know

The FREAK bug affects TLS/SSL, the security protocol that puts the S into HTTPS and the padlock in your browser's address bar.

Paul Ducklin explains in plain English...

Anatomy of a certificate problem - the "PrivDog" software in the spotlight

The bug's now fixed, but when software offers to make your secure transactions more secure...

...you don't expect things to work the other way around!

SSCC 187 - The cryptography edition [PODCAST]

chet-chat-logo-featured-250

Sophos expert John Shier sits in for regular presenter Chester Wisniewski in this episode.

John and Paul Ducklin dissect the latest security issues, which were dominated this week by some thorny matters of cryptography.

"Cheaper car insurance" dongle could lead to a privacy wreck

snapshot-250

You'd hope that the developers of a dongle that tracks your driving paid a lot of attention to computer security.

Or, in fact, any attention at all...

The worst password in the penitentiary - 60 Sec Security [VIDEO]

Here's this week's 60 Second Security video.

The latest news made educational and amusing...and it only takes a minute.

Mummy, my schoolbooks are spying on me! 60 Sec Security [VIDEO]

Here's our latest 60 Second Security video for your viewing pleasure.

The wry side of the week's news, in just a minute...

SSCC 165 - "U2 or not U2," that is the question [PODCAST]

It's Chet Chat time!

Here's this week's episode of our news-you-can-use security podcast...

Firefox sneaks out an "inbetweener" update, with security improvements rather than fixes

Usually, if everything goes according to plan, Firefox updates appear every six weeks.

But if needs must, Mozilla delivers in-between updates, too, and that's what has happened here, bumping Firefox from version 32.0 to 32.0.1.

Move over Heartbleed - here comes another SSL/TLS bug

buff-250

Which widely used open source SSL/TLS cryptographic library just recently fixed a critical bug caused by a buffer overflow?

(Hint. The software isn't OpenSSL and the vulnerability isn't Heartbleed.)

Apple ships OS X 10.9.2 - delivers on promise to patch SSL/TLS hole "very soon"

osx-250

Forget my unofficial patch for OS X!

Apple has done what it said, and delivered the latest update to Mavericks, numbered OS X 10.9.2, "very soon."

Anatomy of a "goto fail" - Apple's SSL bug explained, plus an unofficial patch for OS X!

gotofail-250

Apple just patched an SSL/TLS bug in iOS - but the flaw is not yet fixed in OS X.

Paul Ducklin comes to the rescue with explanations, mitigations, and even an unofficial patch! (For educational purposes only, you understand.)

Just how secure is that mobile banking app?

https-tablet-250

Security researcher Ariel Sanchez recently published a fascinating report on the sort of security you can expect if you do your internet banking on an iPhone or iPad.

The answer, sadly, seems to be, "Very little."

Serious Security: Google finds fake but trusted SSL certificates for its domains, made in France

ff-ssl-warn-250

Google just announced the discovery of a bunch of fake SSL certificates for some of its own domains. The bogus certificates were apparently signed by the certificate authority of the French Treasury.

Paul Ducklin looks at how this sort of blunder happens, and how spot if ever it happens to your company...

SSCC 125 - Happy hour, forward secrecy, $300 extortions and LG unrepentant [PODCAST]

sscc-125-thumb-250

Chet and Duck dig into the good and bad of the week's news, from the amusing "Happy Hour Virus", through Twitter's implementation of forward secrecy, to LG's data-grabbing TVs and the company's unamusingly casual attitude...

Twitter joins the "forward secrecy" club for added resistance to surveillance

padlock-250

Twitter is the latest high-traffic social networking site to announce that it has added an extra layer of protection known as "forward secrecy" to its web servers.

And the company didn't say "surveillance" or "NSA" once in its statement.

Microsoft leads the way, setting new cryptographic defaults

ts-cracked-250

Microsoft is upping its game with regards to cryptographic standards. By discontinuing support for the older, weak RC4 cipher and putting Certificate Authorities on note to migrate to SHA-2, it seems to be leading the way to be ready for the future, rather than reacting.

Anatomy of a cryptographic oracle - understanding (and mitigating) the BREACH attack

breach-250

A whole lot has been talked, over the past week, about BREACH, a newly-documented attack against HTTPS.

Paul Ducklin digs into the theory, shows how it works in practice, and suggests how to soften the blow...

Monday review - the hot 32 stories of the week

Monday review - the hot stories of the week

It's that time of the week again - here's your roundup of everything we wrote in the last seven days.

Has HTTPS finally been cracked? Five researchers deal SSL/TLS a biggish blow...

ts-cracked-250

Cryptographers have once again put SSL/TLS (that's the padlock in HTTPS) in their gunsights and opened fire.

This time, they've done some severe damage.

Paul Ducklin takes a detailed look...

SSCC 102 - Probably the best 15 minute security podcast you'll hear today

Sophos security Chet Chat podcast 102

Have your joined thousands of others, and become a loyal listener to the "Chet Chat" yet?

Here's the latest Naked Security podcast, Sophos Security Chet Chat 102, discussing a range of recent and newsworthy topics from the world of computer security.