PKI Consortium blog

OpenSSL High Severity Vulnerability
July 10, 2015 by Bruce Morton (Entrust) Attack DTLS Google MITM OpenSSL SSL/TLS Vulnerability
OpenSSL has announced a high severity vulnerability, CVE-2015-1793, which will require an upgrade to some OpenSSL installations. The vulnerability was discovered by Google personnel Adam Langley and David Benjamin on June 24, 2015. Google has been working on an alternative to OpenSSL called BoringSSL. This has allowed Google to reduce vulnerabilities in their installations, but is also a benefit to OpenSSL as issues have been reported. Note that BoringSSL is not impacted.

New Directions for Elliptic Curve Cryptography in Internet Protocols
June 24, 2015 by Rick Andrews ECC ECDSA IETF NIST RSA SSL/TLS
Last week I attended and presented at the National Institute of Standards and Technology (NIST) Workshop on Elliptic Curve Cryptography Standards. In NIST’s words, “The workshop is to provide a venue to engage the crypto community, including academia, industry, and government users to discuss possible approaches to promote the adoption of secure, interoperable and efficient elliptic curve mechanisms.” We began by discussing the reasons for holding this workshop. Speakers acknowledged that although there are no known issues with the current set of NIST curves, in some circles they are widely distrusted.

The Insecurity of Mobile Applications
June 11, 2015 by Rick Andrews Android Attack MITM OpenSSL SSL/TLS Vulnerability
Recently, we read about lots of SSL/TLS-related vulnerabilities found in mobile apps, which should come as no surprise. We were warned about this back in 2012 (see these studies). More warnings came in 2014 from CERT and FireEye. The Open Web Application Security Project (OWASP) listed “insufficient transport layer protection” as number three (#3) in its top 10 list of mobile security problems of 2014. Apps that don’t use SSL/TLS are particularly vulnerable, given the ease of reading and modifying unsecured traffic at Wi-Fi hot spots, for example.

Facebook Will Stop Supporting SHA-1 in October
June 8, 2015 by Ben Wilson Announcement SSL/TLS
On June 2, 2015, Facebook announced that it would stop supporting Facebook-connected apps that were signed with SHA-1, as of October 1, 2015. “These changes are part of a broader shift in how browsers and web sites encrypt traffic to protect the contents of online communications. Typically, web browsers use a hash function to create a unique fingerprint for a chunk of data or a message. This fingerprint is then digitally signed to prove that a message has not been altered or tampered with when passing through the various servers and systems between your computer and Facebook’s servers.

Server Name Indication and Fewer IP Addresses
June 2, 2015 by Bruce Morton (Entrust) Attack Chrome MITM SSL/TLS
You have a dilemma. You want to continue to deploy your web service but are running out of IPv4 addresses. You consider deploying multiple virtual servers that will use the same IP address. However, your thought is that you can only have one SSL certificate per IP address. How will you make your service secure? Server Name Indication (SNI) is an extension to the SSL/TLS protocol that allows the browser or client software to indicate which hostname it is attempting to connect to.

Practical Steps to Counter the Logjam Attack
May 26, 2015 by Kirk Hall (Entrust) Apple Attack Encryption Google MITM SSL/TLS Vulnerability
Another flaw has been found in the basic encryption algorithms that secure the Internet. This flaw, named the Logjam attack by its discoverers (researchers from various universities and companies), allows an attacker that can carry out man-in-the-middle (MitM) attacks to weaken the encryption used in secure connections (such as HTTPS, SSH, and VPNs). In theory, this means that an attacker (with sufficient resources) can break the encryption and read the “secure” traffic.

Why You Should Get Familiar With TLS If You Accept Credit Cards
April 28, 2015 by Billy VanCannon Encryption PDF SSL/TLS Vulnerability
The group that manages the Payment Card Industry Data Security Standard quietly announced in February that an imminent update was coming to its payment card and application requirements related to the use of the SSL encryption protocol. Since then, there has been growing concern among merchants about what the changes mean to them. The confusion among retailers generally can be boiled down to two questions: What will the new updates require me to do?

HTTP/2 Is Speedy and Secure
April 20, 2015 by Wayne Thayer Announcement Chrome Firefox Forward Secrecy Google HSTS IETF Microsoft Mozilla SSL/TLS Vulnerability
Since we last wrote about SSL/TLS performance, there has been a lot of activity in the IETF HTTP Working Group, resulting in the February announcement that the next version of HTTP has been approved. This is big news because it means that major SSL/TLS performance improvements are on the way.

Background

When your browser connects to a website today, it most likely uses the HTTP/1.1 protocol that was defined in 1999 in RFC 2616.

Extended Validation Builds Trust (Infographic)
April 15, 2015 by CA Security Council SSL/TLS

CA Security Council Report: Consumers Don’t Know Much About Security, But They Trust the Padlock and Green Bar When Shopping Online
April 13, 2015 by CA Security Council CASC EV Google Identity SSL/TLS
San Francisco – April 13, 2015 – The CA Security Council (CASC), an advocacy group committed to the advancement of the security of websites and online transactions, today released its 2015 Consumer Trust Survey which found that validation matters. While consumers are confused about some aspects of security, they recognize and trust the security that SSL brings to e-commerce sites. Fifty-three percent of respondents identify the padlock as adding confidence in an e-commerce site, with 42 percent associating the green bar and organization name in the URL with greater safety.