Tag: ssl

  • POODLE is the brown M&Ms of security

    Just because it won’t be exploited, doesn’t mean you shouldn’t patch it. There is a famous story about the rock band Van Halen whose lists of requirements when performing a show included some M&Ms — but “absolutely no brown ones”. The story is true and has little to do with childish rock star behaviour. The…

  • FREAK attack takes HTTPS connections back to 1990s security

    Golden keys from the (first) crypto wars have come back to haunt us. When a web client makes a secure connection to a web server (using HTTPS), it starts by sending a ‘Hello’ message in which it announces which cipher suites it supports. The web server then chooses one, presumably the one that offers the…

  • Book review: Bulletproof SSL and TLS

    Must-read for anyone working with one of the Internet’s most important protocols. I was reading Ivan Ristić’s book Bulletproof SSL and TLS when rumours started to appear about an attack against SSL 3.0, which would soon become commonly known as the ‘POODLE’ attack. Thanks to the book, I was quickly able to read…

  • POODLE attack forces the Internet to move away from SSL 3.0

    Users and administrators urged to stop supporting the protocol, or at least to prevent downgrade attacks. After Heartbleed and Shellshock, or the SSL/TLS attacks CRIME and BEAST, ‘POODLE’ does sound rather cute. Yet the vulnerability in version 3.0 of the SSL protocol that was disclosed by Google researchers yesterday is fairly serious and shouldn’t be…

  • 1 in 500 secure connections use forged certificate

    For reasons ranging from relatively good, to actual malware. Researchers from Facebook and Carnegie Mellon University have published a paper (PDF) in which they show that out of a sample of over 3 million secure connections to Facebook, 0.2% used a forged SSL certificate. SSL and its successor TLS are encryption protocols…

  • OpenSSL vulnerability lets attackers quietly steal servers’ private keys

    Security firm advises regenerating keys and replacing certificates on vulnerable servers. A very serious vulnerability in OpenSSL has caused panic among network administrators: CVE-2014-0160 allows an attacker to read the memory of a vulnerable server and thus obtain private encryption keys, passwords and other kinds of sensitive information. OpenSSL is a widely used open-source implementation…

  • Iranians spied on using rogue DigiNotar certificates

    Fake certificates signed for CIA, Mossad, Google, Facebook. It is likely that Iranian Internet users have been spied on following a hack discovered at Dutch certificate authority (CA) DigiNotar last week, according to Trend Micro. In July, a hack at DigiNotar resulted in a large number of fake SSL certificates being issued for popular…

  • Rogue SSL certificates issued for popular websites

    Certificates revoked, but browsers still need to be updated. Comodo, a major vendor of SSL certificates, has admitted that one of its affiliates’ servers was hacked, leading to nine rogue SSL certificates being issued for popular domains. SSL (secure socket layer) allows for traffic over the Internet that cannot be intercepted by…

  • Symantec to acquire VeriSign business

    Vendor splashes out more cash on authentication. Symantec, the AV vendor with a reputation for snapping up other companies, has announced its purchase of VeriSign’s authentication services business. The $1.28 billion cash deal – expected to close in the quarter ending in September – follows hot on the heels of two other encryption-related…