Washington Post: Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov. The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.
POODLE (Padding Oracle On Downgraded Legacy Encryption) is the latest exploit found in SSL, a protocol used widely across the Internet for secure connections. Engineers at Google discovered the exploit, and they have written a white paper discussing it. In response, Google is disabling SSL in all Google products. Some are calling this the death of SSL. For web users, disabling SSL in your browser is recommended. Here is a tool to identify if your browser is potentially affected by the POODLE exploit.
The Heartbleed Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. All of the above is a direct quote and authored by the fine folks at heartbleed.com. It may be worth noting that one of the measures recommended (and indeed a good idea) is certificate revocation. Unfortunately, certificate revocation has some problems.
Yesterday, Feb 21, Apple Computer released a security patch with a vague description of SSL fixes. It turns out that it's quite a bug, which would trivially allow Man in the Middle attacks for assumed-secure connections via SSL. Folks dug into the code and found the code resulting in the bug. If this affects you and your devices, you might want to go upgrade.
SSL vs. The Universe: A few concessions were made in the creation and visualization of these materials. The Big Bang shown is simply an artistic interpretation of the event. Most experts agree that there was no giant “explosion” at the start of time. The math.
EFF's HTTPS Everywhere v2 adds support for Chrome and adds Decentralized SSL Observatory to the Firefox version.
Two days ago a user asked Google about a strange warning he was getting when trying to access Gmail from Iran. Turns out he was getting a fraudulent SSL certificate that was issued incorrectly for *.google.com by DigiNotar, a Dutch certificate authority. It seems likely this was a deliberate man-in-the-middle attack to snoop email in Iran. This attack is the second SSL certificate compromise in a year (previously), pointing to a fundamental design flaw in Internet security.
The circumstantial evidence suggests that the attack originated in Iran. Every time you see a little lock icon in your browser and are using HTTPS connections, odds are you're using a site whose certificate was signed by a Certificate Authority like VeriSign, Comodo, or Thawte. This week, SSL certificate provider Comodo announced that one of its accounts had been compromised. The attacker used the account to generate 9 bogus certificates to use for 7 well-known domains. While the breach was discovered and the certificates were revoked, it does raise questions about the chain of trust for all SSL certificates.
LastPass is the last password manager you'll ever need. Available on almost all common platforms, it's easy to use, and free.
Starting today, Starbucks is offering free wifi in all of their US and Canadian stores. This has computer security folks a little edgy, since it could allow hackers and computer miscreants new opportunities to steal the data of unsuspecting computer users, and prompted Steve Gibson, computer security guru, to advise people to "just be afraid. Be very afraid." This applies to people who use laptops, wifi-enabled cellphones and PDAs. But there are ways to protect yourself.
DVDs to save the music industry (video interview): Record producers discuss illegal downloads, home studios and why 5.1 DVD sound just might be the future.
Your Gmail account isn't secure. Announced at Defcon 16, Jay Beale's tool, The Middler (man-in-the-middle), steals session IDs from not only Gmail users, but LinkedIn, LiveJournal, Facebook, and presumably any site that uses a session-based cookie. Enable https permanently. (previously)
On May 13, security advisories published by Debian and Ubuntu revealed that, for over a year, their OpenSSL libraries had a major flaw in their CSPRNG, which is used by key generation functions in many widely-used applications, and which caused the "random" numbers produced to be extremely predictable. [lolcat summary]
What do a balding man with a unique talent, shopping carts, and Extended Validation SSL Certificates have in common? Well, this: Liberty Fillmore: The Cart Whisperer (YT). Won't you think of the carts and visit No More Abandoned Carts today?
Eudora Releases 5.1... an incremental release is seldom worth a post, but with 5.1 comes support for SSL! Which makes me very happy: our SysAdmin banned us from hooking up to our mail server until we had an e-mail client that was A) SSL-enabled and B) not a product of Microsoft... finally! I can get my corporate e-mail without having it forwarded to my Yahoo! e-mail account! : )