recentpopularlog in

mcherm : ssl   55

Troy Hunt: Extended Validation Certificates are Dead
Unless you are a bank there is no reason to use Extended Validation SSL certificates.
web  security  ssl  internet  via:HackerNews 
december 2018 by mcherm
Why TLS 1.3 isn't in browsers yet - A Problem with Standards
Many interesting points; my favorite is that they found that any value designed to be changeable in future versions (but not changing in practice) "rusts in place" as systems are introduced that depend on it not changing. So they tried a new protocol that puts random values in these places to prevent future issues!
standards  ssl  via:HackerNews 
november 2018 by mcherm
The Illustrated TLS 1.3 Connection: Every Byte Explained
Every byte of a TLS 1.3 connection explained. Look at the amount of backward-compatible cruft. This is what it is like to live in reality.
internet  ssl  via:HackerNews 
november 2018 by mcherm
Troy Hunt: The 6-Step "Happy Path" to HTTPS
Here are instructions on all the special headers and stuff to use to force HTTPS.
ssl  security  via:HackerNews  webdevelopment 
october 2017 by mcherm
Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates - Google Groups
Google Chrome is going to gradually give less trust to SSL certs issued by Symantec because they've really abused and misused the system (but can't be cut off because they have 30% of all certificates).
internet  ssl  chrome 
march 2017 by mcherm
MD5 considered harmful today
MD5 collisions were proven (in 2008) to actually be exploitable to create fake trusted SSL certs.
cryptography  security  ssl 
february 2017 by mcherm
Certified Malice – text/plain
Let's encrypt allows phishing sites to have SSH certs. How best to solve this? Maybe use several different signals for site reputation?
security  browsers  ssl  internet  lets_encrypt  phishing  via:HackerNews 
january 2017 by mcherm
New – AWS Certificate Manager – Deploy SSL/TLS-Based Apps on AWS | AWS Blog
Appears AWS will offer free SSL certificates. I should look into this for my blog.
blogging  aws  s3  https  ssl  security  todo 
december 2016 by mcherm
Industry Concerns about TLS 1.3 | Hacker News
Banks object to a proposal that would remove their ability to MITM their own employees. People respond to that objection (some of them with sensible, well-considered comments).
security  ssl  via:HackerNews 
october 2016 by mcherm
Firefox ready to block certificate authority that threatened Web security | Ars Technica
Well, the folks at Firefox officially got upset at a really bad Chinese certificate authority. But will that actually have any effect?
september 2016 by mcherm
HTTPS Results in 7% Google AdX Revenue Drop | Rome2rio Blog
Some advertisers don't support HTTPS so ad revenue dropped 7% when they switched to https-only.
advertising  google  ssl  via:HackerNews 
may 2016 by mcherm
Padding oracles and the decline of CBC-mode cipher suites
Why CBC mode is unsafe, explained very carefully and clearly along with some history.
cryptography  security  ssl  via:HackerNews  history 
february 2016 by mcherm
HTTPS provides more than just privacy
A list of good reasons why your site you should use https instead of just HTTP.
internet  ssl  cryptography  via:HackerNews 
january 2016 by mcherm
Google Online Security Blog: Sustaining Digital Certificate Security
Symantec produced fake certificates for opera,, and others. Thousands of fake certs, and they "have no idea how that could have happened". As a result, Google Chrome will stop trusting Symantec unless they take certain transparency measures.
via:boingboing  ssl  security  google 
november 2015 by mcherm
How to Protect Yourself from NSA Attacks on 1024-bit DH | Electronic Frontier Foundation
EFF tells us how to avoid NSA listening now that we realize they've probably broken 1024-bit Diffie-Hellman key exchange for certain commonly used primes. Basically, they said use 2048 bit encryption instead.
eff  security  ssl  nsa  privacy  cryptography 
october 2015 by mcherm
Days without an SSL exploit
A list of SSL exploits. A bit overdone, in my opinion: I don't think all of these are so bad, but it's something.
security  ssl 
november 2014 by mcherm
CREAM: the scary SSL attack you’ve probably never heard of
Just a talk about timing attacks on SSL to extract keys by closely observing the response time of code that is not constant-time.
cryptography  security  ssl 
november 2014 by mcherm
Why Google is Hurrying the Web to Kill SHA-1
Nice writeup of the situation intended for a non-technical audience.
cryptography  google  ssl  via:HackerNews 
september 2014 by mcherm
Google Online Security Blog: Gradually sunsetting SHA-1
Googly has a plan for Chrome to start gradually trusting certs signed by SHA-1 less and less to persuade people to move off them.
security  cryptography  ssl  google  chrome  via:HackerNews 
september 2014 by mcherm
ImperialViolet - No, don't enable revocation checking
SSL cert revocation lists are too big to store with every browser. Checking every time is so unreliable that browsers don't treat failures as fails.
security  ssl  cryptography  internet  via:HackerNews 
april 2014 by mcherm
Lauren Weinstein's Blog: No, I Don't Trust You! -- One of the Most Alarming Internet Proposals I've Ever Seen
Proposal for SSL 2 to build in the ability to spy on people's "secure" connections. Commentators say it isn't so bad because in SSL2 *all* connections are encrypted and this applies only to those that were formerly http.
internet  security  via:HackerNews  ssl 
february 2014 by mcherm
How secure is HTTPS today? How often is it attacked? | Electronic Frontier Foundation
There are several productive ways to attack SSL today and it appears that several of them are in use. Here is some data on the rate at which they are used.
security  ssl  cryptography  internet  via:HackerNews  eff 
june 2013 by mcherm
Crack in Internet’s foundation of trust allows HTTPS session hijacking | Ars Technica
A genuine attacck on SSL by using chosen plantext that interacts with part of the message (like the session cookie) to give differing amounts of compression. Rather like timing attacks, the only real defense is to disable compression (which major browsers have done).
security  cryptography  internet  ssl  ArsTechnica  via:ArsTechnica 
october 2012 by mcherm
I can still see your actions on Google Maps over SSL
Observing traffic patterns, one can tell what someone is viewing over SSL.
security  via:twitter  ssl 
march 2012 by mcherm
Why doesn't anyone use client certs in SSL?
No one uses them because the UI is terrible. I wonder, could we (the bank) use them as one option for 2-factor authentication as the article suggests?
security  internet  ssl  via:HackerNews  cryptography 
march 2012 by mcherm
Message to Certificate Authorities about Subordinate CAs at Mozilla Security Blog
Mozilla puts certificate authorities on notice about misbehaving. They'd better not be issuing sub-certs that give global approval for anything, no matter how good their reason.
cryptography  security  firefox  mozilla  ssl  via:HackerNews 
february 2012 by mcherm
Convergence - SSL without a list of trusted roots
An attempt at building a PKI infrastructure that is not dependent on a list of trusted root certificates.
security  ssl  cryptography  pki  blogworthy  firefox 
february 2012 by mcherm
ImperialViolet - Revocation checking and Chrome's CRL
Chrome is dropping real-time checks for SSL cert revocation. They leak info, slow down SSL connections, and don't work when you're under attack anyway.
via:twitter  ssl  security  internet  browser  chrome 
february 2012 by mcherm
Punching through The Great Firewall of T-Mobile
Claims that T-Mobile is sending RST packets to disrupt attempts to create secure connections from their phones in the UK.
via:boingboing  t-mobile  internet  ssl  personal_net  security 
january 2012 by mcherm
Long Term Privacy with Forward Secrecy | Electronic Frontier Foundation
Intercepted SSL traffic can be decrypted later if the server's private key is ever exposed. There's a way to protect against that and Google just implemented it.
security  google  ssl  https  eff  internet  cryptography  via:boingboing 
december 2011 by mcherm
Sovereign Keys: A Proposal to Make HTTPS and Email More Secure | Electronic Frontier Foundation
The EFF proposes a replacement for the SSL cert infrastructure: a single, global append-only list of certs for every DNS domain would be built and cached by the browser. Entries would be verified by a proof the DNS is owned.
security  https  ssl  cryptography  programmming  internet  via:eff 
november 2011 by mcherm
SingleHop Are Cheats
It’s probably not intentional, but serving up via SSL means the file gets compressed, so their bandwidth test gives spurious results.
internet  ssl  personal_net  via:HackerNews 
september 2011 by mcherm
DigiNotar Removal Follow Up at Mozilla Security Blog
Mozilla explains how badly DigiNotar screwed up: not only did they sign evil certs, they kept it secret.
security  cryptography  ssl  mozilla  firefox 
september 2011 by mcherm
Iran forged the wrong SSL certificate
An enterprising government could forge an SSL certificate for google analytics. The they could inject JavaScript onto almost every page on the internet.
security  ssl  cryptography  via:HackerNews 
september 2011 by mcherm
TLS Renegotiation Test | netsekure rng
A site that will test for the SSL renegotiation bug.
security  ssl 
june 2011 by mcherm
Eureka! Google breakthrough makes SSL less painful • The Register
Google introduces a way to start ssl with 1 fewer round trips. It works today with no changes needed on servers so they implemented it in chrome.
security  ssl  google  cryptography  via:HackerNews 
may 2011 by mcherm
A Syrian Man-In-The-Middle Attack against Facebook | Electronic Frontier Foundation
The syrian government forged an SSL cert so they could do a man-in-the-middle attack against Facebook connections. (The cert wasn't signed, so it raised warning errors.)
security  ssl  via:boingboing 
may 2011 by mcherm
ImperialViolet - Overclocking SSL
Some details about how to make SSL faster, from experts at Google who work on this kind of stuff. Key quote: "you only need to remember one thing: SSL/TLS is not computationally expensive any more."
security  cryptography  google  networking  ssl 
december 2010 by mcherm
EFF to Verizon: Etisalat Certificate Authority Threatens Web Security | Electronic Frontier Foundation
The problem with centralized trust systems is that they can be subverted by "appropriate authorities". Here, the EFF publically questions whether an arm of the UAE should have a cert capable of signing SSL certificates which is trusted by Verizon which, in turn, is trusted by major browser vendors.
security  verizon  eff  ssl  cryptography  trust  privacy  via:slashdot 
august 2010 by mcherm
Side-Channel Leaks in Web Applications | Freedom to Tinker
An eavesdropper to an SSL connection can observe number of requests, timing of them, and size of request and response. This leaks LOTS of info. Eg: the "options" that pop down for search results have characteristic sizes. An attacker can tell EXACTLY what you searched for by watching what is obtained for each letter. Will soon be a serious problem.
security  webdevelopment  ssl  cryptography  cloudcomputing  privacy  via:BruceSchneier  blogworthy 
may 2010 by mcherm
The Secure Goose: TLS renegotiation vulnerability (CVE-2009-3555)
A clever trick to exploit the SSL vulnerability recently discovered by sending the message to Twitter where the attacker can then read the first 140 characters of the otherwise encrypted data stream (because twitter publishes it, of course).
hacking  security  ssl  via:slashdot 
november 2009 by mcherm
Another Protocol Bites The Dust
I need to see more details, but apparently there is a genuine vulnerability in the SSL protocol.
security  cryptography  ssl  via:slashdot 
november 2009 by mcherm
Moserware: The First Few Milliseconds of an HTTPS Connection
A helpful detailed description of exactly what happens when an SSL connection is made. Lots of details in there that I hadn't known.
internet  cryptography  security  ssl  programming  via:reddit 
june 2009 by mcherm
Web browser flaw could put e-commerce security at risk | Security - CNET News
Because MD5 collisions can be found, someone has expanded that to a mechanism for spoofing SSL certificates. It's a genuine vulnerability (although perhaps not the greatest worry at the moment).
security  via:slashdot  md5  cryptography  ssl 
january 2009 by mcherm
» Even SSL Gmail can get sidejacked | Zero Day |
Here's an attack on pretty much anything using cookies. It even works on Gmail because if SSL is failing Gmail attempts plain http.
ssl  security  hacking  gmail 
february 2008 by mcherm
SSL Certificates
Reasonably priced SSL certificates.
useful  ssl  web 
april 2005 by mcherm

Copy this bookmark:

to read