background preloader


Facebook Twitter

Letsencrypt/acme-spec. Launching in 2015: A Certificate Authority to Encrypt the Entire Web. Today EFF is pleased to announce Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.

Launching in 2015: A Certificate Authority to Encrypt the Entire Web

Although the HTTP protocol has been hugely successful, it is inherently insecure. Connect securely to https websites – Blog and info for the Perspectives project. LibreSSL: More Than 30 Days Later. Ted Unangst LibreSSL was officially announced to the world just about exactly five months ago.

LibreSSL: More Than 30 Days Later

Bob spoke at BSDCan about the first 30 days. Only a few days old, OpenSSL fork LibreSSL is declared “unsafe for Linux” The first "preview" release of OpenSSL alternative LibreSSL is out, and already a researcher says he has found a "catastrophic failure" in the version for Linux.

Only a few days old, OpenSSL fork LibreSSL is declared “unsafe for Linux”

The problem resides in the pseudo random number generator (PRNG) that LibreSSL relies on to create keys that can't be guessed even when an attacker uses extremely fast computers. When done correctly, the pool of numbers supplied is so vast that the output will almost never be repeated in subsequent requests, and there should be no way for adversaries to accurately predict which numbers are more likely than others to be chosen. Generators that don't produce an extremely large pool of truly random numbers can undermine an otherwise robust encryption scheme. The Dual EC_DRBG influenced by the National Security Agency and used by default in RSA's BSAFE toolkit, for instance, is reportedly so predictable that it can undermine the security of applications that rely on it.

Edge cases. SSL/TLS Strong Encryption: An Introduction - Apache HTTP Server. Available Languages: en | fr | ja As an introduction this chapter is aimed at readers who are familiar with the Web, HTTP, and Apache, but are not security experts.

SSL/TLS Strong Encryption: An Introduction - Apache HTTP Server

It is not intended to be a definitive guide to the SSL protocol, nor does it discuss specific techniques for managing certificates in an organization, or the important legal issues of patents and import and export restrictions. Rather, it is intended to provide a common background to mod_ssl users by pulling together various concepts, definitions, and examples as a starting point for further exploration. Cryptographic Techniques Understanding SSL requires an understanding of cryptographic algorithms, message digest functions (aka. one-way or hash functions), and digital signatures. Cryptographic Algorithms. Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection. Throughout the recent months (and particularly: weeks), people have asked me how to properly secure their SSL/TLS communication, particularly on web servers.

Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection

At the same time I’ve started to look for good literature on SSL/TLS. I noticed that many of the “guides” on how to do a good SSL/TLS setup are actually cargo cult. Cargo cult is a really dangerous thing for two reasons: First of all, security is never a one-size-fits-all solution. Your setup needs to work in your environment, taking into account possible limitation imposed by hardware or software in your infrastructure. And secondly, some of those guides are outdated, e.g. they do neglect the clear need for Perfect Forward Secrecy, or use now-insecure ciphers. Apple’s #gotofail weekend – Ashkan Soltani. How does the NSA break SSL? A few weeks ago I wrote a long post about the NSA's 'BULLRUN' project to subvert modern encryption standards.

How does the NSA break SSL?

I had intended to come back to this at some point, since I didn't have time to discuss the issues in detail. But then things got in the way. A lot of things, actually. Some of which I hope to write about in the near future. Tor and HTTPS. <p>Please enable Javascript in your browser if you want this to be interactive.

Tor and HTTPS

</p><p><strong>No Tor and No HTTPS</strong><br /><img src="/files/tor-https-0.png" /></p><p><strong>No Tor and HTTPS</strong><br /><img src="/files/tor-https-1.png" /></p><p><strong>Tor and No HTTPS</strong><br /><img src="/files/tor-https-2.png" /></p><p><strong>Tor and HTTPS</strong><br /><img src="/files/tor-https-3.png" /></p>

Mitmproxy - home. How secure is HTTPS today? How often is it attacked? This is part 1 of a series on the security of HTTPS and TLS/SSL HTTPS is a lot more secure than HTTP!

How secure is HTTPS today? How often is it attacked?

If a site uses accounts, or publishes material that people might prefer to read in private, the site should be protected with HTTPS. BREACH ATTACK. [PFS] SSL: Intercepted today, decrypted tomorrow. [September 2013: The Netcraft extension — for Firefox, Google Chrome, and Opera — now displays whether or not PFS is supported] Millions of websites and billions of people rely on SSL to protect the transmission of sensitive information such as passwords, credit card details, and personal information with the expectation that encryption guarantees privacy.

[PFS] SSL: Intercepted today, decrypted tomorrow

However, recently leaked documents appear to reveal that the NSA, the United States National Security Agency, logs very high volumes of internet traffic and retains captured encrypted communication for later cryptanalysis. The United States is far from the only government wishing to monitor encrypted internet traffic: Saudi Arabia has asked for help decrypting SSL traffic, China has been accused of performing a MITM attack against SSL-only GitHub, and Iran has been reported to be engaged in deep packet inspection and more, to name but a few. [RSA, PFS] Facebook's outmoded Web crypto opens door to NSA spying. Secret documents describing the National Security Agency's surveillance apparatus have highlighted vulnerabilities in outdated Web encryption used by Facebook and a handful of other U.S. companies.

[RSA, PFS] Facebook's outmoded Web crypto opens door to NSA spying

Documents leaked by former NSA contractor Edward Snowden confirm that the NSA taps into fiber optic cables "upstream" from Internet companies and vacuums up e-mail and other data that "flows past" -- a security vulnerability that "https" Web encryption is intended to guard against. But Facebook and a few other companies still rely on an encryption technique viewed as many years out of date, which cryptographers say the NSA could penetrate reasonably quickly after intercepting the communications. Facebook uses encryption keys with a length of only 1,024 bits, while Web companies including Apple, Microsoft, Twitter, Dropbox, and even Myspace have switched to exponentially more secure 2,048-bit keys. The NSA's budget is estimated to be at least $10 billion a year. Sovereign Keys: A Proposal to Make HTTPS and Email More Secure.

This is part 2 of a series on the security of HTTPS and TLS/SSL. [Part 1] In a previous post, we discussed some structural insecurities in HTTPS and TLS/SSL, and how those are beginning to pose serious problems for the security of the Web. In this post I will introduce a new proposal called "Sovereign Keys", which is intended to systematically fix these weaknesses in the way that encrypted Internet protocols perform authentication. Hackers break SSL encryption used by millions of sites. High performance access to file storage Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Google preps Chrome fix to slay SSL-attacking BEAST. High performance access to file storage Google has prepared an update for its Chrome browser that protects users against an attack that decrypts data sent between browsers and many websites protected by the secure sockets layer protocol. The fix, which has already been added to the latest developer version of Chrome, is designed to thwart attacks from BEAST, proof-of-concept code that its creators say exploits a serious weakness in the SSL protocol that millions of websites use to encrypt sensitive data. Tor and the BEAST SSL attack. Today, Juliano Rizzo and Thai Duong presented a new attack on TLS <= 1.0 at the Ekoparty security conference in Buenos Aires. Let's talk about how it works, and how it relates to the Tor protocol. Short version: Don't panic. The Tor software itself is just fine, and the free-software browser vendors look like they're responding well and quickly.

Beta - Blog - The Background In the early 90’s, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well the intense pressure everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. It’s amazing that SSL has endured for as long as it has, in contrast to a number of other protocols from the same vintage. We’ve definitely learned a lot since then, though, but the thing about protocols and APIs is that there’s very little going back.

Generally speaking, all secure protocols need to provide three things: secrecy, integrity, and authenticity. Lately, however, the general perception of Certification Authorities seems to be shifting from the old vibe of “total ripoff” to a new vibe of “total ripoff and also insecure.” Defining The Problem. NetCertScanner - Universal Network Based SSL Certificate Scanner. NetCertScanner is the enterprise software to scan & manage expired SSL Certificates on your local network or internet.

It's swift SSL Certifcate scan powered by 'Host-Port Multiplexed Multithreading' technique helps you to scan the entire network in just few minutes. Along with this, it also boasts of other special features like Smarter SSL Cert Analysis, Hidden SSL Port Scan, Color based Display, Database Integration, Console Version, HTML/CSV Scan Report etc making it a unique product in the universe. Served independently since 2007, now for the first time it is being released under the company 'XenArmor' offering enterprise support and service to all our customers.

NetCertScanner 2014 presents the fully renovated edition from inside out to perform SSL certificate scan smarter than ever. How to Deploy HTTPS Correctly. Firesheep, a week later: Ethics and Legality - codebutler. New paper - Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL. Gov't, certificate authorities conspire to spy on SSL users? - SSL is the cornerstone of secure Web browsing, enabling credit card and bank details to be used on the 'Net with impunity.