Google to enforce HTTPS on TLDs it controls

In its sustained quest to bring encryption to all existing Web sites, Google has announced that it will start enforcing HTTPS for the 45 Top-Level Domains it operates. How will it do that? You may or may not know that, since 2015, Google has been offering domain name registration services, and it operates domains such as .google, .how, and .dev (among others). And now, Google will start adding them to the HTTPS Strict Transport Security …

Breaking TLS: Good or bad for security?

As the use of TLS by malware and phishing increases, some security practitioners are seeking solutions to break TLS so they can monitor all traffic in and out of their network. Breaking TLS is typically accomplished by loading an inspection CA certificate that dynamically generates certificates by your TLS inspection device. The public key from this CA is loaded into all clients on the network. When a domain is requested, a certificate is generated “on …

The HTTPS interception dilemma: Pros and cons

HTTPS is the bread-and-butter of online security. Strong cryptography that works on all devices without complicating things for users. Thanks to innovative projects like Let’s Encrypt, adoption of HTTPS is rising steadily: in mid-2015 it was at 39%, now it’s at 51% of HTTPS requests. Recent research shows however that HTTPS interception happens quite often. In fact, about 10% of connections to CloudFlare are intercepted, and the main culprits are enterprise network monitoring products. Without …

Google launches its own Root Certificate Authority

Google is known for slipping fingers in many pies, so it should not come as a surprise that it has opted for starting its own Root Certificate Authority. With the increased implementation of HTTPS across their products, it makes sense for Google to wade in that particular pool. With this step, the company is also minimizing its dependency on other organizations, and allowing its engineers to control issued certificates from start to finish. “The process …

Final warning: Popular browsers will soon stop accepting SHA-1 certificates

Starting with Chrome 56, planned to be released to the wider public at the end of January 2017, Google will remove support for SHA-1 certificates. Other browser makers plan to do the same. “The SHA-1 cryptographic hash algorithm first showed signs of weakness over eleven years ago and recent research points to the imminent possibility of attacks that could directly impact the integrity of the Web PKI,” Chrome Security team member Andrew Whalley explained. “Website …

Chrome will start labeling some HTTP sites as non-secure

Slowly but relentlessly, Google is pushing website owners to deploy HTTPS – or get left behind. The latest announced push is scheduled for January 2017, when Chrome 56 is set to be released and will start showing in the address bar a warning that labels sites that transmit passwords or credit cards over HTTP as non-secure. In due time, all HTTP pages will be labeled by Chrome as non-secure, and ultimately, the HTTP security indicator …

Secure mobile communications explained

For a typical consumer, seeing Secured by SSL is all it takes to reassure them that whatever they are doing online is safe and secure. Awareness also teaches these same users that if https is in the browser, they are safe. For most, SSL is necessary and offers a decent amount of security for the risks they may encounter online – however, any security or IT pro understanding mobile communications would rather use a personal …

Too many Cisco ASA boxes still open to an EXTRABACON attack

Among the Equation Group exploits leaked by the Shadow Brokers, the one named EXTRABACON that targets Cisco ASA devices got the most attention from security researchers and attackers. It has been demonstrated that the original exploit can be easily modified to work on more recent versions of the Cisco ASA SSL VPN appliances, and researchers armed with honeypots noted that exploitation attempts started soon after the leak. You would think that news like this would …

CRIME, TIME, BREACH and HEIST: A brief history of compression oracle attacks on HTTPS

The HEIST vulnerability was presented at Black Hat USA 2016 by Mathy Vanhoef and Tom Van Goethem. In this presentation, new techniques were presented that enhanced previously presented padding oracle attacks on HTTPS, making them more practical. In a padding oracle attack, the attacker has partial control of part of a message that contains secret information, and is compressed, then encrypted before being sent over the network. An example of this is a web page …

Breathing new life into SSL VPNs: Making the most of the security benefits

Network security has been in an accelerated arms race for over a decade, with IT managers constantly adding new technologies to secure various network resources in an attempt to stay ahead of the bad guys. While the newer technologies can certainly help improve the overall security profile and reduce risks, there are also additional security benefits to be gained by creatively leveraging products you probably already have in your network. Take SSL VPNs, for example. …