CertificateAuthority
Latest
Google and Symantec go to war over our internet security
Google and Symantec are engaged in a war about each other's security practices, with all of us caught in the crossfire. As TechCrunch reports, Google believes that Symantec has been improperly issuing security certificates for tens of thousands of websites. If the search engine follows through with its threat, then Chrome will soon no longer place the same level of trust in Symantec's certificates.
Companies could use 'intermediate' web security certificates to spy
A certificate authority (CA) is a trusted entity that issues electronic certificates (duh) to verify identity on the Internet. They're a key part of secure communications online -- and thus super important. Then there's intermediate CAs, signed by a root CA, making certificates for any website. However, they're just as powerful as those root ones. Worse still, there's no full list for the ones your system trusts because root CAs can make new ones whenever it wants, and our computers will trust 'em immediately. This is a problem when companies get their hands on them, although they could have legitimate reasons for using an intermediate CA within their own networks.
Tech companies want you to have free web encryption
Ideally, you'd encrypt everything you do on the web to keep it away from spies and thieves. However, getting a security certificate to enable that encryption on your own site can be both costly and difficult -- many people don't even bother. That's not good enough for the Electronic Frontier Foundation, so it's partnering with Mozilla, Cisco and other tech firms to launch Let's Encrypt, an authority that will hand out and manage free certificates for anyone that wants them. Besides eliminating the cost barrier, the effort will also scrap a lot of the bureaucracy and hard work that's normally involved -- all you'll have to do is run a program, which should take seconds.
PlayStation 3 used to hack SSL, Xbox used to play Boogie Bunnies
Between the juvenile delinquent hordes of PlayStation Home and some lackluster holiday figures, the PlayStation has been sort of a bummer lately, for reasons that have nothing to do with its raison d'etre -- gaming. That doesn't mean that the machine is anything less than a powerhouse -- as was made clear today when a group of hackers announced that they'd beaten SSL, using a cluster of 200 PS3s. By exploiting a flaw in the MD5 cryptographic algorithm (used in certain digital signatures and certificates), the group managed to create a rogue Certification Authority (CA) which allows them to create their own SSL certificates -- meaning those authenticated web sites you're visiting could be counterfeit, and you'd have no way of knowing. Sure, this is all pretty obscure stuff, and the kids who managed the hack said it would take others at least six months to replicate the procedure, but eventually vendors are going to have to upgrade all their CAs to use a more robust algorithm. It is assumed that the Wii could perform the operation just as well, if the hackers had enough room to spread out all their Balance Boards.[Via ZD Net]
