tls
Latest
Russian hackers modify Chrome and Firefox to track secure web traffic
Many hackers won't touch web browsers beyond exploiting their vulnerabilities, but one group is taking things one step further. Kaspersky has detailed attempts by a Russian group, Turla, to fingerprint TLS-encrypted web traffic by modifying Chrome and Firefox. The team first infects systems with a remote access trojan and uses that to modify the browsers, starting with installing their own certificates (to intercept TLS traffic from the host) and then patching the pseudo-random number generation that negotiates TLS connections. That lets them add a fingerprint to every TLS action and passively track encrypted traffic.
Google faces scrutiny from Congress, DOJ over plans to encrypt DNS
Google's bid to encrypt domain name requests appears to be raising hackles among American officials. The Wall Street Journal has learned that the House Judiciary Committee is investigating Google's plans to implement DNS over HTTPS in Chrome, while the Justice Department has "recently received complaints" about the practice. While Google says it's pushing for adoption of the technology to prevent spying and spoofing, House investigators are worried this would give the internet giant an unfair advantage by denying access to users' data.
Government shutdown has left several US agency websites inaccessible
Agency websites are among the many facets of the US government that the ongoing shutdown has affected, as more than 80 TLS certificates on government sites have reportedly expired. Even though federal employees could have renewed them well in advance of the shutdown, there's no one around to do so now, meaning dozens of sites may be inaccessible or non-secure for the time being.
New York settles with Equifax and others over lax mobile app security
New York Attorney General Barbara Underwood announced that the state has reached settlements with five companies regarding a security vulnerability present on each of their mobile apps. Going forward, the companies -- Equifax, Western Union, Priceline, Spark Networks and Credit Sesame -- will be required to implement security programs aimed at protecting their customers' information.
Microsoft browsers will disable 20-year-old security protocol
Microsoft has announced that it will be disabling the oldest versions of the Transport Layer Security (TLS) protocol in Edge and Internet Explorer 11 by default in 2020. The company said in a blog post that the move is intended to help "advance a safer browsing experience for everyone" and it's giving advance notice so that the few websites that still rely on TLS 1.0 and 1.1 can upgrade to newer versions ahead of the switch.
New web security standard promises safer, faster browsing
It's safe to say that web security could use a tune-up given the deluge of malware attacks and data breaches. Thankfully, it's about to get one. The Internet Engineering Task Force has approved Transport Layer Security 1.3, a new standard that makes some fundamental improvements to how and when web encryption kicks in. For the most part, int involves both shrinking the window of opportunity for intruders and preventing them from recycling code.
Android is getting a feature that encrypts website name requests
Google's efforts to push websites to use encrypted connections is paying off. Just days ago, the search giant revealed that HTTPS use on its own products is at 89 percent overall, up from just 50 percent at the beginning of 2014. (Not sure what we're blabbering on about? Just peep the green lock icon and the word "secure" in the address bar). Now, Google is adding an extra layer of security to Android. XDA Developers has spotted that DNS over TLS (Transport Layer Security) support is heading to the mobile OS, according to the Android Open Source Project -- meaning DNS queries will be encrypted to the same level as HTTPS.
Netflix explains how and why it's switching to HTTPS streaming
Netflix has always used DRM to keep studios happy and make an effort to stop people from copying its video streams, but now it's added a new layer of protection. Last year the video streaming giant announced it would roll out HTTPS encryption for streams, and a new post on its tech blog explains how you do that for 80+ million customers at once. It developed a scheme to add encryption on its Open Connect servers -- the boxes hosted by or near ISPs to bring Netflix's library closer to the homes of viewers -- without impacting efficiency.
Tech companies want you to have free web encryption
Ideally, you'd encrypt everything you do on the web to keep it away from spies and thieves. However, getting a security certificate to enable that encryption on your own site can be both costly and difficult -- many people don't even bother. That's not good enough for the Electronic Frontier Foundation, so it's partnering with Mozilla, Cisco and other tech firms to launch Let's Encrypt, an authority that will hand out and manage free certificates for anyone that wants them. Besides eliminating the cost barrier, the effort will also scrap a lot of the bureaucracy and hard work that's normally involved -- all you'll have to do is run a program, which should take seconds.
Windows is vulnerable to web encryption attacks, too
Microsoft's software isn't immune to the rash of recent web encryption exploits, it seems. The company has discovered (and thankfully, patched) a Windows flaw that lets hackers use the software's Secure Channel technology, which handles SSL and TLS encryption, to compromise PCs. If you're susceptible, you only have to visit a maliciously-coded website to trigger it; after that, thieves can swipe cryptographic keys and theoretically spy on your communications. The vulnerability primarily affects servers (where a lot of encrypted traffic flows), but Microsoft warns that it also affects regular versions of Windows from Vista on up.
Apple issues iOS 7.0.6 / 6.1.6 security updates
Today, Apple issued security updates for iOS 7 and iOS 6. The updates protect phones against potential attacks that might compromise data in secure sessions. Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps. The iOS 7.0.6 update appears to be available for all iPhones, iPods, and iPads running iOS 7. In addition, Ars Technica writes that iOS 6.1.6 has also been patched to address the SSL vulnerability. TUAW highly recommends that you install the appropriate update on your iOS devices as soon as possible. Thanks, Sam Marshall
