certificate
Latest
Spotify's podcast hosting service went down because of a lapsed security certificate
All shows hosted on Megaphone were unavailable for several hours due to the slip up.
Older Android phones won't support many secure websites by September 2021
Let's Encrypt has warned that older Android phones won't support many secure websites after they lose key certificates by September 2021.
Microsoft Teams went down because of an expired certificate
This morning, Microsoft Teams went down for a few hours, and it seems that a pretty rookie mistake is to blame. Microsoft apparently forgot to renew the SSL certificate, which allows a secure connection between a web browser and a web server. As a result, the app told users that it failed to establish an HTTPS connection to Microsoft's servers.
Chrome's upcoming security change will break hundreds of sites
Google will strengthen Chrome's security with its next release, but that might have some unintended consequences for the sites you use. Security researcher Scott Helme has found that hundreds of the top 1 million sites are using old Symantec HTTPS certificates (pre-June 2016) that won't be trusted when Chrome 70 arrives as soon as October 16th. Some of these are vital sites, too, including multiple Indian government sites, the government of Tel Aviv and Penn State Federal Credit Union.
The EFF wants to make email servers more secure
The Electronic Frontier Foundation (EFF) launched HTTPS-encryption initiative Let's Encrypt two years ago with Mozilla and Cisco. Now it's turning its attention to email servers with a new project called STARTTLS Everywhere, which aims to help server admins run STARTTLS emails servers properly. Because according to the EFF, most aren't.
Chrome will soon stop supporting weak SHA-1 certificates
Google hasn't had confidence in SHA-1's -- the algorithm used for encryption by most SSL certificates, which add the "s" to https:// -- ability to keep your info safe for a long time. Now, the company is determined to stop supporting it and has revealed when it plans to do so. According to Google's Online Security blog, Chrome version 48 (currently in beta) will show a message that says "Your connection is not private" starting early next year whenever it detects an SHA-1-based certificate issued on or after January 1st, 2016.
Dell is the latest PC maker with a gaping security flaw, but it will fix it
Lenovo and Samsung might not be the only big Windows PC makers pre-installing software that compromises your security. Computer buyers have discovered that Dell is shipping at least some PCs (such as the new XPS 15) with a self-signed security certificate that's the same on every system. If intruders get a raw copy of the certificate's private key, which isn't hard, they have an easy way to attack every PC shipping with this code. The kicker? This is much like Lenovo's Superfish exploit, only written by the hardware vendor itself -- Dell had plenty of time to learn from its rival's mistake.
Google slaps Symantec for issuing fake web security certificates
Not long ago, Symantec revealed that it had issued bogus security certificates for numerous web domains, including Google's... and as you might guess, Google isn't happy. The search firm is warning Symantec that, as of June 1st, any Symantec certificates which don't meet its transparency policy may create warnings and "problems" in Google products (read: they'll be deemed insecure). Moreover, it's asking Symantec to explain why it didn't catch some of the fake certificates, the causes behind each slip-up and the steps it'll take to set things right. Not surprisingly, Google doesn't want malicious sites posing as someone else (especially not Google) in order to deliver malware or perpetuate phishing scams.
Gogo's in-flight WiFi uses fake web security to keep you off YouTube
It's easy to understand why Gogo would curb video streaming given the limited headroom on its current in-flight WiFi service. You don't want to miss important email just because someone in row 29 is watching the latest Epic Rap Battle, after all. However, the company's approach to keeping you off those forbidden sites is raising some major security concerns. Google's Adrienne Porter Felt recently noticed that Gogo is using fake google.com web security certificates to deter people from visiting YouTube. You can bypass any warnings from your browser, but the move theoretically lets Gogo decrypt and monitor your mid-air activity on any secure website, so long as it has the matching credentials.
Your iPhone inherently trusts many sites, including the government's
As a matter of course, virtually all the internet-capable hardware you use supports trusted certificates, or proofs that secure data connections (such as those for apps and websites) should be legitimate. Have you ever wondered exactly how much faith your gadgets place in others, however? Thanks to Karl Kornel, we now have a good sense of how iOS 8 devices fare -- and apparently, they trust a lot of organizations. Apple's latest mobile software has no less than 222 certificates that greenlight data sharing. Most of these are from companies you'd expect to oversee security on iPads and iPhones, including Symantec's various brands (35 certificates) and Apple itself (five). However, there are also quite a few governments that also get iOS' all-clear in certain circumstances, including China, Japan, the Netherlands, Taiwan, Turkey and the US.
Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible
Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant Illkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge. Confused by all the programming and security terms and just need to know how this affects you? It means that while you definitely need to change your passwords, but wait until affected services announce they've not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones. Update: If you're wondering how he did it, Indutny has posted more details and the script on his blog. Image credit: snoopsmaus/Flickr
EVE Evolved: Everything we know about Rubicon
Back in April, EVE Online Senior Producer Andie Nordgren delivered an incredible long-term vision for the game's future that included deep space colonisation, player-built stargates, and players controlling practically everything that's currently run by NPC empires. This vision sets the tone and direction for development over the next ten expansions, each of which will introduce a small component of the overall goal. In a live interview session earlier this week, CCP revealed the first steps it will take toward space colonisation in its upcoming winter expansion. Named Rubicon, the expansion will be in players' hands on November 19th and promises to give individuals and small groups unprecedented control over the sandbox. It will let players fight over planetary customs offices in high security space, significantly buff the ability of small ships to participate in hit-and-run style warfare, and even introduce a new set of personal deployable structures that can be hidden anywhere in space. All this comes alongside two new Sisters of EVE ships, twitch livestream integration, and significant balance changes to Marauders, Interceptors, Interdictors, and Electronic Attack Frigates. In this week's EVE Evolved, I run down all of the new features and changes announced so far for EVE Online's Rubicon expansion.
Microsoft halts posting new Windows Phone apps after some refuse to install on older devices
Microsoft may face a few uncomfortable questions at Build this fall. A bug in digital signatures resulting from the Windows Phone Dev Center rollout is preventing a "small percentage" of apps in the Windows Phone Store, including not-so-insignificant titles like WhatsApp and Microsoft's own Translator, from installing on older phones that had to upgrade to Windows Phone 7.5 after the fact. While the company already has a fix in the works, it's performing some painful triage to keep the damage from spreading: it's putting the brakes on publishing any new apps until certificate signing is back under control. Microsoft doesn't yet know when it can open the taps once more, either. The momentary freeze won't stop downloads of already-published apps, but it's likely to leave a few customers jittery about resetting their phones -- and developers twiddling their thumbs.
LG Optimus 2X scoops up Guinness World Record for being first dual-core smartphone
LG's Optimus 2X just scooped up official recognition from the Guinness World Records crew for being the very first dual-core smartphone, which sounds like a good thing, but really it kind of isn't. In its rabid pursuit of the "First!" badge, LG neglected to polish up the 2X's software, leaving a lot of early users feeling high, dry, and in need of a good custom ROM. On the other hand, that very same phone's US variant, the T-Mobile G2x that came a couple of months later, arrived with a nice and shiny stock Android build that really showed off the underlying hardware's true capabilities. So yeah, kudos on another Record, LG, but next time let's have less haste and more awesome, mmkay?
Samsung's new Galaxy Tab 10.1 hits the FCC with GT-P7510 moniker
Yes, this is Samsung's latest 10.1-inch Galaxy Tab alright, not to be mistaken with its thicker 10.1v sibling that's gradually rolling out across Europe and Australia. How can you tell? Well, the older Honeycomb tablet bears the GT-P7100 codename, whereas this FCC filing and a Wi-Fi Alliance certificate show off the GT-P7510 moniker for this WiFi-only 10.1. Oh, and the drawing of the backside -- pictured after the break -- is a dead giveaway, of course. What remains unknown is the mysterious 1GHz dual-core CPU inside this razor-thin slate, but given the release of this FCC application, it probably won't be long before all is revealed.
Palm smartphone pops up in WiFi certification database: is this Verizon's Pre?
Look, let's not beat around the bushes -- Verizon Wireless will one day stock Palm's Pre. It's a rather well documented fact, and at this point the only real question is "when?" Judging by a mysterious Wi-Fi Certificate that just popped up, we're beginning to think that the waiting period is nearly up, and with CES 2010 happening in a week, there's hardly a better time for us to really start believing. If you'll recall, Sprint's Pre snagged a Wi-Fi Certificate number of P100EWW, and just this summer we spotted a few leaked Palm devices within VZW documents with "P101" and "P121" monikers; lo and behold, the certificate for this elusive dual-mode (WiFi and cellular) smartphone boasts a P101EWW label. We aren't trying to read too deeply between the lines or anything, but if this isn't a Pre destined for Big Red, we're eager to know what kind of new mobile Palm has lined up for its presser at CES. [Thanks, Rehman]
Earn a certificate in iPhone and Cocoa Development from the University of Washington
If you've already got a degree or a little knowledge in programming and you're looking to get in on the iPhone app craze (or maybe you wish to write a Mac app -- many people still do) you may want to look at the University of Washington in Seattle. They are now offering a certificate program in iPhone and Cocoa development, which should teach you the basics of iPhone and Mac development in a mere 90 contact hours (three classes).Ars reports that the program may be extended to an online offering next year. I'd imagine that would be quite popular far beyond the borders of the UW campus. The course itself was developed with a stellar cast of advisors, including developers from NewsGator and OMNI Group, plus experts from Microsoft, Google and Disney Interactive and is "already close to capacity" for this Fall.While there are myriad books, websites and other resources for learning how to write Cocoa software, this appears to be the first continuing education certification program specifically tailored to writing iPhone apps. Yes, you can write Mac apps too, but I'm guessing the majority of attendees with have mobile dollar signs in their eyes.[via Ars]
Certificates and medals coming to EVE Online
Most players who've been drawn to EVE Online enjoy the game for its complexity. For such gamers, complexity in a title can be a strength, not a drawback. However, you know what they say about having too much a good thing... Newer players especially find aspects of the game daunting to learn, particularly in terms of skills and skill training plans. This complexity surrounding skills, while not a big deal to veteran players, can be hard to grasp for newer players. Enter "certificates" -- EVE's simplified and (visually) ranked groups of skills that should help rookie players better understand what they should focus on to achieve particular goals. If the feature does what the developers hope, certificates will remedy a problem newer players face -- "an inability to clearly see where a particular skill fits into the greater scheme of things, what it enables, how to get there and where to go next," CCP Greyscale writes in his latest dev blog "Certificates: Planning the Future."
Symbian 9.2 hacked to bypass app certification
App certificates have long been a bane to S60 users and developers alike, causing pain, frustration, and an almost obligatory cash outlay to get your hard work certified to run on the very platform Nokia is so quick to call "open." Finally, it truly is, thanks to the hard work of the Symbian hacking community that has developed an easy (or easy sounding, anyway) method of "jailbreaking" the Symbian 9.2 device in your life (S60 3rd Edition FP1 users, that's you). After that, installed apps won't need a certificate at all -- let alone an invalid one -- to do their dirty work. Open, indeed.[Via Part-Time Phone Reviewer, thanks to everyone who sent this in]
