ssl

Latest

  • Windows is vulnerable to web encryption attacks, too

    by Jon Fingas
    11.13.2014

    Microsoft's software isn't immune to the rash of recent web encryption exploits, it seems. The company has discovered (and thankfully, patched) a Windows flaw that lets hackers use the software's Secure Channel technology, which handles SSL and TLS encryption, to compromise PCs. If you're susceptible, you only have to visit a maliciously-coded website to trigger it; after that, thieves can swipe cryptographic keys and theoretically spy on your communications. The vulnerability primarily affects servers (where a lot of encrypted traffic flows), but Microsoft warns that it also affects regular versions of Windows from Vista on up.

  • Google discovers another web security flaw that leaves browsers vulnerable

    by Sean Buckley
    10.14.2014

    Get ready for Heartbleed deja-vu: Google just found an exploit in SSL 3.0 that could give attackers the ability to work out the plaintext traffic of a secure connection. It's calling the attack "POODLE," or Padding Oracle On Downgraded Legacy Encryption, and it allows a man-in-the-middle attacker to decrypt HTTP cookies. Cookies can be used to store personal information, website preferences or even passwords, depending on the situation. SSL 3.0 is a pretty old (15 years) protocol, but it's still used in most web browsers and as a fallback for countless servers in case modern protocols fail to connect. Prospective attackers can force a server to default back to SSL 3.0 for the sake of the exploit.

  • Tor's anonymity network may have to shrink to fight the Heartbleed bug

    by Jon Fingas
    04.17.2014

    Bad news if you're relying on the Tor network to evade surveillance or otherwise remain anonymous: you're not immune from the Heartbleed bug, either. Key developer Roger Dingledine warns that some Tor nodes are running encryption software that's vulnerable to the flaw, and that they may have to be kicked off the network to safeguard its privacy-minded users. If all the service's directory operators decide to boot compromised nodes, roughly an eighth of Tor's capacity could go away -- you may well notice the difference.

  • Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible

    by Richard Lawler
    04.11.2014

    Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant Ilkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge. Confused by all the programming and security terms and just need to know how this affects you? It means that you definitely need to change your passwords, but wait until affected services announce they've not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones. Update: If you're wondering how he did it, Indutny has posted more details and the script on his blog.

  • Bloomberg: NSA used Heartbleed exploit for 'years' without alerting affected websites, the public (update: NSA response)

    by Ben Gilbert
    04.11.2014

    The United States National Security Agency reportedly used the recently uncovered "Heartbleed" security exploit to access information, Bloomberg reports. According to two unnamed sources, the NSA exploited the flawed security standard for the past two years without alerting affected companies and the public at large. It's unclear what the exploit was used to access, but the flaw affects a huge portion of the web: something like two-thirds. Major services like Google are already acting, updating services and patching the issue. For those services, we suggest updating your passwords ASAP. For the still affected sites? Sadly, your best option is to wait it out. Update: The NSA insists that it only became aware of Heartbleed at the same time as everyone else. This answer isn't going to satisfy everyone given the many contradictory claims about the agency's activities, but hey -- at least it's on top of the situation.

  • The Heartbleed bug is affecting routers, too

    by Sean Buckley
    04.10.2014

    Read our Heartbleed defense primer? Good, but the fight for your privacy isn't over just yet: you might have to replace your router, too. Cisco Systems and Juniper Networks have announced that the Heartbleed bug -- a flaw in OpenSSL that lets attackers bypass common security protocols -- has been found in their networking products. This news isn't too surprising, as any device using OpenSSL is potentially vulnerable, but checking these devices for the flaw is a laborious process. Naturally, devices that don't use the affected versions of OpenSSL (like Linksys routers) are unaffected. Both firms are investigating their product libraries to compile lists of affected devices. You can find those lists here, here (for Juniper Networks) and here (for Cisco Systems). If one of your devices is listed, sit tight and watch for updates; both companies say they're working on patches.

  • How to avoid heartburn, er, Heartbleed

    by Sean Buckley
    04.09.2014

    Don't change your password. It's strange advice to hear when the so-called Heartbleed bug is leaving databases all over the web open and exposed, but it's applicable. Yes, security has been compromised for many of your favorite websites and services (including Google, Flickr and Steam, at least initially) but protecting yourself isn't quite as easy as changing your password. Unlike past exploits, Heartbleed isn't a database leak or a list of plaintext logins; it's a flaw in one of the web's most prevalent security protocols -- and until it's fixed, updating your login information won't do a darn thing to protect you. What, then, can you do to protect yourself? Wait, watch and verify.

  • Internet security key flaw exposes a whole load of private data

    by Jon Fingas
    04.08.2014

    Most internet security holes, even the bigger ones, tend to be fairly limited in scope -- there are only so many people using the wrong software or visiting the wrong sites. Unfortunately, that's not true of the newly revealed Heartbleed Bug. The flaw, which affects some older versions of common internet encryption software, lets attackers grab both a site's secure content and the encryption keys that protect that content. As such, a successful intruder could both obtain your private information from a given site and impersonate that site until its operators catch on. Since the vulnerable code is both popular and has been in the wild for as long as two years, there's a real possibility that some of your online data is at risk.

  • OS X Update 10.9.2 now available, patches SSL/TLS hole [Updated]

    by Steve Sande
    02.25.2014

    OS X 10.9.2 just arrived via the Mac App Store, bringing with it a number of "improvements to the stability, compatibility and security of your Mac." While the update seems to focus on issues that were occurring with FaceTime audio calls, iMessages, Mail, and server/VPN connections, there's no word on whether or not it has also fixed the SSL vulnerability that was recently patched in iOS 7.0.6 and 6.1.6. Update: developer Steve Streza confirms that Safari now behaves correctly/securely in 10.9.2, indicating that the security hole has been plugged as expected. The "detailed information about the security content of this update" has not been posted as of publication time; however, "detailed information about this update" -- which lists all of the changes made with the exception of the security details -- is updated. Update: If you're dubious that the error has been fixed on a specific machine or browser, head over to http://gotofail.com to find out if your installation is safe from the Apple SSL bug. Thanks to Andrew, Eric and everyone who sent this in.

  • OS X still vulnerable to SSL bug, and other news for Feb. 24, 2014

    by Michael Grothaus
    02.24.2014

    Last Friday, Apple issued an emergency software update to iOS 7 and iOS 6 which closed a security hole that exposed iOS devices to potential attacks that could compromise data in secure sessions. The Apple TV also received updated software. Noticeably absent, however, was any software update for OS X, which still possesses the SSL bug. However, Apple has confirmed to Reuters that a release is coming: Confirming researchers' findings late Friday that a major security flaw in iPhones and iPads also appears in notebook and desktop machines running Mac OS X, Apple spokeswoman Trudy Muller told Reuters: "We are aware of this issue and already have a software fix that will be released very soon." As of yet no fix has arrived, but hopefully that "very soon" arrives, well...soon. In other news: Do you like Steve Jobs? How about trash? Do you like art? Then check out this portrait of Steve Jobs made out of recycled e-waste. A new Apple store is coming to Lansing, Michigan according to the Lansing State Journal. It will be 6,000 square feet situated at the Eastwood Towne Center. The AirForceTimes says the United States Air Force is ditching 5000 Blackberrys in favor of Apple's iPhones.

  • Apple quietly issues iOS update to patch faulty SSL authentication (update 2: OS X patch coming)

    by Sean Buckley
    02.21.2014

    Is that an iPhone in your pocket? Then you'd better pull it out, dive into the settings menu and check for updates: there may be an important patch waiting for you. Apple has quietly pushed out iOS 7.0.6 and 6.1.6 -- small updates that address a hitherto unknown security issue with its mobile OS. According to the company's security notes, the previous versions of iOS were missing key SSL validation steps that kept Secure Transport from validating authentic connections, making it possible for "attackers with a privileged network position" to "capture or modify data in sessions protected by SSL/TLS." In other words, iOS devices were failing to protect themselves on shady networks, unbeknownst to the user. It's not clear if this security flaw was known outside of Cupertino, but it certainly is now. Lucky you, then, that Apple has already issued the fix. Well, what are you waiting for? Update your phone/tablet/Apple TV, already. Update: Researchers have found evidence that OS X also has SSL validation issues. Security firm Crowdstrike analyzed the iOS updates, and says that both of Apple's platforms are/were vulnerable to man-in-the-middle attacks. It expects Apple will push a fix for OS X soon, but for now recommends avoiding shady WiFi hotspots and updating only on trusted networks -- good habits to practice any time. Adam Langley posted a segment of what appears to be the offending code, and tests show it affects OS X up through the most recent developer builds of Mavericks. We've contacted Apple regarding the claims, but have yet to receive a response. Update 2: Apple tells us that it's aware of the OS X vulnerability, and that a patch will be available "very soon."

  • Apple issues iOS 7.0.6 / 6.1.6 security updates

    by Erica Sadun
    02.21.2014

    Today, Apple issued security updates for iOS 7 and iOS 6. The updates protect phones against potential attacks that might compromise data in secure sessions. Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps. The iOS 7.0.6 update appears to be available for all iPhones, iPods, and iPads running iOS 7. In addition, Ars Technica writes that iOS 6.1.6 has also been patched to address the SSL vulnerability. TUAW highly recommends that you install the appropriate update on your iOS devices as soon as possible. Thanks, Sam Marshall

  • NSA collecting email and messaging contacts worldwide, Yahoo moves to encrypt webmail by default

    by Jon Fingas
    10.14.2013

    Don't think that the NSA's bulk communication data collection is focused solely on the communications themselves. The Washington Post has published more Edward Snowden documents which reveal that the agency collects large volumes of contact lists from email and instant messaging users around the world. While the NSA gathers the information on foreign soil, its method reportedly prevents it from automatically screening out any Americans in the list. The NSA and anonymous officials argue that American laws prevent analysts from accessing data unless they believe there's a foreign target hidden within, but the strategy still has the government storing contacts for "millions" of people. Yahoo customers are some of the most common targets of this surveillance, as the company doesn't normally encrypt webmail sessions. That's about to change, however. The internet firm tells the Post that its webmail service will default to using SSL encryption on January 8th, catching up with Facebook and Google. Yahoo isn't officially tightening its security in response to NSA activity, and using SSL won't necessarily stop interceptions when spies frequently have workarounds. However, the upcoming encryption will at least complicate any snooping -- whether or not it's part of an intelligence operation.

  • Chrome 25 extends encrypted search to everyone, not just signed-in users

    by Nicole Lee
    01.18.2013

    Chrome users with something to hide have heretofore been required to sign in to Google to keep their omnibox searches hidden from prying eyes -- but today's Chrome 25 beta update changes that. Now all searches are automatically encrypted, whether you're signed in or not. It's certainly not the first browser to implement such a security feature -- Firefox 14 switched to HTTPS for all searches last year -- but it's a welcome change all the same. With web voice recognition and security whitelists on the docket as well, the latest version of Chrome is setting up to be quite the must-have, especially for those who want to keep their Justin Bieber search results to themselves.

  • Firefox deems favicons risky, banishes them from address bar

    by Steve Dent
    04.24.2012

    Who'd have thought those tiny reminders of the site you're browsing could bite your backside? Apparently Mozilla did, and with its latest nightly Firefox build it has expunged favicons from their eternal perch just left of the URL. The problem is that instead of something friendly -- like Google's famous "g" -- nefarious sites can use a padlock or similar image, making you think you're on a secure SSL page. So, starting from mid-July you'll see a generic globe for standard websites, green padlocks for SSL sites with validation, and gray padlocks for SSL sites without it. Take note that (so far) tabs will keep their favicons, so those of us with 43 sites open at the same time will still know where in the web we are.

  • Google puts False Start SSL experiment down, nobody notices

    by Terrence O'Brien
    04.12.2012

    Back in September of 2010 Google started experimenting with a new Chrome feature called False Start, which cut the latency of SSL handshakes by up to 30 percent. While the delay in forging a secure connection never seemed like a major concern for most, the pause (which could be several hundred milliseconds long) before a browser starts pulling in actual content was too much to swallow for Mountain View engineers. The tweak to SSL was a somewhat technical one that involved packaging data and instructions normally separated out -- reducing the number of round trips between a host and a client before content was pulled in. Unfortunately, False Start has proven incompatible with a number of sites, in particular those that rely on dedicated encryption hardware called SSL Terminators. Chrome used a blacklist to track unfriendly sites, but maintaining that repository proved more difficult than anticipated and became quite unwieldy. Despite reportedly working with over 99 percent of websites, Adam Langley, a Google security researcher, has decided that False Start should be retired with version 20 of the company's browser. The change will likely go unnoticed by most users, but it's always a shame to see efforts to make the web as SPDY as possible fail.

  • Google brings search to Your World, complete with results close to your heart

    by Zachary Lutz
    01.10.2012

    As Google presses forward with its social network initiative, it only makes sense that the company famed for comprehensive search results would naturally bring Google+ along for the ride. That day is now upon us, as the juggernaut from Mountain View has officially unveiled Your World -- an addition to its search results that prioritizes content generated by you and those in your circles. Now, the company hopes it'll be much easier to find relevant photos, blog posts and contacts from the Google search bar, which includes content both public and private. In an effort to keep security in check, all searches will be performed by default over SSL. Additionally, skeptics may opt-out of Your World at any time. For those looking for the best of both worlds, a toggle at the top-right of the page allows users to choose on-the-fly whether to include personalized results. It all looks quite slick -- in fact, we wouldn't be too surprised if another social networking company just threw up a little.

  • Google encrypts search for users, paranoiacs unsure how to respond

    by Joseph Volpe
    10.19.2011

    When Al Gore first created the internet (hard wink, everybody), we're pretty sure the plan was for Big Brother to collect your data, not Silicon Valley titans. Now Google, the company that mainly tends the gates to the web's vast array of information, is stepping up to its "Do No Evil" motto, and making encrypted search the norm -- for account users. While Gmail's long had SSL set as a default login, good ol' Joe Public's had to specifically access Mountain View's dedicated encrypted search page for anonymous surfing privileges. No longer, as Gmail users signed in to Goog's suite of web services will be automatically redirected to https://www.google.com where their searches and results will be hidden from prying eyes. The protection doesn't extend out to web advertisements, so those specific clicks will deliver the same metric-relevant info that helps marketers optimize their hyper-targeting. Any of that put you conspiracy theorists at ease? Good, now you can open those curtains again.

  • Motorola's Atrix Certificate Updater remedies its mobile banking blunder

    by Zachary Lutz
    05.29.2011

    If you're an Atrix 4G user who has been reeling since your banking apps failed, go ahead and cancel that next therapist appointment -- thankfully for you, a permanent fix is now available in the Android Market. Motorola's Atrix Certificate Updater swaps the troublesome security signatures from v4.1.83 with versions that should play nicely alongside your mobile banking apps. If you're a sucker for punishment and want to restore the v4.1.83 certificates, the change can be reverted by relaunching Motorola's updater. With this misstep out of the way, you can enjoy the Memorial Day holiday and keep your financial life in order -- even while your bank's doors remain tightly locked.

  • Motorola's Atrix 4G update 4.1.83 breaks the bank (literally)

    by Zachary Lutz
    05.23.2011

    Fans of mobile banking are discovering harsh surprises after updating their Atrix 4G to v4.1.83. Amongst the numerous improvements in this release (including the widely touted HSUPA fix), Motorola added new SSL certificates to the mix. While such a change would normally be inconsequential, many banking apps have stopped functioning with the new certificates in place -- a rude shock for anyone needing to deposit a paycheck. So far, Moto confirms that American Express, Bank of America, Chase and Discover are affected -- while Wells Fargo and Citibank's apps run just fine. Motorola plans to issue a workaround for affected users, but currently suggests that everyone access their financial institution through Android's web browser. Maybe it's just us, but this sounds like a fine opportunity to take the new Firefox 4 for a spin. [Thanks, David]