Skip to main content

SSL

​Another day, another OpenSSL patch

posted onJuly 13, 2015
by l33tdawg
Credit:

The latest OpenSSL security hole isn't a bad one as these things go. It's no Heartbleed, Freak, or Logjam. But it's serious enough that, if you're running alpha or beta operating systems, you shouldn't delay patching it.

Fortunately, the affected OpenSSL versions are not commonly used in enterprise operating systems. For example, it doesn't impact shipping and supported versions of Red Hat Enterprise Linux (RHEL) or Ubuntu. In the case of Ubuntu, it does affect the 15.10 development release, but the patch is already available.

What the FREAK? Huge SSL security flaw stems from US government backdoor

posted onMarch 4, 2015
by l33tdawg

Seven hours is all it takes to crack the encryption that is in place on some supposedly secure websites. Security experts blame the US government's ban on the use of strong encryption back in the 1990s for a vulnerability that has just come to light. Named FREAK (Factoring attack on RSA-EXPORT Keys), the flaw exists on high-profile websites including, ironically, NSA.gov.

Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

posted onDecember 9, 2014
by l33tdawg

Some of the world's leading websites—including those owned or operated by Bank of America, VMware, the US Department of Veteran's Affairs, and business consultancy Accenture—are vulnerable to simple attacks that bypass the transport layer security encryption designed to thwart eavesdroppers and spoofers.

German Spy Agency Wants To Buy Zero-Day Vulnerabilities In Order To Undermine SSL Security

posted onNovember 13, 2014
by l33tdawg

The newspaper Süddeutsche Zeitung reports that the German spy agency BND will spend €28 million on what it calls its 'Strategic Technical Initiative' (SIT) next year, and that it has asked the German government for a further €300 million (original in German). The German edition of the English-language site "The Local" explains how the money will be used:

    The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.

Microsoft releases anti-POODLE Fix It

posted onOctober 30, 2014
by l33tdawg

Microsoft has released a Fix It to disable the feature which was the subject of the POODLE attack. The Fix It, a program which implements changes in the registry, makes the process simpler than the alternatives.

POODLE is the name given to a vulnerability in SSL version 3.0 found earlier this month by a Google researcher. SSL was supplanted by TLS and the current version is 1.2, but systems may fall back to older versions if the server does not support the newer ones.

OpenSSL warns vendors against using vulnerability info for marketing

posted onSeptember 9, 2014
by l33tdawg

Security advisories for OpenSSL should not be used for competitive advantage, according to the development project behind the widely used cryptography component.

The warning comes from the OpenSSL Project, which has published for the first time guidelines for how it internally handles security problems, part of an ongoing effort to strengthen the project following the Heartbleed security scare in April.

Vendors slow to patch OpenSSL vulnerabilities

posted onJune 30, 2014
by l33tdawg

Several key technology vendors are yet to fully patch against the OpenSSL cryptographic library used to secure networked communications, a leading Australian security researcher has warned.

The Heartbleed vulnerability in OpenSSL, first revealed to the public in April this year, makes it possible for attackers to tap into what was thought to be secure, encrypted communications unnoticed.

Surprise Android 'KitKat' update fixes nasty OpenSSL vuln

posted onJune 23, 2014
by l33tdawg

Android fans who are hoping Google will debut a new version of the OS at its annual I/O conference in San Francsico next week might be in for a disappointment ... because the company is rolling out a new version this week.

On Friday, the Chocolate Factory published firmware images of Android 4.4.4 – yes, we're still talking "KitKat" – for the Nexus 4 and 5 phones and the Nexus 7 and 10 fondleslabs. The build number of the new release is KTU84P.

OpenSSL fixes another severe vulnerability

posted onJune 5, 2014
by l33tdawg

The OpenSSL project has reported fixes for several vulnerabilities, at least one of them serious.

The most significant vulnerability is SSL/TLS MITM vulnerability (CVE-2014-0224). Unlike Heartbleed, which had been introduced into the program not long before, affects all versions of OpenSSL, including those that were patched to fix Heartbleed.