Security News

cert-manager: Automatically provision and manage TLS certificates in Kubernetes
2022-10-24 03:30

Cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters and simplifies the process of obtaining, renewing, and using those certificates. Cert-manager is an open-source project that automates the issuance and renewal of X.509 certificates for cloud-native Kubernetes or OpenShift environments.

THE TLS CERTIFICATE MANAGEMENT BEST PRACTICES CHECKLIST
2022-10-14 00:00

In the last year, 60% of organizations suffered a certificate related outage that impacted their critical business applications. These outages are now costing large corporations an average of $5,600 per minute, damaging reputation and growth rates.

OpenSSL patches infinite-loop DoS bug in certificate verification
2022-03-18 19:59

Amusingly, if we're allowed to say that, the bug only gets triggered if a program decides to do the right thing when making or accepting a secure connection, and verifies the cryptographic certificate supplied by the other end. The OpenSSL implementation of the Tonelli-Shanks algorithm had a bug problem that was unlikely to show up in normal use, but could be triggered on purpose by feeding in data that would force the code to misbehave.

Russian Pushing New State-run TLS Certificate Authority to Deal With Sanctions
2022-03-15 20:11

The Russian government has established its own TLS certificate authority to address issues with accessing websites that have arisen in the wake of sanctions imposed by the west following the country's unprovoked military invasion of Ukraine. According to a message posted on the Gosuslugi public services portal, the Ministry of Digital Development is expected to provide a domestic replacement to handle the issuance and renewal of TLS certificates should they get revoked or expired.

Russia creates its own TLS certificate authority to bypass sanctions
2022-03-10 16:06

Russia has created its own trusted TLS certificate authority to solve website access problems that have been piling up after sanctions prevent certificate renewals. The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates.

Malware now using stolen NVIDIA code signing certificates
2022-03-05 20:45

Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. The leak includes two stolen code-signing certificates used by NVIDIA developers to sign their drivers and executables.

Malware now using NVIDIA's stolen code signing certificates
2022-03-05 20:45

Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. The leak includes two stolen code-signing certificates used by NVIDIA developers to sign their drivers and executables.

Experts urge EU not to force insecure certificates in web browsers
2022-03-04 20:00

The particular provision requires web browsers like Chrome, Safari, and Firefox to accept QWACs, which practically compels browser developers and security advocates to ease their security stance. TLS certificates are vital for the online exchange of sensitive information with websites such as passwords, sensitive uploads, or payment details.

Alert: Let's Encrypt to revoke about 2 million HTTPS certificates in two days
2022-01-26 21:26

Let's Encrypt, a non-profit organization that helps people obtain free SSL/TLS certificates for websites, plans to revoke a non-trivial number of its certs on Friday because they were improperly issued. In a post to the Let's Encrypt discussion community forum, site reliability engineer Jillian Tessa explained that on Tuesday, a third party reported "Two irregularities" in the code implementing the "TLS Using ALPN" validation method in Boulder, its Automatic Certificate Management Environment software.

Let's Encrypt is revoking lots of SSL certificates in two days
2022-01-26 10:38

Let's Encrypt will begin revoking certain SSL/TLS certificates issued within the last 90 days starting January 28, 2022. As a non-profit certificate authority run by Internet Security Research Group, Let's Encrypt provides X.509 certificates for Transport Layer Security encryption at no cost.