Security News

In the last year, 60% of organizations suffered a certificate related outage that impacted their critical business applications. These outages are now costing large corporations an average of $5,600 per minute, damaging reputation and growth rates.

Amusingly, if we're allowed to say that, the bug only gets triggered if a program decides to do the right thing when making or accepting a secure connection, and verifies the cryptographic certificate supplied by the other end. The OpenSSL implementation of the Tonelli-Shanks algorithm had a bug problem that was unlikely to show up in normal use, but could be triggered on purpose by feeding in data that would force the code to misbehave.

The Russian government has established its own TLS certificate authority to address issues with accessing websites that have arisen in the wake of sanctions imposed by the west following the country's unprovoked military invasion of Ukraine. According to a message posted on the Gosuslugi public services portal, the Ministry of Digital Development is expected to provide a domestic replacement to handle the issuance and renewal of TLS certificates should they get revoked or expired.

Russia has created its own trusted TLS certificate authority to solve website access problems that have been piling up after sanctions prevent certificate renewals. The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates.

Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. The leak includes two stolen code-signing certificates used by NVIDIA developers to sign their drivers and executables.

Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. The leak includes two stolen code-signing certificates used by NVIDIA developers to sign their drivers and executables.

The particular provision requires web browsers like Chrome, Safari, and Firefox to accept QWACs, which practically compels browser developers and security advocates to ease their security stance. TLS certificates are vital for the online exchange of sensitive information with websites such as passwords, sensitive uploads, or payment details.

Let's Encrypt, a non-profit organization that helps people obtain free SSL/TLS certificates for websites, plans to revoke a non-trivial number of its certs on Friday because they were improperly issued. In a post to the Let's Encrypt discussion community forum, site reliability engineer Jillian Tessa explained that on Tuesday, a third party reported "Two irregularities" in the code implementing the "TLS Using ALPN" validation method in Boulder, its Automatic Certificate Management Environment software.

Let's Encrypt will begin revoking certain SSL/TLS certificates issued within the last 90 days starting January 28, 2022. As a non-profit certificate authority run by Internet Security Research Group, Let's Encrypt provides X.509 certificates for Transport Layer Security encryption at no cost.

Another CISO walks into a board meeting and muddles through stats showing their compliance status. In the classic risk management equation of Risk = Threat x Vulnerability, I have no control over the threat actor's motivation, skill, or resources.