Security News

How to get affordable DV certificates for onion sites
2021-03-26 03:55

The Tor Project, the nonprofit developers of the Tor network and Tor Browser, have announced two exciting developments for onion services: affordable DV certificates for v3 onion sites from HARICA, and new, easy onion site setup guides. Onion sites are websites that are only accessible over the Tor network: you can spot them because they end in the TLD .onion.

OpenSSL fixes severe DoS, certificate validation vulnerabilities
2021-03-25 16:44

Today, the OpenSSL project has issued an advisory for two high-severity vulnerabilities, CVE-2021-3449 and CVE-2021-3450, lurking in OpenSSL products. CVE-2021-3450: An improper Certificate Authority certificate validation vulnerability which impacts both the server and client instances.

Phony COVID-19 vaccine certificates are now selling on the Dark Web
2021-03-23 13:59

A report released Tuesday by threat intelligence firm Check Point Research explains how phony COVID-19 vaccine documents are selling on the Dark Web and how to avoid these fake documents. For individuals who don't have such a certificate or can't wait for a vaccine, the Dark Web is becoming home to fake documents, according to Check Point's analysis.

GLEIF CA Stakeholder Group accelerates integration of LEIs in digital certificates
2021-03-15 01:30

GLEIF has launched a CA Stakeholder Group to facilitate communication between GLEIF, CAs and TSPs from across the world, as they collectively aim to coordinate and encourage a global approach to LEI usage across digital identity products. The collaboration announcement follows news last year that ISO has standardized the process of embedding LEIs in digital certificates.

Recent Google Voice outage caused by expired certificates
2021-02-28 14:25

In an incident report published on Friday, Google said that a Google Voice outage affecting a majority of the telephone service's users earlier this month was caused by expired TLS certificates. During regular operation, voice calls made through Google Voice are controlled using the Session Initiation Protocol, with client devices immediately retrying their connection to the service once it breaks.

Google Voice silenced by expired TLS certificate in February outage
2021-02-28 14:25

In an incident report published on Friday, Google said that a Google Voice outage affecting a majority of the telephone service's users earlier this month was caused by expired TLS certificates. During regular operation, voice calls made through Google Voice are controlled using the Session Initiation Protocol, with client devices immediately retrying their connection to the service once it breaks.

Let’s Encrypt Gears Up to Replace 200M Certificates a Day
2021-02-16 21:47

Let's Encrypt just announced an infrastructure makeover which means the open certificate authority is able to re-issue up to 200 million certificates in a 24-hour period, something the service said could be necessary in "some of the worst scenarios." The upgrade comes a year after Let's Encrypt was compromised by a Certification Authority Authorization bug and was forced to revoke 3 million Transport Layer Security certificates on a single day, March 4, potentially leaving the sites behind them insecure or unavailable.

Mimecast Discloses Certificate Incident Possibly Related to SolarWinds Hack
2021-01-13 12:03

Email security company Mimecast on Tuesday revealed that a sophisticated threat actor had obtained a certificate provided to certain customers. According to Mimecast, it learned from Microsoft that hackers had compromised a certificate used to authenticate Mimecast Continuity Monitor, Internal Email Protect, and Sync and Recover products with Microsoft 365 Exchange Web Services.

Hackers Steal Mimecast Certificate Used to Securely Connect with Microsoft 365
2021-01-13 00:41

Mimecast said on Tuesday that "a sophisticated threat actor" had compromised a digital certificate it provided to certain customers to securely connect its products to Microsoft 365 Exchange. The company didn't elaborate on what type of certificate was compromised, but Mimecast offers seven different digital certificates based on the geographical location that must be uploaded to M365 to create a server Connection in Mimecast.

Mimecast Certificate Hacked in Microsoft Email Supply-Chain Attack
2021-01-12 18:35

"First, if the stolen certificate was used for Mimecast customers to verify the validity of the servers their users connect to, it would allow an attacker that was able to man-in-the-middle the user-to-server connection to easily decrypt the encrypted data stream and access potentially sensitive information." Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told Threatpost that attackers could also possibly disable Office 365's Mimecast protections altogether to make an email-borne attack more effective.