Security News

WeChat devs introduced security flaws when they modded TLS, say researchers
2024-10-17 08:31

No attacks possible, but enough issues to cause concern Messaging giant WeChat uses a network protocol that the app's developers modified – and by doing so introduced security weaknesses,...

Researchers Uncover TLS Bootstrap Attack on Azure Kubernetes Clusters
2024-08-20 09:36

Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and...

Shorter TLS certificate lifespans expected to complicate management efforts
2024-08-09 04:00

76% of security leaders recognize the pressing need to move to shorter certificate lifespans to improve security, according to Venafi. 81% of security leaders believe Google's proposed plans to shorten TLS certificate lifespans from 398 days to 90 days will amplify existing challenges they have around managing certificates.

Firefox's Mozilla follows Google in losing trust in Entrust's TLS certificates
2024-08-01 12:28

Mozilla is following in Google Chrome's footsteps in officially distrusting Entrust as a root certificate authority following what it says was a protracted period of compliance failures. Entrust has apologized to Google, Mozilla, and the wider web community, outlining its plans to regain the trust of browsers, but these appear to be unsatisfactory to both Google and Mozilla.

DigiCert mass-revoking TLS certificates due to domain validation bug
2024-07-30 15:02

DigiCert is warning that it will be mass-revoking SSL/TLS certificates due to a bug in how the company verified if a customer owned or operated a domain and requires impacted customers to reissue certificates within 24 hours. DigiCert is one of the prominent certificate authorities that provides SSL/TLS certificates, including Domain Validated, Organization Validated, and Extended Validation certificates.

Google Chrome's new post-quantum cryptography may break TLS connections
2024-04-28 14:19

Some ​Google Chrome users report having issues connecting to websites, servers, and firewalls after Chrome 124 was released last week with the new quantum-resistant X25519Kyber768 encapsulation mechanism enabled by default. Google started testing the post-quantum secure TLS key encapsulation mechanism in August and has now enabled it in the latest Chrome version for all users.

How Google’s 90-day TLS certificate validity proposal will affect enterprises
2024-04-11 05:00

Announced last year, Google's proposal to reduce the lifespan of TLS certificates from 13 months to 90 days could be implemented in the near future. As a result, the new 90-day TLS certificate lifespan proposed by Google will have far-reaching impacts on three areas of corporate IT: DevOps, security and operations.

Messaging Service Wiretap Discovered through Expired TLS Cert
2023-10-27 11:01

The suspected man-in-the-middle attack was identified when the administrator of jabber. Ru, the largest Russian XMPP service, received a notification that one of the servers' certificates had expired.

Microsoft calls time on ancient TLS in Windows, breaking own stuff in the process
2023-09-04 14:15

Microsoft has reminded users that TLS 1.0 and 1.1 will soon be disabled by default in Windows. SQL Server 2008 R2 finally dropped out of Extended Security Updates in July, although Microsoft has published instructions for adding TLS 1.2 support.

Microsoft reminds users Windows will disable insecure TLS soon
2023-09-03 14:20

Microsoft reminded users that insecure Transport Layer Security 1.0 and 1.1 protocols will be disabled soon in future Windows releases. The original TLS 1.0 specification and its TLS 1.1 successor have been used for nearly two decades, with TLS 1.0 initially introduced in 1999 and TLS 1.1 in 2006).