Security News
Russia is offering its own trusted Transport Layer Security certificate authority to replace certificates that need to be renewed by foreign countries. According to a notice on Russia's public service portal, Gosuslugi, as shown in a translated version in this article's featured art, the certificates will replace foreign security certs if they expire or get yanked by foreign CAs.
Russia has created its own trusted TLS certificate authority to solve website access problems that have been piling up after sanctions prevent certificate renewals. The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates.
Apple has deprecated the insecure Transport Layer Security 1.0 and 1.1 protocols in recently launched iOS and macOS versions and plans to remove support in future releases altogether. The original TLS 1.0 specification and its TLS 1.1 successor have been used for almost 20 years.
The OpenSSL Project has released OpenSSL 3.0, a major new stable version of the popular and widely used cryptography library. OpenSSL contain an open-source implementation of the SSL and TLS protocols, which provide the ability to secure communications across networks.
The bad news, of course, is that ALPACA is a vulnerability nevertheless, or more precisely a family of vulnerabilities, and it exists because we, as an internet community, haven't been quite as careful or as precise as perhaps we should have been when setting up our servers to use TLS in the first place. The researchers discovered that millions of network domains out there not only use TLS on multiple servers for multiple different purposes, such as securing both HTTP and SMTP, but also often fail to keep the verification part of the TLS process separate for the different services they offer.
Researchers have disclosed a new type of attack that exploits misconfigurations in transport layer security servers to redirect HTTPS traffic from a victim's web browser to a different TLS service endpoint located on another IP address to steal sensitive information. The attacks have been dubbed ALPACA, short for "Application Layer Protocol Confusion - Analyzing and mitigating Cracks in tls Authentication," by a group of academics from Ruhr University Bochum, Münster University of Applied Sciences, and Paderborn University.
Researchers from three universities in Germany have identified a new TLS attack method that can allow a man-in-the-middle attacker to extract user data or execute arbitrary code. The new attack, dubbed ALPACA, has been described as an "Application layer protocol content confusion attack."
Academics from three German universities have found a vulnerability in the Transport Layer Security protocol that under limited circumstances allows the theft of session cookies and enables cross-site scripting attacks. Because TLS does not bind TCP connections to the desired application layer protocol, there's an opportunity for a miscreant-in-the-middle attack to redirect TLS traffic to a different endpoint at another IP address or port.
Ten years ago, even the biggest and most popular online services in the world, such as Facebook, Gmail and Hotmail didn't use TLS all the time - it was thought to be too complicated, too slow, and not always necessary. These days we expect our web browsing to be protected by TLS all the time.
British infosec biz Sophos reckons just under half of malware traffic it saw in the wild during the opening three months of 2021 alone was using Transport Layer Security to encrypt both its command-and-control traffic and data exfiltration. He was open about this only being traffic observed by Sophos, meaning the true worldwide figure for TLS-encrypted malware traffic could differ.