Security News

Russia Issues Its Own TLS Certs
2022-03-11 18:34

Russia is offering its own trusted Transport Layer Security certificate authority to replace certificates that need to be renewed by foreign countries. According to a notice on Russia's public service portal, Gosuslugi, as shown in a translated version in this article's featured art, the certificates will replace foreign security certs if they expire or get yanked by foreign CAs.

Russia creates its own TLS certificate authority to bypass sanctions
2022-03-10 16:06

Russia has created its own trusted TLS certificate authority to solve website access problems that have been piling up after sanctions prevent certificate renewals. The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates.

Apple will disable insecure TLS in future iOS, macOS releases
2021-09-22 16:59

Apple has deprecated the insecure Transport Layer Security 1.0 and 1.1 protocols in recently launched iOS and macOS versions and plans to remove support in future releases altogether. The original TLS 1.0 specification and its TLS 1.1 successor have been used for almost 20 years.

OpenSSL 3.0: A new FIPS module, new algorithms, support for Linux Kernel TLS, and more
2021-09-09 10:56

The OpenSSL Project has released OpenSSL 3.0, a major new stable version of the popular and widely used cryptography library. OpenSSL contains an open-source implementation of the SSL and TLS protocols, which provide the ability to secure communications across networks.

ALPACA – the wacky TLS security vulnerability with a funky name
2021-06-11 18:17

The bad news, of course, is that ALPACA is a vulnerability nevertheless, or more precisely a family of vulnerabilities, and it exists because we, as an internet community, haven't been quite as careful or as precise as perhaps we should have been when setting up our servers to use TLS in the first place. The researchers discovered that millions of network domains out there not only use TLS on multiple servers for multiple different purposes, such as securing both HTTP and SMTP, but also often fail to keep the verification part of the TLS process separate for the different services they offer.

New TLS Attack Lets Attackers Launch Cross-Protocol Attacks Against Secure Sites
2021-06-10 21:00

Researchers have disclosed a new type of attack that exploits misconfigurations in transport layer security servers to redirect HTTPS traffic from a victim's web browser to a different TLS service endpoint located on another IP address to steal sensitive information. The attacks have been dubbed ALPACA, short for "Application Layer Protocol Confusion - Analyzing and mitigating Cracks in TLS Authentication," by a group of academics from Ruhr University Bochum, Münster University of Applied Sciences, and Paderborn University.

ALPACA: New TLS Attack Allows User Data Extraction, Code Execution
2021-06-10 11:26

Researchers from three universities in Germany have identified a new TLS attack method that can allow a man-in-the-middle attacker to extract user data or execute arbitrary code. The new attack, dubbed ALPACA, has been described as an "Application layer protocol content confusion attack."

ALPACA gnaws through TLS protection to snarf cookies and steal data
2021-06-10 00:07

Academics from three German universities have found a vulnerability in the Transport Layer Security protocol that under limited circumstances allows the theft of session cookies and enables cross-site scripting attacks. Because TLS does not bind TCP connections to the desired application layer protocol, there's an opportunity for a miscreant-in-the-middle attack to redirect TLS traffic to a different endpoint at another IP address or port.

When cryptography attacks – how TLS helps malware hide in plain sight
2021-04-21 18:33

Ten years ago, even the biggest and most popular online services in the world, such as Facebook, Gmail and Hotmail, didn't use TLS all the time - it was thought to be too complicated, too slow, and not always necessary. These days we expect our web browsing to be protected by TLS all the time.

Half of Q1's malware traffic observed by Sophos was TLS encrypted, hiding inside legit requests to legit services
2021-04-21 13:32

British infosec biz Sophos reckons just under half of malware traffic it saw in the wild during the opening three months of 2021 alone was using Transport Layer Security to encrypt both its command-and-control traffic and data exfiltration. He was open about this only being traffic observed by Sophos, meaning the true worldwide figure for TLS-encrypted malware traffic could differ.