Hack-attacks with stolen certs tell you the future of FBI vs Apple

056c026d-1c66-4d42-9fae-a8e96df290c5-1020x989

Since 2014, Suckfly, a hacker group apparently based in Chengdu, China, has used at least 9 signing certs to make their malware indistinguishable from official updates from the vendor. Read the rest

Using distributed code-signatures to make it much harder to order secret backdoors

056c026d-1c66-4d42-9fae-a8e96df290c5-1020x985

Cothority is a new software project that uses "multi-party cryptographic signatures" to make it infinitely harder for governments to order companies to ship secret, targeted backdoors to their products as innocuous-looking software updates. Read the rest

Chrome won't trust Symantec-backed SSL as of Jun 1 unless they account for bogus certs

why-symantec-ssl-certificates-are-1-1-638

In September, Google caught Symantec issuing a fake google.com cryptographic certificate that could have been used to seamlessly intercept encrypted Google.com traffic. Symantec is one of the participants in Certificate Transparency, through which all new certificates issued and seen in the wild are logged to append-only, cryptographically provable logs, which create irrefutable audit trails for any bogus certs issued/discovered. Read the rest

Symantec caught issuing rogue Google.com certificates

why-symantec-ssl-certificates-are-1-1-638

Your browser trusts SSL certificates from hundreds of "Certificate Authorities," each of which is supposed to exercise the utmost caution before issuing them -- a rogue cert would allow a criminal or a government to act as a man-in-the-middle between you and your bank, email provider, or employer, undetectably intercepting communications that you believed to be secure. Read the rest

Fake Google subdomain certificates found in the wild

An Indian certificate authority in the Microsoft root of trust has been caught issuing fake Google subdomain certificates that would allow nearly undetectable eavesdropping on "secure" connections to services like Google Docs. Read the rest