/ SUBMIT / SEARCH / STORE / MENU
Cory Doctorow / 12:59 pm Thu, Nov 29, 2018

Sennheiser's headphone drivers covertly changed your computer's root of trust, leaving you vulnerable to undetectable attacks

Your computer ships with a collection of trusted cryptographic certificates, called its "root of trust," which are consulted to verify things like SSL connections and software updates. Read the rest

Cory Doctorow / 1:38 pm Sun, Mar 4, 2018

CEO of Trustico emails 23,000 HTTPS private keys, triggering panicked mass-revocation

On Tuesday, the CEO of UK certificate reseller Trustico decided to settle an argument with Digicert executive VP Jeremy Rowley by emailing him the private keys for 23,000 TLS certificates that had been issued by Symantec's disgraced Certificate Authority, to prove they had been compromised. Read the rest

Cory Doctorow / 10:26 am Wed, Sep 13, 2017

4-10% of encrypted web connections are man-in-the-middled and intercepted

Cloudflare's joint research with "a large e-commerce site" and Mozilla found that between 4-10% of secure, encrypted web connections are "intercepted," largely by corporate antivirus software that inserts its own certificates into users' browsers, allowing it to scan all traffic entering workers' computers. Read the rest

Cory Doctorow / 8:12 am Tue, Jul 11, 2017

Cheating Chinese certificate authorities, caught by Certificate Transparency, will get the death penalty

In 2012, Google introduced Certificate Transparency, an internet-wide tripwire system designed to catch cryptographic "certificate authorities" who abused their position to produce counterfeit credentials that would allow criminals, governments and police to spy on and tamper with secure internet connections. Read the rest

Cory Doctorow / 5:12 am Fri, Mar 24, 2017

Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities

In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt "Certificate Authorities," the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger -- bad certificates could allow anything from eavesdropping on financial transactions to spoofing industrial control systems into accepting malicious software updates. Read the rest

Cory Doctorow / 5:21 am Sat, Nov 5, 2016

Chrome is about to start warning users that non-HTTPS sites are insecure

An imminently forthcoming version of Google's Chrome browser will flip the way that browsers convey information about privacy and security to users: instead of discreetly informing users that the HTTPS-enabled sites they're browsing are more secure, they'll flag any non-HTTPS site as insecure, with a series of escalating alerts that will end -- at some unspecified date -- by displaying an exclamation point inside red triangle and the letters HTTP next to the web addresses of non-HTTPS sites. Read the rest

Cory Doctorow / 10:21 am Mon, Oct 24, 2016

UAE surveillance contractor is recruiting an army of foreign hackers to break into its citizens' devices

The world's most sophisticated security experts have been bombarded with recruiting offers from UAE-based company Darkmatter, which bills itself as a major state security contractor -- but people who've taken the bait say they were then told that they were being hired to weaponize huge arsenals of zero-day vulnerabilities so that the UAE can subject its own population to fine-grained, continuous surveillance. Read the rest