Remember Darkmatter, the UAE-based cybermercenaries who worked with the beltway bandit firm Cyberpoint to recruit ex-NSA spies to infiltrate and expose dissidents, journalists, even children who opposed the despotic regime in the Emirates? (Darkmatter is also one of the least-discriminating cybermercenary bands in the world, available to help torturers, murderers and thugs hang onto power by attacking opposition movements and letting the secret police know who to arrest, torture and kill).
Read the rest “This is bad: the UAE's favorite sleazeball cybermercenaries have applied for permission to break Mozilla's web encryption”
The news that Facebook had spent years paying teens to install a surveillance kit called "Facebook Research" had a key detail: as part of the program, Facebook had its users install a new "root certificate."
Read the rest “Installing a root certificate should be MUCH scarier”
Your computer ships with a collection of trusted cryptographic certificates, called its "root of trust," which are consulted to verify things like SSL connections and software updates.
Read the rest “Sennheiser's headphone drivers covertly changed your computer's root of trust, leaving you vulnerable to undetectable attacks”
On Tuesday, the CEO of UK certificate reseller Trustico decided to settle an argument with Digicert executive VP Jeremy Rowley by emailing him the private keys for 23,000 TLS certificates that had been issued by Symantec's disgraced Certificate Authority, to prove they had been compromised.
Read the rest “CEO of Trustico emails 23,000 HTTPS private keys, triggering panicked mass-revocation”
Cloudflare's joint research with "a large e-commerce site" and Mozilla found that between 4% and 10% of secure, encrypted web connections are "intercepted," largely by corporate antivirus software that inserts its own certificates into users' browsers, allowing it to scan all traffic entering workers' computers.
Read the rest “4-10% of encrypted web connections are man-in-the-middled and intercepted”
In 2012, Google introduced Certificate Transparency, an internet-wide tripwire system designed to catch cryptographic "certificate authorities" who abused their position to produce counterfeit credentials that would allow criminals, governments and police to spy on and tamper with secure internet connections.
Read the rest “Cheating Chinese certificate authorities, caught by Certificate Transparency, will get the death penalty”
In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt "Certificate Authorities," the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger -- bad certificates could allow anything from eavesdropping on financial transactions to spoofing industrial control systems into accepting malicious software updates.
Read the rest “Google: Chrome will no longer trust Symantec certificates, 30% of the web will need to switch Certificate Authorities”
An imminently forthcoming version of Google's Chrome browser will flip the way that browsers convey information about privacy and security to users: instead of discreetly informing users that the HTTPS-enabled sites they're browsing are more secure, they'll flag any non-HTTPS site as insecure, with a series of escalating alerts that will end -- at some unspecified date -- by displaying an exclamation point inside a red triangle and the letters HTTP next to the web addresses of non-HTTPS sites.
Read the rest “Chrome is about to start warning users that non-HTTPS sites are insecure”
The world's most sophisticated security experts have been bombarded with recruiting offers from UAE-based company Darkmatter, which bills itself as a major state security contractor -- but people who've taken the bait say they were then told that they were being hired to weaponize huge arsenals of zero-day vulnerabilities so that the UAE can subject its own population to fine-grained, continuous surveillance.
Read the rest “UAE surveillance contractor is recruiting an army of foreign hackers to break into its citizens' devices”