/ SUBMIT / SEARCH / STORE / MENU
Cory Doctorow / 1:54 pm Tue, Feb 26, 2019

A finance industry group is pushing an intentionally broken cryptography "standard" called ETS

ETS was originally called "Enterprise TLS," implying that it was an "enterprise-grade" version of TLS, the system used to secure internet sessions (if you visit a URL that starts with "https://", it's being protected with TLS). Read the rest

Cory Doctorow / 9:44 am Mon, Apr 2, 2018

Cloudflare's 1.1.1.1: an encrypted, privacy-protecting DNS service

Cloudflare, a company with a history of resisting surveillance and censorship orders (albeit imperfectly and sometimes with undesirable consequences) has announced a new DNS service, hosted at the easy-to-remember address of 1.1.1.1, which accepts connections under the still-novel DNS-over-HTTPS protocol, and which has privacy designed in, with all logs written only to RAM (never to disk) and flushed every 24 hours. Read the rest

Cory Doctorow / 1:38 pm Sun, Mar 4, 2018

CEO of Trustico emails 23,000 HTTPS private keys, triggering panicked mass-revocation

On Tuesday, the CEO of UK certificate reseller Trustico decided to settle an argument with Digicert executive VP Jeremy Rowley by emailing him the private keys for 23,000 TLS certificates that had been issued by Symantec's disgraced Certificate Authority, to prove they had been compromised. Read the rest

Cory Doctorow / 7:56 am Wed, Feb 10, 2016

Gmail will warn you when your correspondents use unencrypted mail transport

A basic best-practice for email servers is to use TLS (Transport Layer Security) when they connect to one another, which guards against "man in the middle" attacks that would allow attackers to read or change emails while they travel between mail-servers. Read the rest

Cory Doctorow / 10:02 am Mon, Nov 23, 2015

Not just Lenovo: Dell ships computers with self-signed root certificates

Last February, Lenovo shocked its security-conscious customers by pre-installing its own, self-signed root certificates on the machines it sold. These certificates, provided by a spyware advertising company called Superfish, made it possible for attackers create "secure" connections to undetectable fake versions of banking sites, corporate intranets, webmail providers, etc. Read the rest

Cory Doctorow / 7:56 am Sun, Nov 1, 2015

Chrome won't trust Symantec-backed SSL as of Jun 1 unless they account for bogus certs

In September, Google caught Symantec issuing a fake google.com cryptographic certificate that could have been used to seamlessly intercept encrypted Google.com traffic. Symantec is one of the participants in Certificate Transparency, through which all new certificates issued and seen in the wild are logged to append-only, cryptographically provable logs, which create irrefutable audit trails for any bogus certs issued/discovered. Read the rest

Cory Doctorow / 12:16 am Sat, Sep 19, 2015

Symantec caught issuing rogue Google.com certificates

Your browser trusts SSL certificates from hundreds of "Certificate Authorities," each of which is supposed to exercise the utmost caution before issuing them -- a rogue cert would allow a criminal or a government to act as a man-in-the-middle between you and your bank, email provider, or employer, undetectably intercepting communications that you believed to be secure. Read the rest