background preloader

Ssl/https

Facebook Twitter

Letsencrypt/acme-spec. Launching in 2015: A Certificate Authority to Encrypt the Entire Web. Today EFF is pleased to announce Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.

Launching in 2015: A Certificate Authority to Encrypt the Entire Web

Although the HTTP protocol has been hugely successful, it is inherently insecure. Connect securely to https websites – Blog and info for the Perspectives project. LibreSSL: More Than 30 Days Later. Ted Unangst tedu@openbsd.org LibreSSL was officially announced to the world just about exactly five months ago.

LibreSSL: More Than 30 Days Later

Bob spoke at BSDCan about the first 30 days. For those who weren't there, I'll quickly rehash some of that material. Only a few days old, OpenSSL fork LibreSSL is declared “unsafe for Linux” The first "preview" release of OpenSSL alternative LibreSSL is out, and already a researcher says he has found a "catastrophic failure" in the version for Linux.

Only a few days old, OpenSSL fork LibreSSL is declared “unsafe for Linux”

The problem resides in the pseudo random number generator (PRNG) that LibreSSL relies on to create keys that can't be guessed even when an attacker uses extremely fast computers. SSL/TLS Strong Encryption: An Introduction - Apache HTTP Server. Available Languages: en | fr | ja As an introduction this chapter is aimed at readers who are familiar with the Web, HTTP, and Apache, but are not security experts.

SSL/TLS Strong Encryption: An Introduction - Apache HTTP Server

It is not intended to be a definitive guide to the SSL protocol, nor does it discuss specific techniques for managing certificates in an organization, or the important legal issues of patents and import and export restrictions. Rather, it is intended to provide a common background to mod_ssl users by pulling together various concepts, definitions, and examples as a starting point for further exploration. Cryptographic Techniques Understanding SSL requires an understanding of cryptographic algorithms, message digest functions (aka. one-way or hash functions), and digital signatures.

Cryptographic Algorithms. Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection. Throughout the recent months (and particularly: weeks), people have asked me how to properly secure their SSL/TLS communication, particularly on web servers.

Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection

At the same time I’ve started to look for good literature on SSL/TLS. I noticed that many of the “guides” on how to do a good SSL/TLS setup are actually cargo cult. Cargo cult is a really dangerous thing for two reasons: First of all, security is never a one-size-fits-all solution. Your setup needs to work in your environment, taking into account possible limitation imposed by hardware or software in your infrastructure. Apple’s #gotofail weekend – Ashkan Soltani. How does the NSA break SSL? A few weeks ago I wrote a long post about the NSA's 'BULLRUN' project to subvert modern encryption standards.

How does the NSA break SSL?

I had intended to come back to this at some point, since I didn't have time to discuss the issues in detail. But then things got in the way. A lot of things, actually. Some of which I hope to write about in the near future. Tor and HTTPS. Mitmproxy - home. How secure is HTTPS today? How often is it attacked? This is part 1 of a series on the security of HTTPS and TLS/SSL.

How secure is HTTPS today? How often is it attacked?

BREACH ATTACK. [PFS] SSL: Intercepted today, decrypted tomorrow. [September 2013: The Netcraft extension — for Firefox, Google Chrome, and Opera — now displays whether or not PFS is supported] Millions of websites and billions of people rely on SSL to protect the transmission of sensitive information such as passwords, credit card details, and personal information with the expectation that encryption guarantees privacy.

[PFS] SSL: Intercepted today, decrypted tomorrow

However, recently leaked documents appear to reveal that the NSA, the United States National Security Agency, logs very high volumes of internet traffic and retains captured encrypted communication for later cryptanalysis. The United States is far from the only government wishing to monitor encrypted internet traffic: Saudi Arabia has asked for help decrypting SSL traffic, China has been accused of performing a MITM attack against SSL-only GitHub, and Iran has been reported to be engaged in deep packet inspection and more, to name but a few. [RSA, PFS] Facebook's outmoded Web crypto opens door to NSA spying. Secret documents describing the National Security Agency's surveillance apparatus have highlighted vulnerabilities in outdated Web encryption used by Facebook and a handful of other U.S. companies.

[RSA, PFS] Facebook's outmoded Web crypto opens door to NSA spying

Documents leaked by former NSA contractor Edward Snowden confirm that the NSA taps into fiber optic cables "upstream" from Internet companies and vacuums up e-mail and other data that "flows past" -- a security vulnerability that "https" Web encryption is intended to guard against. But Facebook and a few other companies still rely on an encryption technique viewed as many years out of date, which cryptographers say the NSA could penetrate reasonably quickly after intercepting the communications. Facebook uses encryption keys with a length of only 1,024 bits, while Web companies including Apple, Microsoft, Twitter, Dropbox, and even Myspace have switched to exponentially more secure 2,048-bit keys. Sovereign Keys: A Proposal to Make HTTPS and Email More Secure. This is part 2 of a series on the security of HTTPS and TLS/SSL.

Sovereign Keys: A Proposal to Make HTTPS and Email More Secure

[Part 1] In a previous post, we discussed some structural insecurities in HTTPS and TLS/SSL, and how those are beginning to pose serious problems for the security of the Web. Hackers break SSL encryption used by millions of sites. High performance access to file storage Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Google preps Chrome fix to slay SSL-attacking BEAST. High performance access to file storage Google has prepared an update for its Chrome browser that protects users against an attack that decrypts data sent between browsers and many websites protected by the secure sockets layer protocol.

The fix, which has already been added to the latest developer version of Chrome, is designed to thwart attacks from BEAST, proof-of-concept code that its creators say exploits a serious weakness in the SSL protocol that millions of websites use to encrypt sensitive data. Tor and the BEAST SSL attack. Today, Juliano Rizzo and Thai Duong presented a new attack on TLS <= 1.0 at the Ekoparty security conference in Buenos Aires. Beta - Blog - The Background In the early 90’s, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well the intense pressure everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. NetCertScanner - Universal Network Based SSL Certificate Scanner. NetCertScanner is the enterprise software to scan & manage expired SSL Certificates on your local network or internet.

How to Deploy HTTPS Correctly. Firesheep, a week later: Ethics and Legality - codebutler. New paper - Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL. Gov't, certificate authorities conspire to spy on SSL users? - SSL is the cornerstone of secure Web browsing, enabling credit card and bank details to be used on the 'Net with impunity. We're all told to check for the little padlock in our address bars before handing over any sensitive information. SSL is also increasingly a feature of webmail providers, instant messaging, and other forms of online communication.