Free Republic

The internet connectivity on older tech devices and smart gadgets could stop working on Thursday after a key digital certificate required to access websites safely expires. Let's Encrypt, a nonprofit organization that is the largest issuer of digital certificates — which encrypts and protects the connection between devices and websites on the internet — will be forced to expire one of its most popular digital certificates, the IdentTrust DST Root CA X3, on Sept. 30.... ...This problem has flown under the radar of many manufacturers, including Big Tech companies Apple, Google, Sony, and Microsoft — none of which have made...

Cloudflare, a web infrastructure provider and content delivery network, is reportedly suffering outages resulting in major websites crashing across the internet. Multiple websites crashed worldwide today as one of the web’s most important infrastructure providers and content delivery networks, Cloudflare, suffered an outage. Cloudflare provides DNS and CDN services and powers approximately “40% of the internet.” The Cloudflare system status page stated that “the issue has been identified and a fix is being implemented.” The issue is reportedly related to the Cloudflare Resolver in the company’s edge network in certain locations. The outage struck at quite a few Cloudflare data...

Renewing an SSL certificate used to be easy. Basicly one click. Not necessarily so anymore. This one was a bear. Anyway, it appears our certificate is up and we're officially secure again! Thank you John!

Western democracies, especially the United States, just heaved a huge sigh of relief after getting word that United Kingdom PM Boris Johnson is dropping the controversial Chinese tech company, Huawei, as the nation's provider of 5G infrastructure. Although Johnson was in support of the Chinese tech giant laying the non-sensitive portions of 5G infrastructure, he said China's lack of transparency about coronavirus made the communist-run country untrustworthy. President Trump, Attorney General William Barr, Secretary of State Mike Pompeo and members of the so-called "Five-Eyes" countries that share intelligence information, brought huge pressure on the Brits to dump Huawei. The U.S....

As described in this paper "DROWN: Breaking TLS using SSLv2" (PDF), it is possible to crack current TLS encryption using an old, obsolete, but nevertheless still deployed protocol, SSLv2. This is a server-side issue -- it is not something clients (normal users) can do anything about. Folks browsing the web have to rely on the system admins at their favorite websites, mail portals, banks, shops, etc. to fix this. It is estimated that a third of the public servers on the Internet are vulnerable to this attack. You can test the servers in a given domain using this tool from...

No longer trusted. Google's products will no longer trust Symantec's digital certificates used to secure internet data communications, the company said. Starting 2 December Australian time, Symantec's Class 3 Public Primary Certificate Authority (CA) root certifcate is no longer trusted by Google in its Chrome web browser, Android mobile operating system and other products. Google software engineer Ryan Sleevi explained (https://googleonlinesecurity.blogspot.co.nz/2015/12/proactive-measures-in-digital.html) over the weekend Symantec intended to use the root certificate for reasons other than creating publicly trusted credentials. The certificate also no longer complies with the industry Certificate Authority/Browser Forum baseline requirements for best practice, Symantec said. As a...

Microsoft on Thursday confirmed that Windows was vulnerable to FREAK attacks, and researchers changed their tune, saying Internet Explorer (IE) users were at risk. The news was a turnabout from earlier in the week, when researchers initially fingered only Apple's iOS and OS X and Google's Android operating systems as those that could fall victim to cybercriminals spying on purportedly secure communications between browsers and website servers. By adding Windows to the list, the number of jeopardized users jumped dramatically: Windows powered 92% of all personal computers last month. In a security advisory released Thursday, Microsoft said Windows was, in...

A serious vulnerability in the popular OpenSSL cryptographic library has been discovered that allows attackers to steal information unnoticed. Known as the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys to protect the traffic. User names, passwords and the actual content of the communications can also be read. ... OpenSSL recommends that uses immediately upgrade to version 1.0.1g. If that's not possible, users should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag to remove the the heartbeat handshake. The 1.0.2 version of...

After having made a big push to increase the use of encrypted searches two years back, Internet search giant Google has apparently cut off keyword data altogether, and has confirmed that it is forwarding users to Google SSL Search even if they are not signed in. In a statement made earlier this week, Google said that all its users who had logged into its service - for example, to check Gmail - would be forwarded to the Google SSL Search, if they wanted to carry out some online search. With Google's statement revealing that the company has switched all searches...

The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users' private Web communications from eavesdropping. These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users. If the government obtains a company's master encryption key, agents could decrypt the contents of communications intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption -- which often appears...

Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who...

Most users ensure their Web sessions are using Secure Sockets Layer (SSL) before entering their credit card information, but less than half do so when typing their passwords onto a Web page, according to a new survey. Just what SSL does and doesn't do isn't clear to many users, and the way Websites implement it doesn't help: "The biggest issue is the general population doesn't know what SSL is, why they're using it, and it's ingrained in them that it always makes them secure, which is not always the case," says Tyler Reguly, senior security engineer for nCircle, who surveyed...

Security researchers have found some serious flaws in software that uses the SSL (Secure Sockets Layer) encryption protocol used to secure communications on the Internet.At the Black Hat conference in Las Vegas on Thursday, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers.This type of attack could let an attacker steal passwords, hijack an on-line banking session or even push out a Firefox browser update that contained malicious code, the researchers said.The problems lie in the way that many browsers have implemented SSL, and also in the X.509 public...

Website encryption has sustained another body blow, this time by an independent hacker who demonstrated a tool that can steal sensitive information by tricking users into believing they're visiting protected sites when in fact they're not.Unveiled Wednesday at the Black Hat security conference in Washington, SSLstrip works on public Wi-Fi networks, onion-routing systems, and anywhere else a man-in-the-middle attack is practical. It converts pages that normally would be protected by the secure sockets layer protocol into their unencrypted versions. It does this while continuing to fool both the website and the user into believing the security measure is still in...

BERLIN--A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers announced on Tuesday. They demonstrated how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss. The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not...

The former gang member recalls watching them spread the newly purchased machetes from Springfield Mall on the bed and marvel at their sexiness. With reggae music booming in the background, the South Side Locos gang members began touching the steel blades and gripping the black handles.They wanted revenge. One of their own, a 16-year-old boy, had just been brutally attacked in the Alexandria area by machete-wielding rivals in Mara Salvatrucha, the dominant gang in Northern Virginia. He had lost four fingers trying to shield his head from the blows, an incident so gruesome, audacious - and seemingly new - that...

Swiss researchers pirate the principal system of safety Internet Researchers of federal polytechnic Ecole of Lausanne (FPSL, Switzerland) found a fault in the most widespread system of securisation of the transactions by Internet, the SSL (Secure Socket Layer), famous up to now inviolable, announced Thursday EPFL.Ces researchers showed that it was possible to recognize in less than one hour the password used by a Net surfer to connect itself to a commercial service of sale or on its bank account in ligne."Nous are the first to have discovered this weakness of protocol SSL, the process of securisation most usually...

Digital signatures can easily be forged and therefore can't be trusted in Outlook because of the same certificate chaining issue plaguing Internet Explorer, researcher Mike Benham says. Benham is responsible for discovering and publicizing the IE debacle, where SSL certs can be signed by an untrusted intermediary without warning to the end user, as we reported earlier. Now after a bit of further tinkering it appears that the same design flaw can be used against Outlook users. Briefly, an attacker would sign an untrusted cert with a trusted, intermediate one. Of course, just because the cert doing the signing is...