SSL Certificate | Breaking Cybersecurity News | The Hacker News

Mimecast said on Tuesday that "a sophisticated threat actor" had compromised a digital certificate it provided to certain customers to securely connect its products to Microsoft 365 (M365) Exchange. The discovery was made after the breach was notified by Microsoft, the London-based company  said in an alert  posted on its website, adding it's reached out to the impacted organizations to remediate the issue. The company didn't elaborate on what type of certificate was compromised, but Mimecast offers  seven different digital certificates  based on the geographical location that must be uploaded to M365 to create a server Connection in Mimecast. "Approximately 10 percent of our customers use this connection," the company said. "Of those that do, there are indications that a low single digit number of our customers' M365 tenants were targeted." Mimecast is a cloud-based email management service for Microsoft Exchange and Microsoft Office 365

A group of researchers has detailed a new timing vulnerability in Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions. Dubbed " Raccoon Attack ," the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communications between two parties. "The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret," the researchers explained their findings in a paper. "If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem." However, the academics stated that the vulnerability is hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable.

The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

Starting today, the lifespan of new TLS certificates will be limited to 398 days, a little over a year, from the previous maximum certificate lifetime of 27 months (825 days). In a move that's meant to boost security, Apple, Google, and Mozilla are set to reject publicly rooted digital certificates in their respective web browsers that expire more than 13 months (or 398 days) from their creation date. The lifespan of SSL/TLS certificates has shrunk significantly over the last decade. In 2011, the Certification Authority Browser Forum (CA/Browser Forum), a consortium of certification authorities and vendors of browser software, imposed a limit of five years, bringing down the certificate validity period from 8-10 years. Subsequently, in 2015, it was cut short to three years and to two years again in 2018. Although the proposal to reduce certificate lifetimes to one year was shot down in a ballot last September , the measure has been overwhelmingly supported by the browser

The most popular free certificate signing authority Let's Encrypt is going to revoke more than 3 million TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software. The bug, which Let's Encrypt confirmed on February 29 and was fixed two hours after discovery, impacted the way it checked the domain name ownership before issuing new TLS certificates. As a result, the bug opened up a scenario where a certificate could be issued even without adequately validating the holder's control of a domain name. The Certification Authority Authorization (CAA), an internet security policy, allows domain name holders to indicate to certificate authorities (CAs) whether or not they are authorized to issue digital certificates for a specific domain name. Let's Encrypt considers domain validation results good only for 30 days from the time of validation, after which it rechecks the CAA record authorizing t

Let's Encrypt, a free, automated, and open certificate signing authority (CA) from the nonprofit Internet Security Research Group (ISRG), has said it's issued a billion certificates since its launch in 2015. The CA issued its first certificate in September 2015, before eventually reaching 100 million in June 2017. Since late last year, Let's Encrypt has issued at least 1.2 million certificates each day. The development comes as over 80 percent of the web page loads have begun using HTTPS worldwide , and 91 percent in the US alone. HTTPS, the default means of secure communication on the internet, comes with three benefits: authentication, integrity, and encryption. It allows HTTP requests to be transmitted over a secure encrypted channel, thus protecting users from an array of malicious activities, including site forgery and content manipulation. "Since 2017, browsers have started requiring HTTPS for more features, and they've greatly improved the way

Imperva, one of the leading cybersecurity startups that helps businesses protect critical data and applications from cyberattacks, has suffered a data breach that has exposed sensitive information for some of its customers, the company revealed today. The security breach particularly affects customers of Imperva's Cloud Web Application Firewall (WAF) product, formerly known as Incapsula , a security-focused CDN service known for its DDoS mitigation and web application security features that protect websites from malicious activities. In a blog post published today, Imperva CEO Chris Hylen revealed that the company learned about the incident on August 20, 2019, only after someone informed it about the data exposure that "impacts a subset of customers of its Cloud WAF product who had accounts through September 15, 2017." The exposed data includes email addresses and hashed and salted passwords for all Cloud WAF customers who registered before 15th September 2017

All major web browsers, including Google Chrome, Apple Safari, Microsoft Edge, Internet Explorer, and Mozilla Firefox, altogether today announced to soon remove support for TLS 1.0 (20-year-old) and TLS 1.1 (12-year-old) communication encryption protocols. Developed initially as Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) is an updated cryptographic protocol used to establish a secure and encrypted communications channel between clients and servers. There are currently four versions of the TLS protocol—TLS 1.0, 1.1, 1.2 and 1.3 ( latest )—but older versions, TLS 1.0 and 1.1, are known to be vulnerable to a number of critical attacks, such as  POODLE  and  BEAST . Since TLS implementation in all major web browsers and applications supports downgrade negotiation process, it leaves an opportunity for attackers to exploit weaker protocols even if a server supports the latest version. All Major Web Browsers Will Remove TLS 1.0 and TLS 1.1 Support in 2020

Starting today with the release of Chrome 68, Google Chrome prominently marks all non-HTTPS websites as 'Not Secure' in its years-long effort to make the web a more secure place for Internet users. So if you are still running an insecure HTTP (Hypertext Transfer Protocol) website, many of your visitors might already be greeted with a 'Not Secure' message on their Google Chrome browser warning them that they can't trust your website to be secure. By displaying ' Not Secure ,' Google Chrome means that your connection is not secure because there is no SSL Certificate to encrypt your connection between your computer and the website's server. So, anything sent over a non-HTTPS connection is in plain text, like your password or payment card information, allowing attackers to snoop or tamper with your data. The non-https connection has been considered dangerous particularly for web pages that transfer sensitive information—like login pages and payment

As a punishment announced last October, Google will no longer trust SSL/TLS certificate authorities WoSign and its subsidiary StartCom with the launch of Chrome 61 for not maintaining the "high standards expected of CAs." The move came after Google was notified by GitHub's security team on August 17, 2016, that Chinese Certificate Authority WoSign had issued a base certificate for one of GitHub's domains to an unnamed GitHub user without authorization. After this issue had been reported, Google conducted an investigation in public as a collaboration with Mozilla and the security community, which uncovered several other cases of WoSign misissuance of certificates. As a result, the tech giant last year began limiting its trust of certificates backed by WoSign and StartCom to those issued before October 21st, 2016 and has been removing whitelisted hostnames over the course of several Chrome releases since Chrome 56. Now, in a Google Groups post published

A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers to deliver and manage Symantec SSL certificates. The flaw, discovered by Chris Byrne, an information security consultant and instructor for Cloud Harmonics, could allow an unauthenticated attacker to retrieve other persons' SSL certificates, including public and private keys, as well as to reissue or revoke those certificates. Even without revoking and reissuing a certificate, attackers can conduct "man-in-the-middle" attack over the secure connections using stolen SSL certs, tricking users into believing they are on a legitimate site when in fact their SSL traffic is being secretly tampered with and intercepted. "All you had to do was click a link sent in [an] email, and you could retrieve a cert, revoke a cert, and re-issue a cert," Byrne wrote in a Facebook post published over the weekend. Symantec knew of API Flaws Si

Google announced its plans to punish Symantec by gradually distrusting its SSL certificates after the company was caught improperly issuing 30,000 Extended Validation (EV) certificates over the past few years. The Extended Validation (EV) status of all certificates issued by Symantec-owned certificate authorities will no longer be recognized by the Chrome browser for at least a year until Symantec fixes its certificate issuance processes so that it can be trusted again. Extended validation certificates are supposed to provide the highest level of trust and authentication, where before issuing a certificate, Certificate Authority must verify the requesting entity's legal existence and identity. The move came into effect immediately after Ryan Sleevi, a software engineer on the Google Chrome team, made this announcement on Thursday in an online forum . "This is also coupled with a series of failures following the previous set of misissued certificates from Symantec, c

In an effort to expand its certificate authority capabilities and build the "foundation of a more secure web," Google has finally launched its root certificate authority. In past few years, we have seen Google taking many steps to show its strong support for sites using HTTPS, like: Giving more preference to HTTPS websites in its search rankings than others. Warning users that all HTTP pages are not secure. Starting an industry-wide initiative, Certificate Transparency − an open framework to log, audit, and monitor certificates that CAs have issued. However, Google has been relying on an intermediate Certificate Authority (Google Internet Authority G2 - GIAG2) issued by a third party, with the latest suppliers being GlobalSign and GeoTrust, which manages and deploys certificates to Google's products and services. Google announced Thursday the creation of its own certified, and independent Root Certificate Authority called Google Trust Services , allowing

As announced on Tuesday, the OpenSSL project team released OpenSSL version 1.1.0c that addresses three security vulnerabilities in its software. The most serious of all is a heap-based buffer overflow bug (CVE-2016-7054) related to Transport Layer Security (TLS) connections using *-CHACHA20-POLY1305 cipher suites. The vulnerability, reported by Robert Święcki of the Google Security Team on September 25, can lead to DoS attack by corrupting larger payloads, resulting in a crash of OpenSSL. The severity of the flaw is rated "High" and does not affect OpenSSL versions prior to 1.1.0. However, the OpenSSL team reports there is no evidence that the flaw is exploitable beyond a DoS attack. The OpenSSL project also patches a moderate severity flaw (CVE-2016-7053) that can cause applications to crash. "Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0

The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks. OpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well as other secure services. The vulnerabilities exist in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0 and patched in OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u. The Critical-rated bug ( CVE-2016-6304 ) can be exploited by sending a large OCSP Status Request extension on the targeted server during connection negotiations, which causes memory exhaustion to launch DoS attacks, the OpenSSL Project said . What is OCSP Protocol? OCSP (Online Certificate Status Protocol), supported by all modern web browsers, is a protocol designed to perform verification and obtain the revocation status of a digital

A Chinese certificate authority (CA) appeared to be making a significant security blunder by handing out duplicate SSL certificates for a base domain if someone just has control over its any subdomain. The certificate authority, named WoSign , issued a base certificate for the Github domains to an unnamed GitHub user. But How? First of all, do you know, the traditional Digital Certificate Management System is the weakest link on the Internet today and has already been broken? Billions of Internet users blindly rely on hundreds of Certificate Authorities (CA) around the globe to ensure the confidentiality and integrity of their personal data. But, these CAs have powers to issue valid SSL cert for any domain you own, despite the fact you already have one purchased from another CA. ...and that's the biggest loophole in the CA system. In the latest case as well, WoSign issued a duplicate SSL certificate for GitHub domains without verifying ownership of the base domain.

If you have installed Trend Micro's Antivirus on your Windows computer, then Beware. Your computer can be remotely hijacked, or infected with any malware by even through a website – Thanks to a critical vulnerability in Trend Micro Security Software. The Popular antivirus maker and security firm Trend Micro has released an emergency patch to fix critical flaws in its anti-virus product that allow hackers to execute arbitrary commands remotely as well as steal your saved password from Password Manager built into its AntiVirus program. The password management tool that comes bundled with its main antivirus is used to store passwords by users and works exactly like any other password manager application. Even Websites Can Hack Into Your Computer Google's Project Zero security researcher, Tavis Ormandy, discovered the remote code execution flaw in Trend Micro Antivirus Password Manager component, allowing hackers to steal users' passwords. In short, o

Who else didn't see this coming? It was so obvious as I stressed earlier that the  Let's Encrypt free HTTPS certificates would not just help legitimate website operators to encrypt its users' traffic, but also help criminals to bother innocent users with malware through secure sites. Let's Encrypt allows anyone to obtain free SSL/TLS ( Secure Socket Layer/Transport Layer Security ) certificates for their web servers that encrypt all the Internet traffic passed between a server and users. Let's Encrypt is recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer. The organization started offering Free HTTPS certs to everyone from last month, and it is very easy for anyone to set up an HTTPS website in a few simple steps ( How to Install Free SSL Cert ). However, the most bothersome part is that Let's Encrypt free SSL certs are not only used by website owners to secure its

Next in the queue, Kazakhstan is also planning to Spy on encrypted Internet Traffic of its citizens, but in the most shameless way. Unlike other spying nations that are themselves capable of spying on their citizens, Kazakhstan will force every internet user in the country to install bogus security certs on their PCs and mobile devices, allowing the 'Dictator' Government to: Intercept users' Internet traffic to any Secure website, i.e. Man-in-the-Middle  Attack Access everything from user's web browsing history to usernames and passwords to secure and HTTPS-encrypted traffic This Program will seriously restrict Citizens' Freedom of Speech and Expression. What the F… is "National Internet Security Certificate"? On Monday, the nation's largest Internet service provider Kazakhtelecom JSC published a notice, which said: Citizens are "obliged" to install a so-called " National Internet Security Certificate "