The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: TLS encryption

Firefox to Automatically Trust OS-Installed CA Certificates to Prevent TLS Errors

Firefox to Automatically Trust OS-Installed CA Certificates to Prevent TLS Errors

July 02, 2019Mohit Kumar
Mozilla has finally introduced a mechanism to let Firefox browser automatically fix certain TLS errors, often triggered when antivirus software installed on a system tries to intercept secure HTTPS connections. Most Antivirus software offers web security feature that intercepts encrypted HTTPS connections to monitor the content for malicious web pages before it reaches the web browser. To achieve this, security software replaces websites' TLS certificates with their own digital certificates issued by any trusted Certificate Authorities (CAs). Since Mozilla only trusts those CAs that are listed in its own root store, the antivirus products relying on other trusted CAs provided by the operating system (OS) are not allowed to intercept HTTPS connections on Firefox. In recent months, this limitation continually crashed HTTPS pages for many Firefox users showing them SEC_ERROR_UNKNOWN_ISSUER, MOZILLA_PKIX_ERROR_MITM_DETECTED or ERROR_SELF_SIGNED_CERT error codes when their an
Chrome, Firefox, Edge and Safari Plans to Disable TLS 1.0 and 1.1 in 2020

Chrome, Firefox, Edge and Safari Plans to Disable TLS 1.0 and 1.1 in 2020

October 15, 2018Swati Khandelwal
All major web browsers, including Google Chrome, Apple Safari, Microsoft Edge, Internet Explorer, and Mozilla Firefox, altogether today announced to soon remove support for TLS 1.0 (20-year-old) and TLS 1.1 (12-year-old) communication encryption protocols. Developed initially as Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) is an updated cryptographic protocol used to establish a secure and encrypted communications channel between clients and servers. There are currently four versions of the TLS protocol—TLS 1.0, 1.1, 1.2 and 1.3 ( latest )—but older versions, TLS 1.0 and 1.1, are known to be vulnerable to a number of critical attacks, such as  POODLE  and  BEAST . Since TLS implementation in all major web browsers and applications supports downgrade negotiation process, it leaves an opportunity for attackers to exploit weaker protocols even if a server supports the latest version. All Major Web Browsers Will Remove TLS 1.0 and TLS 1.1 Support in 2020
Facebook Open Sources Fizz — TLS 1.3 Library For Speed and Security

Facebook Open Sources Fizz — TLS 1.3 Library For Speed and Security

August 07, 2018Mohit Kumar
Facebook has open sourced Fizz—a library designed to help developers implement TLS 1.3 protocol with all recommended security and performance related configurations. Since late last month, Google Chrome web browser has started marking all non-HTTPS websites as 'Not Secure' in an effort to make the web a more secure place, forcing website administrators to switch to HTTPS. TLS 1.3 is the newest and most secure cryptographic protocol of the Transportation Layer Security (TLS), the successor to Secure Sockets Layer (SSL), which encrypts data in transit between clients and servers to prevent data theft or tampering. To make internet traffic more secure, TLS 1.3 incorporates several new features like encrypting handshake messages to keep certificates private, redesigning the way secret keys are derived, and a zero round-trip (0-RTT) connection setup, making certain requests faster than TLS 1.2. Written in C++ 14, Fizz is a reliable and highly performant TLS library that
Google to add "DNS over TLS" security feature to Android OS

Google to add "DNS over TLS" security feature to Android OS

October 23, 2017Mohit Kumar
No doubt your Internet Service Provides (ISPs), or network-level hackers cannot spy on https communications. But do you know — ISPs can still see all of your DNS requests, allowing them to know what websites you visit. Google is working on a new security feature for Android that could prevent your Internet traffic from network spoofing attacks. Almost every Internet activity starts with a DNS query, making it a fundamental building block of the Internet. DNS works as an Internet's phone book that resolves human-readable web addresses, like thehackernews.com, against their IP addresses. DNS queries and responses are sent in clear text (using UDP or TCP) without encryption, which makes it vulnerable to eavesdropping and compromises privacy. ISPs by default resolve DNS queries from their servers. So when you type a website name in your browser, the query first goes to their DNS servers to find the website's IP address, which eventually exposes this information (metada
High-Severity OpenSSL Vulnerability allows Hackers to Decrypt HTTPS Traffic

High-Severity OpenSSL Vulnerability allows Hackers to Decrypt HTTPS Traffic

May 05, 2016Mohit Kumar
OpenSSL has released a series of patches against six vulnerabilities, including a pair of high-severity flaws that could allow attackers to execute malicious code on a web server as well as decrypt HTTPS traffic . OpenSSL is an open-source cryptographic library that is the most widely being used by a significant portion of the Internet services; to cryptographically protect their sensitive Web and e-mail traffic using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. One of the high-severity flaws, CVE-2016-2107 , allows a man-in-the-middle attacker to initiate a " Padding Oracle Attack " that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI. A Padding Oracle flaw weakens the encryption protection by allowing attackers to repeatedly request plaintext data about an encrypted payload content. The Padding Oracle flaw ( exploit code ) was discovered by Juraj Somorovsky using his own developed tool c
DROWN Attack — More than 11 Million OpenSSL HTTPS Websites at Risk

DROWN Attack — More than 11 Million OpenSSL HTTPS Websites at Risk

March 01, 2016Swati Khandelwal
A new deadly security vulnerability has been discovered in OpenSSL that affects more than 11 Million modern websites and e-mail services protected by an ancient, long deprecated transport layer security protocol, Secure Sockets Layer (SSLv2). Dubbed DROWN , the highly critical security hole in OpenSSL was disclosed today as a low-cost attack that could decrypt your sensitive, secure HTTPS communications, including passwords and credit card details… ...and that too in a matter of hours or in some cases almost immediately, a team of 15 security researchers from various universities and the infosec community warned Tuesday. Here’s what the security researchers said: "We've been able to execute the attack against OpenSSL versions that are vulnerable to CVE-2016-0703 in under a minute using a single PC. Even for servers that do not have these particular bugs, the general variant of the attack, which works against any SSLv2 server, can be conducted in under 8 hour
Google to Disable Weak SSLv3 and RC4 Protocols to Boost Internet Security

Google to Disable Weak SSLv3 and RC4 Protocols to Boost Internet Security

September 19, 2015Swati Khandelwal
It is finally time to say GoodBye to the old and insecure Web security protocols. Citing the long history of weaknesses in the Secure Sockets Layer (SSL) 3.0 cryptographic protocol and the RC4 Cipher Suite, Google plans to disable support for both SSLv3 as well as RC4 stream cipher in its front-end servers. While announcing on its official blog , the Search Engine giant said the company is looking to put away SSLv3 and RC4 in all of its front-end servers, and eventually, in all its software including Chrome, Android, Web crawlers, and email servers. The move by Google came as no surprise, considering the fact that both RC4 and SSLv3 have been deemed unsecure by the Internet Engineering Task Force (IETF). What are the Problems? SSLv3, which was made outdated 16 years ago, has a long history of security problems like BEAST , out of them the most recent one was POODLE ( Padding Oracle On Downgraded Legacy Encryption ) attacks, which lead to the recovery of plaintext communication
Lenovo Shipping PCs with Pre-Installed 'Superfish Malware' that Kills HTTPS

Lenovo Shipping PCs with Pre-Installed 'Superfish Malware' that Kills HTTPS

February 19, 2015Swati Khandelwal
One of the most popular computer manufacturers Lenovo is being criticized for selling laptops pre-installed with invasive marketing software, or malware that, experts say, opens up a door for hackers and cyber crooks. The software, dubbed ‘ Superfish Malware ’, analyzes users’ Internet habits and injects third-party advertising into websites on browsers such as Google Chrome and Internet Explorer based on that activities without the user’s permission. Security researchers recently discovered  Superfish Malware  presents onto new consumer-grade Lenovo computers sold before January of 2015. When taken out of the box for the first time, the adware gets activated and because it comes pre-installed, Lenovo customers might end up using it inadvertently. SUPERFISH CERTIFICATE PASSWORD CRACKED The  Superfish Malware  raised serious security concerns about the company’s move for breaking fundamental web security protocols, carrying out " Man in the Middle " (MitM) at
Microsoft Boosts Encryption for Outlook Webmail and OneDrive

Microsoft Boosts Encryption for Outlook Webmail and OneDrive

July 02, 2014Wang Wei
After the wide chain of scandals over US global snooping that seriously damaged the trust on the top U.S. Tech companies, Google and Yahoo! came forward and took initiative to provide more secure, encrypted and NSA-proofed service in an effort to gain their reputation again among its users. Now, Microsoft has also announced several improvements to the encryption used in its online cloud services in order to protect them from cyber criminals, bad actors and prying eyes. The company effort detailed in a blog entry by Matt Thomlinson, Microsoft's Vice President of Trustworthy Computing Security. MICROSOFT’S COMMITMENT Last December, Microsoft promised to protect its users data from government snooping by expanding encryption across its services, reinforcing legal protections for its customers’ data and enhancing the transparency of its software code, making it easier for the customers to reassure themselves that its products contain no backdoors. Yesterday’s announc
Twitter enables StartTLS for Secure Emails to prevent Snooping

Twitter enables StartTLS for Secure Emails to prevent Snooping

March 14, 2014Wang Wei
TWITTER is taking users' privacy and security very seriously and in an effort to prevent Government snooping, the company has secured your Twitter emails with with TLS (Transport Layer Security). Twitter emails were previously using a plain text communication protocol, that now has been upgraded to an encrypted (TLS or SSL) connection using STARTTLS . In a blog post, Twitter announced : " Since mid-January, we have been protecting your emails from Twitter using TLS in the form of StartTLS. StartTLS encrypts emails as they transit between sender and receiver and is designed to prevent snooping. It also ensures that emails you receive from Twitter haven’t been read by other parties on the way to your inbox if your email provider supports TLS. " " These email security protocols are part of our commitment to continuous improvement in privacy protections and complement improvements like our securing of web traffic with forward secrecy and always-on HTT
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.