ssl security | Breaking Cybersecurity News | The Hacker News

A group of researchers has detailed a new timing vulnerability in Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions. Dubbed " Raccoon Attack ," the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communications between two parties. "The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret," the researchers explained their findings in a paper. "If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem." However, the academics stated that the vulnerability is hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable.

Mozilla, in partnership with Facebook, Cloudflare, and other IETF community members, has announced technical specifications for a new cryptographic protocol called " Delegated Credentials for TLS ." Delegated Credentials for TLS is a new simplified way to implement "short-lived" certificates without sacrificing the reliability of secure connections. In short, the new TLS protocol extension aims to effectively prevent the misuse of stolen certificates by reducing their maximum validity period to a very short span of time, such as a few days or even hours. Before jumping into how Delegated Credentials for TLS works, you need to understand the current TLS infrastructure, and of course, about the core problem in it because of which we need Delegated Credentials for TLS. The Current TLS Infrastructure More than 70% of all websites on the Internet today use TLS certificates to establish a secure line of HTTPS communication between their servers and visitors,

Imagine a world where the software that powers your favorite apps, secures your online transactions, and keeps your digital life could be outsmarted and taken over by a cleverly disguised piece of code. This isn't a plot from the latest cyber-thriller; it's actually been a reality for years now. How this will change – in a positive or negative direction – as artificial intelligence (AI) takes on a larger role in software development is one of the big uncertainties related to this brave new world. In an era where AI promises to revolutionize how we live and work, the conversation about its security implications cannot be sidelined. As we increasingly rely on AI for tasks ranging from mundane to mission-critical, the question is no longer just, "Can AI  boost cybersecurity ?" (sure!), but also "Can AI  be hacked? " (yes!), "Can one use AI  to hack? " (of course!), and "Will AI  produce secure software ?" (well…). This thought leadership article is about the latter. Cydrill  (a

A team of security researchers has discovered a critical implementation flaw in major mobile banking applications that left banking credentials of millions of users vulnerable to hackers. The vulnerability was discovered by researchers of the Security and Privacy Group at the University of Birmingham, who tested hundreds of different banking apps—both iOS and Android—and found that several of them were affected by a common issue, leaving their users vulnerable to man-in-the-middle attacks. The affected banking apps include HSBC, NatWest, Co-op, Santander, and Allied Irish bank, which have now been updated after researchers reported them of the issue. According to a research paper [ PDF ] published by researchers, vulnerable applications could have allowed an attacker, connected to the same network as the victim, to intercept SSL connection and retrieve the user's banking credentials, like usernames and passwords/pincodes—even if the apps are using SSL pinning feature. SS

A Chinese certificate authority (CA) appeared to be making a significant security blunder by handing out duplicate SSL certificates for a base domain if someone just has control over its any subdomain. The certificate authority, named WoSign , issued a base certificate for the Github domains to an unnamed GitHub user. But How? First of all, do you know, the traditional Digital Certificate Management System is the weakest link on the Internet today and has already been broken? Billions of Internet users blindly rely on hundreds of Certificate Authorities (CA) around the globe to ensure the confidentiality and integrity of their personal data. But, these CAs have powers to issue valid SSL cert for any domain you own, despite the fact you already have one purchased from another CA. ...and that's the biggest loophole in the CA system. In the latest case as well, WoSign issued a duplicate SSL certificate for GitHub domains without verifying ownership of the base domain.

Are you Using HTTPS on your Website to securely encrypt traffic? Well, we'll see you in the court. At least, that's what CryptoPeak is saying to all big brands that utilize HTTPS on their web servers. BIG Brands Sued for Using HTTPS: 'Patent Troll' Texas-based company CryptoPeak Solutions LLC has filed 66 lawsuits against many big businesses in the US, claiming they have illegally used its patented encryption method – Elliptic Curve Cryptography (ECC) – on their HTTPS websites. Elliptic Curve Cryptography (ECC) is a key exchange algorithm that is most widely used on websites secured with Transport Layer Security (TLS) to determine what symmetric keys are used during a session. Encryption is on the rise after Edward Snowden made the world aware of government's global surveillance programs. Today, many big tech and online services are using encryption to: Protect the data transmitted to/from visitor to domain Lessen the risk of hacking

Internet of Things (IoT) with the purpose of providing convenience to the users enabled every object in the universe to be as smart as a whip. By assigning IP address to all sorts of devices, ranging from household appliances, machines, medical devices and sensors to other day-to-day objects, and putting them all together on a standardised network is a common Internet of Things (IoT) practice. Is Internet of Things Secure? In my previous articles, I gave you a glance of the most vulnerable smart cities that are increasingly adopting devices connected to the Internet in an attempt to add convenience and ease to daily activities. By 2020, there will be more than 45 Billion Internet-connected devices that will transform the way we live and work. The bottom line: As the number of IoT enabled systems increases, the complexity of handling them increases; leading to an introduction of new risk and vulnerabilities associated with them. Security of Internet of

After facing much criticism for violation of Net Neutrality, Facebook has opened up its new Internet.org platform to developers for creating their apps and services in India and other countries. Facebook's Internet.org aims at offering free Internet access to " the next 5 billion " impoverished people around the world who currently don't have it. This current move now would potentially allow any website to be accessed for free via the Internet.org service, but only in the case, if the website ditches the encrypted communications (HTTPS), JavaScript, and other important things. Internet for All: Facebook offers free mobile Internet access to people in India , Zambia , Colombia, Tanzania, Kenya, Ghana, Philippines and Indonesia . However, in order to access the free Internet, users must have special Android apps, Internet.org's website, the Opera Mini web browser or Facebook's Android app. Until now, the Internet.org scheme had been

Another new widespread and disastrous SSL/TLS vulnerability has been uncovered that for over a decade left Millions of users of Apple and Android devices vulnerable to man-in-the-middle attacks on encrypted traffic when they visited supposedly 'secured' websites, including the official websites of the White House, FBI and National Security Agency. Dubbed the " FREAK " vulnerability ( CVE-2015-0204 ) - also known as Factoring Attack on RSA-EXPORT Keys - enables hackers or intelligence agencies to force clients to use older, weaker encryption i.e. also known as the export-grade key or 512-bit RSA keys. FREAK vulnerability discovered by security researchers of French Institute for Research in Computer Science and Automation (Inria) and Microsoft, resides in OpenSSL versions 1.01k and earlier, and Apple's Secure Transport. 90s WEAK EXPORT-GRADE ENCRYPTION Back in 1990s, the US government attempted to regulate the export of products utilizing "

Google introduced a new security tool to help developers detect bugs and security glitches in the network traffic security that may leave passwords and other sensitive information open to snooping. The open source tool, dubbed as Nogotofail , has been launched by the technology giant in sake of a number of vulnerabilities discovered in the implementation of the transport layer security, from the most critical Heartbleed bug in OpenSSL to the Apple's gotofail bug to the recent POODLE bug in SSL version 3. The company has made the Nogotofail tool available on GitHub, so that so anyone can test their applications, contribute new features to the project, provide support for more platforms, and help improve the security of the internet. Android security engineer Chad Brubaker said that the Nogotofail main purpose is to confirm that internet-connected devices and applications aren't vulnerable to transport layer security (TLS) and Secure Sockets Layer (SSL) encry

Another Heartbleed-like vulnerability has been discovered in the decade old but still widely used Secure Sockets Layer ( SSL ) 3.0 cryptographic protocol that could allow an attacker to decrypt contents of encrypted connections to websites. Google's Security Team revealed on Tuesday that the most widely used web encryption standard SSL 3.0 has a major security vulnerability that could be exploited to steal sensitive data. The flaw affects any product that follows the Secure layer version 3, including Chrome, Firefox, and Internet Explorer. Researchers dubbed the attack as " POODLE ," stands for Padding Oracle On Downgraded Legacy Encryption , which allows an attacker to perform a man-in-the-middle attack in order to decrypt HTTP cookies. The POODLE attack can force a connection to "fallback" to SSL 3.0, where it is then possible to steal cookies, which are meant to store personal data, website preferences or even passwords. Three Google security engineers - Bodo Möll

A leading provider of advanced threat, security and compliance solutions, Tripwire , has announced that Craig Young , a security researcher from its Vulnerability and Exposure Research Team (VERT) , is working on a paper about SSL vulnerabilities that will be presented at DEF CON 22 Wireless Village . There are thousands of websites over Internet that contain serious mistakes in the way that Secure Sockets Layer and Transport Layer Security (SSL/TLS) is implemented, leaving them vulnerable to man-in-the-middle (MitM) attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information. MitM attack is one of the common and favorite techniques of attackers used to intercept wireless data traffic. Cyber criminals could able to intercept sensitive user data, including credit card numbers, PayPal credentials and social network credentials as well. Young has unearthed various situations where poor SSL implementations in co

The open source encryption protocol, OpenSSL, which is used by several social networks, search engines, banks and other websites to enable secure connections while transmitting data, came to everybody's attention following the Heartbleed vulnerability , a critical bug in the OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server's memory, potentially revealing users data, that the server did not intend to reveal. Now, the biggest Internet giant Google is launching a new fork of OpenSSL, which they dubbed as BoringSSL, developed by its own independent work with the code. " We have used a number of patches on top of OpenSSL for many years, " Adam Langley, a cryptography engineer and Google employee, wrote in a blog post introducing BoringSSL. " Some of them have been accepted into the main OpenSSL repository, but many of them don't mesh with OpenSSL's guarantee of API and ABI

Two year back in 2012, one of the most popular online social networking sites Linkedin spent between $500,000 and $1 million on forensic work after millions of its users' account passwords were compromised in a major security data breach. But, it seems that the company hasn't learned any lesson from it. WHAT IS MAN-IN-THE-MIDDLE (MitM) ATTACK Before moving on to the story, let us discuss some emerging and common threats against the social networking sites nowadays. If we talk about less publicized but more danger, then Man-in-the-Middle (MitM) attack is the most common one. By attempting MitM attack, a potential attacker could intercept users' internet communication, steal sensitive information and even hijack sessions. Though MitM attacks are popular and have existed for years, a major categories of today's largest websites and social networking sites still haven't taken the necessary steps to safeguard their users' personal and sensitive data from the vulnerabil

Explosive revelations of massive surveillance programs conducted by government agencies by the former contractor Edward Snowden triggered new debate about the security and privacy of each individual who is connected somehow to the Internet and after the Snowden's disclosures they think that by adopting encrypted communications, i.e. SSL enabled websites, over the Internet, they'll be secure. People do care of their privacy and many have already changed some of their online habits, like by using HTTPS instead of HTTP while they are surfing the Internet. However, HTTPS may be secured to run an online store or the eCommerce Web site, but it fails as a privacy tool. The US researchers have found a traffic analysis of ten widely used HTTPS-secured Web sites " exposing personal details, including medical conditions, financial and legal affairs and sexual orientation. " The UC Berkeley researchers Brad Miller, A. D. Joseph and J. D. Tygar and Intel Labs' researchers, Li

If you haven't heard by now, Facebook just made its biggest move ever, buying the messaging service WhatsApp in a deal worth some $19 billion. That's 19 times what Facebook paid for Instagram two years ago. The WhatsApp Service run by the team of just 32 engineers, handles more than 50 Billion messages daily, and approx 385 million active users. WhatsApp acquisition has also brought out fresh criticism over security for the billions of messages delivered on the platform. Security Researcher at Praetorian Labs identified several SSL-related security issues in WhatsApp application using Project Neptune , a mobile application security testing platform. " WhatsApp communication between your phone and our server is fully encrypted. We do not store your chat history on our servers. Once delivered successfully to your phone, chat messages are removed from our system ." Company said in a blog post . But researchers found that WhatsApp is vulnerable to Man-in-theMiddl