A vulnerability that allows attackers to create their malicious certificates without depending on any external and trustworthy CAs was fixed in the newest version of the open-source software OpenSSL released July 9. Identified as CVE-2015-1793 (Alternative Chains certificate forgery) and rated with “high severity”, the vulnerability allows attackers to use certificates to produce other valid Certificates even…
Read MoreHow secure is online public communication? Last May, a paper was published that discusses about the Diffie-Helman (DH) crypto-strength deployment, which gives strong evidence that the current DH usage is weak and suggests that 1024-bit size parameters can be broken with a nation state’s computing power resources. The paper presents possible scenarios where such an incident could occur. They found,…
Read MoreDigital certificates are the backbone of the Public Key Infrastructure (PKI), which is the basis of trust online. Digital certificates are often compared to signatures; we can trust a document because it has a signature, or certificate authority (CA) by someone we trust. Simply put, digital certificates are a reproduction of a simple model which occurs…
Read MoreThe recent Superfish incident has raised more concerns that SSL/TLS connections of users can be intercepted, inspected, and re-encrypted using a private root certificate installed on the user system. In effect, this is a man-in-the-middle (MITM) attack carried out within the user’s own system. We believe that site owners adopting extended validation (EV) certificates would help…
Read MoreEarlier today, Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz released a paper discussing a serious bug in SSL 3.0 that allows attackers to conduct man-in-the-middle attacks and decrypt the traffic between Web servers and end users. For example, if you’re shopping online with your credit card, you may think that your information is secure…
Read More