Tatu Ylonen, father of SSH, says security is ‘getting worse’

I think it’s getting worse. Consumer privacy is disappearing totally. And SSL [Secure Sockets Layer] is being questioned and the problem isn’t the protocol itself but the key infrastructure. There have been several incidents where someone has stolen from the certificate authorities.

via http://www.networkworld.com/news/2012/072512-blackhat-ylonen-261134.html.

Microsoft Revokes Trust in 28 of Its Own Certificates

Microsoft has not said exactly what the now-untrusted certificates were used for, but company officials said there were a total of 28 certificates affected by the move. Many of the affected certificates are listed simply as “Microsoft Online Svcs”. However, the company said that it was confident that none of them had been compromised or used maliciously. The move to revoke trust in these certificates is a direct result of the investigation into the Flame malware and how the attackers were able to forge a Microsoft certificate and then use it to impersonate a Windows Update server.

via Microsoft Revokes Trust in 28 of Its Own Certificates | threatpost.

Trustworthy Internet Movement

The goal of the SSL Labs surveys is to measure the effective security of SSL. After some experimentation with an assessment of substantially all public SSL sites (about 1.5 million of them), we settled on a smaller list of about 200,000 SSL-enabled web sites, based on Alexa’s list of most popular sites in the world. Working with a smaller list is more manageable and allows us to conduct the surveys more often. It also allows us to conduct more thorough analysis to look for application-layer issues that may subvert SSL security. In addition, focusing on popular sites – we believe – gives us more relevant results and also excludes abandoned sites.

via Trustworthy Internet Movement – SSL Pulse.

New research: There’s no need to panic over factorable keys–just mind your Ps and Qs

We have been able to remotely compromise about 0.4% of all the public keys used for SSL web site security. The keys we were able to compromise were generated incorrectly–using predictable “random” numbers that were sometimes repeated. There were two kinds of problems: keys that were generated with predictable randomness, and a subset of these, where the lack of randomness allows a remote attacker to efficiently factor the public key and obtain the private key. With the private key, an attacker can impersonate a web site or possibly decrypt encrypted traffic to that web site. We’ve developed a tool that can factor these keys and give us the private keys to all the hosts vulnerable to this attack on the Internet in only a few hours.

via New research: There’s no need to panic over factorable keys–just mind your Ps and Qs | Freedom to Tinker.

The last time I was at this blog was many years ago when he showed how to hack electronic voting machines.
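An audit for the weakness described in the factorable-keys excerpt above, written as an added example (it is not code from the quoted research or from this blog): it flags RSA moduli in an inventory that are exact duplicates or that share a prime factor with another key, without recovering any private key. The host names and moduli are constructed; it assumes real moduli would be parsed from certificates or SSH host keys.

```python
from collections import defaultdict
from math import gcd, prod

# Constructed inventory (hypothetical hosts). Known Mersenne primes stand in
# for the secret primes so the sample is reproducible.
A, B, C, D, E = (2**k - 1 for k in (31, 61, 89, 107, 127))
INVENTORY = {
    "fw-a.example": A * B,
    "fw-b.example": A * C,    # shares prime A with fw-a
    "cam-1.example": A * B,   # identical modulus to fw-a
    "vpn.example": D * E,     # unrelated primes
}


def audit_moduli(inventory):
    """Return {host: [issues]}; an empty list means no overlap was found."""
    by_modulus = defaultdict(list)
    for host, n in inventory.items():
        by_modulus[n].append(host)

    # Work on distinct moduli only, otherwise a duplicate would also show up
    # as a key whose every factor is shared.
    distinct = list(by_modulus)
    product = prod(distinct)

    findings = {}
    for n in distinct:
        # (product mod n^2) // n equals the product of all *other* moduli
        # reduced mod n, so one gcd per key replaces pairwise comparison.
        others = (product % (n * n)) // n
        issues = []
        if len(by_modulus[n]) > 1:
            issues.append("duplicate-modulus")
        if gcd(n, others) != 1:
            issues.append("shared-factor")
        for host in by_modulus[n]:
            findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in sorted(audit_moduli(INVENTORY).items()):
        print(f"{host:16} {', '.join(issues) or 'ok'}")
```

Any host flagged here needs its key pair regenerated on a system with a properly seeded random number generator, and its certificate reissued.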

SPDY: Google wants to speed up the web by ditching HTTP

In an attempt to avoid these issues, SPDY uses a single SSL-encrypted session between a browser and a client, and then compresses all the request/response overhead. The requests, responses, and data are all put into frames that are multiplexed over the one connection. This makes it possible to send a higher-priority small file without waiting for the transfer of a large file that’s already in progress to terminate.

via SPDY: Google wants to speed up the web by ditching HTTP.

This article is two years old.

Light-weight, modular cryptographic and SSL/TLS library – PolarSSL

PolarSSL makes it easy for developers to include cryptographic and SSL/TLS capabilities in their embedded products with as little hassle as possible. It is designed to be readable, documented, tested, loosely coupled and portable.

via Light-weight, modular cryptographic and SSL/TLS library – PolarSSL.

I found the above site from this article on Slashdot.

The major change is the removal of OpenSSL as the cryptographic core of OpenVPN-NL. Instead, the Dutch government opted to include the smaller, better readable and documented open source library PolarSSL to provide the cryptographic and SSL/TLS functionality.

How is SSL hopelessly broken? Let us count the ways

SSL made its debut in 1994 as a way to cryptographically secure e-commerce and other sensitive internet communications. A private key at the heart of the system allows website operators to prove that they are the rightful owners of the domains visitors are accessing, rather than impostors who have hacked the users’ connections. Countless websites also use SSL to encrypt passwords, emails and other data to thwart anyone who may be monitoring the traffic passing between the two parties.

It’s hard to overstate the reliance that websites operated by Google, PayPal, Microsoft, Bank of America and millions of other companies place in SSL. And yet, the repeated failures suggest that the system in its current state is hopelessly broken.

via How is SSL hopelessly broken? Let us count the ways • The Register.