InfoQ Homepage SSL Content on InfoQ
-
AWS s2n: Open-source TLS Implementation in Less than 6,000 Lines
Amazon Web Services has recently introduced s2n, short for “signal to noise”, an open-source implementation of the TLS/SSL protocols that aims to be “simple, small, fast, and with security as a priority”.
-
Netflix Releases Open Source Message Security Layer
Netflix have announced the release of the Message Security Layer protocol (MSL), which they describe as ‘A Modern Take on Securing Communication’. The project is available on github under the Apache 2.0 license, with implementations in Java and JavaScript.
-
Google to remove support for SSL 3.0
Google have announced that they will remove support for the obsolete SSL 3.0 after discovering vulnerabilities that may be exploitable by forcing clients or servers to downgrade. Removing SSL 3.0 may also unlock stalled negotiations with HTTP2. Read on for more details.
-
CloudFlare Universal SSL - Free Web Security for All
CloudFlare have made SSL available to all free subscribers to its content delivery network (CDN) with Universal SSL. The move addresses both cost and complexity issues that have previously confronted web site and application owners wanting to deploy SSL. CloudFlare takes care of issuing a certificate at no cost to the end user, and enabling SSL becomes a selection from a dropdown menu.
-
GitHub, BitBucket, Twitter and other Secure Services Affected on Mac OS X By Expired SSL Certificate
On Saturday July 26th, an intermediate certificate issued by DigiCert that was used by online services like GitHub, BitBucket, etc expired. Since this certificate was widely cached in the keychains of many Mac OS X users, this expiration caused any connection via browser or API to raise certificate chain errors.
-
Android 4.1.1 Vulnerable to Reverse Heartbleed
Google announced last week that Android 4.1.1 is susceptible to the Heartbleed OpenSSL bug. While Android 4.1.1 is, according to Google, the only Android version vulnerable to Heartbleed, it remains in use in millions of smartphones and tablets. Android 4.1.1 devices have been shown to leak significant amount of data in a "reverse Heartbleed" attack.
-
Microsoft to Stop Honoring SHA1 Certificates for SSL and Code Signing
Following recommendations by the US National Institute of Standards and Technology, Microsoft intends to stop honoring SHA1 for SSL and Code Signing certificates. This policy will begin in 2017 and applies to Windows Vista, Windows Server 2008, and later operating systems.
-
Researchers Expose SSL Vulnerabilities in Libraries and Their Usage in Popular Non-Browser Services
A recent publication in the ACM CCS'12 proceedings titled "The Most Dangerous Code in the World:Validating SSL Certificates in Non-Browser Software" exposes critical vulnerabilities in the creation and usage of SSL libraries in non-browser applications. The lessons learnt and the ensuing recommendations to developers and testers are shared in this news item.
-
Will SSL Collapse Under its Own Weight?
Lori MacVittie from F5 Networks provided an analysis of the recent adoption of NIST SSL Deployment Guidelines by the US Government as of January 2011. Since all commercial certificate authorities now issue only 2048-bit keys, the capacity of a server to process SSL is severely impacted and invalidates the general belief that SSL is not computationally expensive.
-
An MD5 Implementation for Silverlight
An implementation of the MD5 cryptographic hashing algorithm for Silverlight has been posted on MSDN by Reid Borsuk. Delay, another MSDN user, has recently posted ComputeFileHashes, a small .NET command-line application that also works on WPF and Silverlight and is helpful to compute MD5, SHA-1, and CRC-32 hashes.
-
MD5 Exploit Potentially Compromises SSL Security
SSL-based security using X509 certificates from certain CA's opens a vulnerability to sites masquerading under a forged X509 certificate, even in a "secure" connection. This was demonstrated recently at the Chaos Conference in Berlin by spoofing a real certificate.
-
JRuby: 1.0.3 addresses compatibility issues, 1.1 performance update
JRuby 1.0.3 is out now. Although a point release, the update is significant because it addresses compatibility issues with Rails 2.0 and other libraries and tools. Meanwhile, some JRuby 1.1 performance improvements get noticed.
-
Not-Yet-Commons-SSL Provides Powerful (and Free) SSL Capabilities
Not-Yet-Commons-SSL is an Apache licensed Java library designed to simplify the use of SSL by providing an easy-to-use API along with robust support for a variety of certificate formats and configuration options.