HackDig : Dig high-quality web security articles for hackers

The mystery of the expiring Sectigo web certificate

by Paul Ducklin. There’s a bit of a kerfuffle in the web hosting community just at the moment over an expired web security certificate from a certificate authority called Sectigo, formerly Comodo Certificate Authority. Expired certificates are a problem because they cause the web server that relies on them to show up as “invalid” to any program
Publish At:2020-06-02 14:55 | Read:112 | Comments:0 | Tags:Cryptography chain of trust openssl Sectigo SSL TLS

Firefox 76 will have option to enforce HTTPS-only connections

by John E Dunn. Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing. Using an HTTPS site means that your browser and the site establish an encrypted connection which can’t be snooped on by ISPs, rogue Wi-Fi access points, or anyone else trying to monitor the cont
Publish At:2020-03-27 10:24 | Read:391 | Comments:0 | Tags:Firefox Google Mozilla Security threats Web Browsers browser

Malware and HTTPS – a growing love affair

by Paul Ducklin. If you’re a regular Naked Security reader, you’ll know that we’ve been fans of HTTPS for years. In fact, it’s nearly nine years since we published an open letter to Facebook urging the social networking giant to adopt HTTPS everywhere. HTTPS is short for HTTP-with-Security, and it means that your browser, which uses HTTP (
Publish At:2020-02-18 10:21 | Read:332 | Comments:0 | Tags:Cryptography Malware malware sophoslabs TLS

TROOPERS20 Training Teaser: TLS in the Enterprise – Post Quantum Security

Our workshop “TLS in the enterprise” was held for the first time at Troopers 2018 and was our special contribution to the IT security world to increase the usage of TLS and point out the pitfalls when switching to TLS. But times are changing and TLS is a kind of standard nowadays, at least when looking at HTTPS, but there are still a lot of things
Publish At:2019-12-09 17:15 | Read:626 | Comments:0 | Tags:Events TLS TROOPERS

FreeRADIUS allows hackers to log in without credentials

The security researcher Stefan Winter has discovered a TLS resumption authentication bypass in FreeRADIUS, the world’s most popular RADIUS server. The security researcher Stefan Winter from Luxembourg’s high-speed academic network RESTENA has discovered a FreeRADIUS TLS resumption authentication bypass. FreeRADIUS is the world’s most po
Publish At:2017-05-30 05:10 | Read:5054 | Comments:0 | Tags:Breaking News Hacking authentication CVE-2017-9148 FreeRADIU

The OpenSSL Project fixed a High Severity flaw CVE-2017-3733 in release 1.1.0

On Thursday the OpenSSL Project fixed a high severity denial-of-service (DoS) vulnerability in OpenSSL tracked as CVE-2017-3733. The OpenSSL development team has fixed a high severity denial-of-service (DoS) flaw tracked as CVE-2017-3733. This is the second security update released in just two months; the first one addressed four low and moderate severit
Publish At:2017-02-16 18:05 | Read:3201 | Comments:0 | Tags:Breaking News Hacking Security CVE-2017-3733 OpenSSL SSL TLS

Roughly 200,000 Devices still affected by the Heartbleed vulnerability

More than two years after the disclosure of the Heartbleed bug, 200,000 services are still affected. Systems susceptible to Heartbleed attacks are still too many: even though the flaw was discovered in 2014, nearly 200,000 systems are still affected. A similar Shodan search in November 2015 found 238,000 results; the number dropped to 237,539 resul
Publish At:2017-01-23 22:35 | Read:4165 | Comments:0 | Tags:Breaking News Hacking Reports Security CVE-2014-0160 encrypt

Already on probation, Symantec issues more illegit HTTPS certificates

A security researcher has unearthed evidence showing that three browser-trusted certificate authorities (CAs) owned and operated by Symantec improperly issued more than 100 unvalidated Transport Layer Security certificates. In some cases, those certificates made it possible to spoof HTTPS-protected w
Publish At:2017-01-21 11:20 | Read:6836 | Comments:0 | Tags:Law & Disorder Risk Assessment certificate authorities PKI P

iOS TLS session resumption race condition

Roughly three months ago when iOS 9 was still the newest version available for the iPhone, we encountered a bug in the Twitter iOS app. When doing a transparent proxy setup for one of our iOS app security tests, a Twitter HTTPS request turned up in the Burp proxy log. This should never happen, as the proxy’s HTTPS certificate is not trusted on iOS and
Publish At:2016-12-23 23:30 | Read:3870 | Comments:0 | Tags:Mobile Security Hackerone iOS session resumption TLS Twitter

HTTPS crypto’s days are numbered. Here’s how Google wants to save it

Like many forms of encryption in use today, HTTPS protections are on the brink of a collapse that could bring down the world as we know it. Hanging in the balance are most encrypted communications sent over the last several decades. On Thursday, Google unveiled an experiment designed to head off, or at least lessen, the catastrophe. In the coming months, Goog
Publish At:2016-07-09 07:25 | Read:5552 | Comments:0 | Tags:Risk Assessment Technology Lab cryptography encryption HTTPS

Unmasking malware’s use of TLS without flow decryption

Researchers devised a method to unmask malware’s use of TLS without decrypting the data flow. The technique relies on analysis of observable data features. A team of security experts from Cisco demonstrated that it is possible to detect malware in TLS connections without decrypting the traffic, and to block it. The researchers Blake Anderson, Subharthi P
Publish At:2016-07-07 22:50 | Read:5084 | Comments:0 | Tags:Breaking News Cyber Crime Malware Deep packet inspection enc

CVE-2016-2107 OpenSSL Flaw still affects many Alexa Top Sites

According to the security firm High-Tech Bridge, many of the Alexa Top 10,000 websites are still vulnerable to the OpenSSL flaw CVE-2016-2107. The CVE-2016-2107 flaw affecting the open-source cryptographic library could be exploited to launch a man-in-the-middle attack leveraging a padding oracle attack that can decrypt HTTPS traffic if the connection
Publish At:2016-05-31 15:05 | Read:3783 | Comments:0 | Tags:Breaking News Security CVE-2016-2107 encryption Hacking man-

Dozens of VISA HTTPS-protected sites vulnerable to Forbidden attack

Dozens of HTTPS-protected websites belonging to Visa are vulnerable to the Forbidden attack; nearly 70,000 servers are at risk. A new attack technique dubbed the ‘Forbidden attack’ exposes dozens of HTTPS Visa sites to cyber attacks, and roughly another 70,000 servers are at risk. A group of international researchers (Hanno Böck, Aaron Za
Publish At:2016-05-27 01:35 | Read:4910 | Comments:0 | Tags:Breaking News Hacking Security Forbidden attack TLS VISA

“Forbidden attack” makes dozens of HTTPS Visa sites vulnerable to tampering

Dozens of HTTPS-protected websites belonging to financial services giant Visa are vulnerable to attacks that allow hackers to inject malicious code and forged content into the browsers of visitors, an international team of researchers has found. In all, 184 servers, some belonging to German stock exchange Deutsche Börse and Polish banking association Związek Ba
Publish At:2016-05-26 21:40 | Read:4147 | Comments:0 | Tags:Law & Disorder Risk Assessment Technology Lab authentication

A High-Severity flaw in OpenSSL allows the HTTPS Traffic decryption

OpenSSL has released patches for six flaws, including two high-severity bugs that could allow attackers to decrypt HTTPS traffic and execute malicious code on the server. OpenSSL just released several patches to fix vulnerabilities in the open-source cryptographic library, including a couple of high-severity flaws (CVE-2016-2107, CVE-2016-2108) that could be expl
Publish At:2016-05-05 18:35 | Read:4298 | Comments:0 | Tags:Breaking News Hacking Security encryption man-in-the-middle
