Posts Tagged ‘SSL certificates’

Google has announced the strengthening of all its SSL encryption certificates. The developers are starting to use 2048-bit encryption.

The new standard will be put into operation gradually. Google starts using the new certificates in August and promises to complete the transition by the end of 2013.

In most cases and for most users, the transition to another technology will hardly be noticed. But hackers will have to work harder because the transmitted data will be much more difficult to decipher.

“We are starting to move to the new 2048-bit certificates from August 1, 2013, to provide sufficient time to transition all of our products to the new standard by the end of the year. We are also changing the root certificate, because it used 1024-bit encryption,” explains Google. (more…)

Substitution of SSL certificates

Vulnerability: Substitution of SSL certificates in PayPal SDK

Severity: Low
Availability of fixes: Remediation instructions
Quantity of vulnerabilities: 1

CVE ID: CVE-2012-5787
Exploitation vector: Remote
Impact: Spoofing attack

Affected products: PayPal SDK

Affected versions: PayPal SDK

Description:

Which can be exploited by malicious people to conduct spoofing attacks. (more…)

ICSI Certificate Notary

Security researchers from the University of Berkeley have announced the creation of the non-profit community ICSI Certificate Notary, which will maintain a single database with information on the validity of SSL certificates.

Creating a certificate validation service is an attempt to address a key architectural problem of the certification process: if any one of hundreds of certificates is compromised, the entire chain of trust collapses (the attacker can generate a certificate for any site, which the entire system will accept as valid). ICSI Certificate Notary can detect such fraudulent certificates in the early stages of their appearance.

Over a year of automated inspection, covering statistics on about 7.6 billion SSL connections from 220,000 users, data was collected on about 500 thousand certificates used by websites on the network. The data is accumulated using several independent partner systems operating in different parts of the world. The information is updated in a continuous cycle, which makes it possible to quickly detect compromised certificates. Thus, using the ICSI Certificate Notary, any user can verify that the certificate used to establish the SSL connection to a given site was issued for that site and was not planted by attackers in order to intercept traffic. (more…)

SSL certificate verification

It turns out that it is not only Android application developers who are guilty of incompetent SSL implementation: similar mistakes are present in software from leading companies, including Amazon and PayPal.

Flawed SSL certificate verification has been found in mission-critical applications, SDKs, Java middleware, banking software and so on, which opens up the possibility of MITM attacks. Nothing worse can be imagined, according to researchers from Stanford and Texas universities, who published the paper “The most dangerous code in the world: verification of SSL certificates out of the browser”. It is worth mentioning that the group of American scientists worked under the direction of Vitaly Shmatikov, a candidate of science at the University of Texas. (more…)