(Feb 22) Suman Jana reported that GnuTLS, deviating from the documented behavior, considers a version 1 intermediate certificate as a CA certificate by default. [More…]
The National Institute of Standards and Technology (NIST) is still using SSL certificates signed with the SHA-1 signature algorithm, despite issuing a Special Publication disallowing the use of this algorithm for digital signature generation after 2013. “SHA-1 shall not be used for digital signature generation after December 31, 2013.” — NIST recommendation The SSL […]
Partly as a consequence of the US Government shutdown, there are presently more than two hundred .gov websites using expired SSL certificates. Although the shutdown is expected to be a short term measure, the widespread use of expired certificates on .gov sites may cause long term harm. The US Government is effectively training its citizens […]
Certificate revocation checking is an essential part of any connection to an SSL site; without it, an attacker can impersonate an SSL site with a compromised certificate until it expires of its own accord — an event which may be 5 years away — even if the issuer of the certificate (the certificate authority, or […]
The Malaysian government’s Police Portal (Johor Contingent) is currently hosting a phishing attack against PayPal on its secure website https://www.polisjohor.gov.my (Site Report). Phishing sites using SSL certificates can piggyback on the trust instilled by browser indicators, such as the padlock icon, to trick potential victims into revealing sensitive information such as their username and password. […]
(Jan 6) Google, Inc. discovered that the TurkTrust certification authority included in the Network Security Service libraries (nss) mis-issued two intermediate CA’s which could be used to generate rogue end-entity certificates. This update explicitly distrusts those two intermediate [More…]
60 queries. 8.5 mb Memory usage. 0.689 seconds.