Tag Archives: Cryptographic protocolsCryptographic protocols

RC4, CBC, what the …?

March 27, 2013 by Bruce Morton     No Comments

BEAST & Lucky Thirteen attacks said, “Prioritize RC4 cipher suite.” AlFBPPS attack said, “RC4 is old and crummy. CBC-mode would be better.”

IETF 86 – Web PKI Working Group

March 22, 2013 by Bruce Morton     No Comments

At the IETF 86 meeting in Orlando last week, there was a working group meeting discussing the operations of the Web PKI. At the previous IETF 85 meeting a birds-of-a-feather was held to discuss the purpose of having such a group.

SSL Certificates without Non-FQDNs

February 21, 2013 by Bruce Morton     1 Comment

The CA/Browser Forum decided to mitigate the risk by deprecating the issuance of certificates with non-FQDNs.

Lucky Thirteen TLS Attack

February 5, 2013 by Bruce Morton     No Comments

Nadhem AlFardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London, announced a new TLS/DTLS attack called Lucky Thirteen.

Lights Out: Super Bowl and OCSP

February 4, 2013 by Bruce Morton     No Comments

We were monitoring the performance of our OCSP service over the weekend and found an odd dip related to the Super Bowl.

Certificate Transparency Birds of a Feather

November 19, 2012 by Bruce Morton     No Comments

I was recently reminded by a couple of security researchers that SSL provides privacy, integrity and authenticity.

HTTPS Everywhere 3.0

October 11, 2012 by Bruce Morton     No Comments

The Electronic Frontier Foundation (EFF) has released HTTPS Everywhere 3.0.

Testing Your SSL Server for CRIME

September 17, 2012 by Bruce Morton     No Comments

We still have to wait for later this week when Juliano Rizzo and Thai Duong will present their CRIME SSL/TLS attack at Ekoparty Security Conference. Regardless, we now know that the attack is based on the implementation of TLS compression or SPDY (pronounced “speedy”). CRIME uses the vulnerability that there is information leakage when data [Read More...]

Stopping CRIME Attacks

September 13, 2012 by Bruce Morton     No Comments

This article by Dan Goodin appears to cover the most facts about the CRIME attack on SSL/TLS. It answers my first question about what the acronym means; CRIME is short for “Compression Ratio Info-Leak Made Easy.” It also confirms the attack is performed when the communication uses TLS compression. My understanding is that TLS compression [Read More...]

Speculation on CRIME

September 12, 2012 by Bruce Morton     No Comments

The SSL industry is waiting for the Ekoparty Security Conference next week to find out more details on the CRIME SSL/TLS attack. Speculation by SSL/TLS experts? The attack is based on TLS compression. Thomas Pornin made this post on IT Security of his guesses on how compression could be used in an attack. This also [Read More...]