Tag Archives: HTTPS

SSL News from Black Hat and DEF CON 2013

September 17, 2013 by Bruce Morton     No Comments

Every year we review some of the presentations at Black Hat and DEF CON that discuss SSL, TLS and HTTPS. Here is the list from 2013. The Factoring Dead: Preparing for the Cryptopocalypse Download: Slides by Alex Stamos, Tom Ritter, Thomas Ptacek and Javed Samuel This presentation looked into the recent leaps in solving discrete [Read More...]

Filed Under: SSL, SSL Deployment Tagged With: Breach, C.R.E.A.M., DEF CON

SSL Fingerprints

April 17, 2013 by Bruce Morton     No Comments

GRC has created HTTPS/SSL Fingerprints. This service allows you to check whether or not your enterprise is performing MITM on the SSL secured site that you are trying to reach. It compares the certificate fingerprint to what you would receive to the fingerprint that they receive by going direct. If they are the same, the certificate is authentic and you have no problem. If they are different, then it is likely that someone is performing MITM on your SSL connection.

HSTS RFC Finalized

November 21, 2012 by Bruce Morton     1 Comment

HTTP Strict Transport Security (HSTS) has been finalized and published as RFC 6797. The purpose of HSTS is to allow a website to declare to complying users’ agents that they should interact with it using a secure connection such as HTTPS. In order to implement HSTS, a website must have a statement in its header, such [Read More...]

Facebook Steps up SSL Game

November 20, 2012 by Bruce Morton     No Comments

A year and a half ago, I wrote a blog, Nice Try Facebook. This was my response to Facebook’s turning on of HTTPS for users. Probably a response to mitigate the new Firesheep attack. (BTW, happy second birthday Firesheep; more than 2.4 million downloads in two years.) My issue with Facebook was the HTTPS feature [Read More...]

Filed Under: Secure Browsing, SSL Tagged With: Firesheep, HTTPS, SSL

HTTPS Everywhere 3.0

October 11, 2012 by Bruce Morton     No Comments

The Electronic Frontier Foundation (EFF) has released HTTPS Everywhere 3.0.

Summarization of CRIME Attack on SSL

October 2, 2012 by Bruce Morton     No Comments

I’ve written a few blogs on CRIME, but now that Juliano Rizzo and Thai Duong have presented CRIME at Ekoparty 2012, I thought a summary is due. CRIME is short for “Compression Ratio Info-Leak Made Easy.” In their presentation, Rizzo and Duong reminded us that HTTPS provides confidentiality, integrity and authenticity; however, CRIME decrypts portions [Read More...]

Filed Under: Secure Browsing, SSL Tagged With: CRIME, DEFLATE, encryption

CRIME Attack on SSL/TLS

September 10, 2012 by Bruce Morton     No Comments

The security researchers who brought us BEAST now have a new SSL/TLS attack: CRIME. I would like to know what the acronym CRIME stands for, but we’ll probably have to wait until Juliano Rizzo and Thai Duong present their work at Ekoparty Security Conference later this month. Little information about the attack has been published. [Read More...]

Living with HTTPS

July 20, 2012 by Bruce Morton     No Comments

Here is a post by Adam Langley, a transport security person at Google. These were his notes before a talk that he did at HOPE9 last week. HOPE stands for Hackers on planet Earth. Adam’s talk does not focus on CAs and certificates. His notes deal with HTTPS issues and he really pushes for the [Read More...]

Filed Under: SSL Deployment Tagged With: Google, HOPE, HSTS

Addressing Mixed Content Vulnerabilities

June 30, 2011 by Bruce Morton     1 Comment

I fail to understand why website operators continue to deploy sites with Mixed Content. Are the following trust dialogues presented to their users not sufficient incentive to correct the problem? Nevertheless, a recent study showed that 22 percent of sites use Mixed Content. Internet Explorer (IE) and Firefox present these security dialogues by default. That [Read More...]

Is it SSL, TLS or HTTPS?

May 12, 2011 by Bruce Morton     No Comments

Throughout this blog I appear to use (or misuse) the terms SSL, TLS and HTTPS interchangeably. From time to time I catch myself and say, “Which one should I be using?” Frankly, my default is to use SSL. When I reference an article or site, I do tend to side with the term it prefers. [Read More...]

Filed Under: General, Technical Tagged With: SSL, TLS