Microsoft Warns of Malicious RTF Files, Remote Code Execution
On Monday, Microsoft issued a security advisory (2953095) notifying IT professionals and end-consumers of a vulnerability affecting “supported versions of Microsoft Word.” Per the advisory, specific rich text files (.RTF) that can be opened or previewed using many Microsoft software products, specifically Microsoft Word (2003-2013)and related service packs, could leave users vulnerable to remote code [Read More...]
Moving to TLS 1.2
In 2014, there will be a trend for website owners to implement TLS 1.2 on their servers. TLS 1.2 was defined in RFC 5246 in August 2008 and is the most secure version of SSL/TLS protocol. Although TLS 1.2 has been available for a few years, it is not well deployed. SSL Pulse indicates that [Read More...]
SHA-1 Deprecation, on to SHA-2
We have previously reviewed implementation of SHA-2, but with Bruce Schneier stating the need to migrate away from SHA-1 and the SHA-1 deprecation policy from Microsoft, the industry must start to make some progress in 2014. Web server administrators will have to make plans to move from SSL and code signing certificates signed with the [Read More...]
SSL Certificates without Non-FQDNs
The CA/Browser Forum decided to mitigate the risk by deprecating the issuance of certificates with non-FQDNs.
Lucky Thirteen TLS Attack
Nadhem AlFardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London, announced a new TLS/DTLS attack called Lucky Thirteen.
Yahoo turning on SSL
Yahoo is jumping on the SSL bandwagon to help secure their users’ email.
TURKTRUST Unauthorized CA Certificates
Although unrelated to Entrust, I thought you might be interested in the news about TURKTRUST.
Android SSL Problems
There have been a lot of articles written recently about Android SSL problems for applications, which were recently reported by German university researchers.
Stopping CRIME Attacks
This article by Dan Goodin appears to cover the most facts about the CRIME attack on SSL/TLS. It answers my first question about what the acronym means; CRIME is short for “Compression Ratio Info-Leak Made Easy.” It also confirms the attack is performed when the communication uses TLS compression. My understanding is that TLS compression [Read More...]
Certificate Key Lengths: Bigger is Better
As previously discussed, Microsoft issued a security advisory announcing they will block keys that are less than 1024 bits long. This feature will appear in an update for supported versions of Microsoft Windows (not affecting Windows 8 or Windows Server 2012; the functionality is already there) and, of course, you have to upgrade to this [Read More...]