Tag: certificate

Jul 08

Microsoft quietly pushes 17 new trusted root certificates to all Windows systems

The aging foundation of Certificate Authorities shows yet another crack as security experts are caught unaware

Source: Microsoft quietly pushes 17 new trusted root certificates to all Windows systems

Mar 25

Google Online Security Blog: Maintaining digital certificate security

Google Online Security Blog: Maintaining digital certificate security.

Mar 20

A Finnish man created this simple email account – and received Microsoft’s security certificate – Tivi

A Finnish man created this simple email account – and received Microsoft's security certificate – Tivi.

Feb 22

Lenovo Computers Vulnerable to HTTPS Spoofing | US-CERT

Lenovo consumer personal computers employing the pre-installed Superfish Visual Discovery software contain a critical vulnerability through a compromised root CA certificate. Exploitation of this vulnerability could allow a remote attacker to read all encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system.

US-CERT recommends users and administrators review Vulnerability Note VU#529496 and US-CERT Alert TA15-051A for additional information and mitigation details.

via Lenovo Computers Vulnerable to HTTPS Spoofing | US-CERT.

Jul 08

50. Android (DRD) – java – CERT Secure Coding Standards

The following rules and guidelines are specific only to the Android platform. These do not apply to the development of Java or C programs for non-Android platforms. (The full set of Android-relevant rules and guidelines is available on the CERT Secure Coding Standards site.) The term sensitive incorporates the Java glossary definition of sensitive data, as well as the Android concept of permission-protected.

DRD00-J. Do not store sensitive information on external storage (SD card) unless encrypted first

DRD01-J. Limit the accessibility of an app’s sensitive content provider

DRD02-J. Do not allow WebView to access sensitive local resource through file scheme

DRD03-J. Do not broadcast sensitive information using an implicit intent

DRD04-J. Do not log sensitive information

DRD05-J. Do not grant URI permissions on implicit intents

DRD06-J. Do not act on malicious intents

DRD07-J. Protect exported services with strong permissions

DRD08-J. Always canonicalize a URL received by a content provider

DRD09-J. Restrict access to sensitive activities

DRD10-J. Do not release apps that are debuggable

DRD11-J. Ensure that sensitive data is kept secure

DRD12-J. Do not trust data that is world writable

DRD13-J. Do not provide addJavascriptInterface method access in a WebView which could contain untrusted content. (API level JELLY_BEAN or below)

DRD14-J. Check that a calling app has appropriate permissions before responding

DRD15-J. Consider privacy concerns when using Geolocation API

DRD16-J. Explicitly define the exported attribute for private components

DRD17-J. Do not use the Android cryptographic security provider encryption default for AES

DRD18-J. Do not use the default behavior in a cryptographic library if it does not use recommended practices

DRD19-J. Properly verify server certificate on SSL/TLS

via 50. Android (DRD) – java – CERT Secure Coding Standards.

Jun 06

Google’s certificate announcement contains a hidden surprise for Windows XP users | Naked Security

Duck wrote an excellent overview of the big change – the switch to 2048-bit certificates – but a less prominent aspect of the announcement should also be a concern to IT administrators, particularly those managing the 33% of desktops that are still running Windows XP*.

Google’s certificate announcement contains a hidden surprise for Windows XP users | Naked Security.

May 29

Certificate pinning – first for websites, now for software? | Naked Security

Certificate pinning – first for websites, now for software? | Naked Security.

Apr 15

Bitmessage Wiki

Bitmessage is a P2P communications protocol used to send encrypted messages to another person or to many subscribers. It is decentralized and trustless, meaning that you need not inherently trust any entities like root certificate authorities. It uses strong authentication which means that the sender of a message cannot be spoofed, and it aims to hide “non-content” data, like the sender and receiver of messages, from passive eavesdroppers like those running warrantless wiretapping programs. If Bitmessage is completely new to you, you may wish to start by reading the whitepaper.

Bitmessage Wiki.

Mar 25

Certificate Patrol :: Modules pour Firefox

Your browser trusts many certification authorities and intermediate sub-authorities quietly, every time you enter an HTTPS web site. This add-on reveals when certificates are updated, so you can ensure it was a legitimate change.

Certificate Patrol :: Modules pour Firefox.
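The two entries above describe the same failure from both ends: the Superfish note (Feb 22) explains that a compromised root CA certificate lets an attacker impersonate any HTTPS site, and Certificate Patrol works around that by remembering the certificate a site presented and flagging a change. The following Go program is an added example, not code from US-CERT, Lenovo, Superfish or the Certificate Patrol add-on. It builds two root CAs, issues a certificate for a hostname from each, and shows that standard chain validation accepts the forged certificate as soon as the rogue root is in the trust store, while a pinned fingerprint still catches it. The hostname `www.example.com`, the CA names and the ECDSA/P-256 keys are assumptions chosen for the demonstration; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ca is a root certificate together with its private key. A "compromised root
// CA certificate" in the sense of the US-CERT note is exactly this pair in an
// attacker's hands: with the key, any hostname can be certified.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRoot creates a self-signed root CA named cn (example parameters).
func newRoot(cn string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueLeaf signs a server certificate for host with this CA's key.
func (c *ca) issueLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainValid reports whether leaf chains to one of roots for host. This is all
// a browser without pinning checks, so a rogue root in the store wins.
func chainValid(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// fingerprint is the SHA-256 of the DER certificate: the value a
// Certificate Patrol style check stores on first visit and compares later.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// pinChanged reports whether the presented certificate differs from the pin,
// independently of whether its chain validates.
func pinChanged(pinned string, presented *x509.Certificate) bool {
	return fingerprint(presented) != pinned
}

func main() {
	legit, _ := newRoot("Legitimate Root CA")        // assumed name
	rogue, _ := newRoot("Preinstalled Rogue Root CA") // key available to the attacker
	host := "www.example.com"                         // assumed target site
	genuine, _ := legit.issueLeaf(host)
	forged, _ := rogue.issueLeaf(host)

	onlyLegit := []*x509.Certificate{legit.cert}
	withRogue := []*x509.Certificate{legit.cert, rogue.cert}
	fmt.Println("forged leaf, clean trust store:   ", chainValid(forged, onlyLegit, host))
	fmt.Println("forged leaf, rogue root installed:", chainValid(forged, withRogue, host))

	pin := fingerprint(genuine) // recorded on an earlier, honest visit
	fmt.Println("pin flags the forged leaf:        ", pinChanged(pin, forged))
	fmt.Println("pin accepts the genuine leaf:     ", pinChanged(pin, genuine))
}
```

The point of the comparison is that `chainValid` is correct and still useless once the rogue root is trusted, which is why the only user-side defence in the Superfish case was removing the root, and why a change-detecting pin catches the forgery without knowing anything about the trust store. A real pin must also cope with legitimate rotation (Certificate Patrol asks the user; software pinning usually pins the issuing key rather than the leaf), which this example leaves out.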

Mar 25

Blog Stéphane Bortzmeyer: Sécurité du pair-à-pair et composant central

Some very interesting remarks on peer-to-peer systems and their limitations, which apply among other things to voting systems, to centralized versus distributed PKI (e.g. OpenPGP, self-signed certificates, …) and to anonymity networks built on these principles (Freenet, Tor, …).

Blog Stéphane Bortzmeyer: Sécurité du pair-à-pair et composant central.