Topics: Entrust Responds; Other major Certificate Authorities respond; Passkey Redaction Attacks; Syncing passkeys; Port Knocking; Fail2Ban; The Polyfill.io Attack.
Show Notes - https://www.grc.com/sn/SN-982-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to this show at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.
Sponsors: lookout.com vanta.com/SECURITYNOW bitwarden.com/twit panoptica.app
In this episode of Storm⚡️Watch we're bracing for a tempest of cybersecurity insights. The Cyberside Chat segment takes a deep dive into the Department of Justice's recent announcement regarding AI in crimes, signaling harsher sentences akin to weapon-enhanced offenses. We explore the implications of AI's double-edged sword in criminal justice, the DOJ's Justice AI initiative, and the broader Artificial Intelligence Strategy. We also discuss federal actions to regulate AI, including the Algorithmic Accountability Act of 2022, and the Executive Order on Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government. A study on AI-modified content in peer reviews at AI conferences is examined, highlighting the challenges of distinguishing AI-generated text from human-written content. In the Cyber Spotlight, we shine a light on the National Vulnerability Database (NVD) and its recent slowdown in updates. We discuss the implications for vulnerability management and the cybersecurity community's response, including NIST's efforts to form a consortium to address these issues. Tool Time introduces the Sunlight Certificate Transparency Log, a project aimed at enhancing the scalability and reliability of Certificate Transparency logs. We delve into the new tile-based architecture and its benefits for various stakeholders, including Certificate Authorities, CT monitors and auditors, web browsers, and security researchers. We also engage in some Shameless Self-Promotion, highlighting key insights from the 2024 State of Threat Hunting Report by Censys and tracking the aftermath of Atlassian's Confluence CVE-2023-22527 with GreyNoise. Our Tag Roundup covers recent tags and active campaigns, providing a snapshot of the current threat landscape. Finally, we wrap up the episode with our KEV Roundup, discussing the latest entries in CISA's Known Exploited Vulnerabilities Catalog, and close with a fun question about our dream fictional vehicles. 
Forecast = Expect a downpour of DDoS with a chance of ransomware gusts, and keep an umbrella handy for data breach drizzles. Episode Slides >> Storm Watch Homepage >> Learn more about GreyNoise >>
Could your passwords withstand a cyber siege by expert Russian hackers? My latest podcast episode serves as a wakeup call to the cyber threats looming over us, showcasing the recent breach of Microsoft's test environment. As Sean Gerber, I dissect the pivotal missteps in password management and underscore the lifesaving grace of multi-factor authentication. We then shift gears to the bedrock of cyber training, examining message authenticity and integrity controls. By unpacking the intricacies of message digests and hashing algorithms, I highlight how they are the unsung heroes in maintaining data sanctity from sender to receiver. The digital realm's trust hinges on the integrity of digital signatures and certificates, crucial allies in the war against data manipulation. Tune in as I break down how hash functions like MD5 and SHA are your first line of defense on file-sharing platforms. But there's more: I pull back the curtain on the encrypted world of digital signatures, revealing their role in sender verification and message security. Diving into the complex trust web spun by Certificate Authorities and the X.509 standard, we explore how digital certificates serve as digital passports in the online world. Brace yourself for an enlightening journey through the landscape of email protection with S/MIME, ensuring that your virtual conversations are sealed, secure, and verifiably authentic. Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign up to join the team for free.
In today's episode of Elixir Wizards, Michael Lubas, founder of Paraxial.io, joins hosts Owen Bickford and Bilal Hankins to discuss security in the Elixir and Phoenix ecosystem. Lubas shares his insights on the most common security risks developers face, recent threats, and how Elixir developers can prepare for the future.
Topics covered:
Common security risks, including SQL injection and cross-site scripting, and how to mitigate these threats
The importance of rate limiting and bot detection to prevent spam SMS messages
Continuous security testing to maintain a secure application and avoid breaches
Tools and resources available in the Elixir and Phoenix ecosystem to enhance security
The Guardian library for authentication and authorization
Take a drink every time someone says "bot"
The difference between "bots" and AI language models
The potential for evolving authentication, such as Passkeys over WebSocket
How Elixir compares to other languages due to its immutability and the ability to trace user input
Potion Shop, a vulnerable Phoenix application designed to test security
Talking Tom, Sneaker Bots, and teenage hackers!
The importance of security awareness and early planning in application development
The impact of open-source software on application security
How to address vulnerabilities in third-party libraries
Conducting security audits and implementing security measures
Links in this episode:
Michael Lubas Email - michael@paraxial.io
LinkedIn - https://www.linkedin.com/in/michaellubas/
Paraxial.io - https://paraxial.io/
Blog/Mailing List - https://paraxial.io/blog/index
Potion Shop - https://paraxial.io/blog/potion-shop
Elixir/Phoenix Security Live Coding: Preventing SQL Injection in Ecto
Twitter - https://twitter.com/paraxialio
LinkedIn - https://www.linkedin.com/company/paraxial-io/
GenServer Social - https://genserver.social/paraxial
YouTube - https://www.youtube.com/@paraxial5874
Griffin Byatt on Sobelow: ElixirConf 2017 - Plugging the Security Holes in Your Phoenix Application (https://www.youtube.com/watch?v=w3lKmFsmlvQ)
Erlang Ecosystem Foundation: Security Working Group - https://erlef.org/wg/security
Article by Bram - Client-Side Enforcement of LiveView Security (https://blog.voltone.net/post/31)
Special Guest: Michael Lubas.
This episode features a conversation between Robert Blumen, DevOps engineer at Salesforce, and Matthew Myers, principal public key infrastructure (PKI) engineer at Salesforce. Matthew shares his experience running a certification authority (CA) within the Salesforce enterprise. He shares the rationale for the decision to take the CA in-house, explaining that becoming a certificate authority means you can become the master of your universe by establishing internal trust. A private or in-house CA can act in ways not dissimilar to a public CA, but it issues its own certificates, trusted only by internal users and systems. Using a public certificate authority can be expensive at scale, particularly for enterprises with millions (or even billions) of certificates, so an enterprise CA can be an important cost-saving measure. It adds a granular level of control over certificate issuance, such as naming conventions and the overall lifecycle. You can effectively have as many CAs as you can afford to maintain, as well as the ability to separate them by use case and environment. Further, having the ability to control access to data and to verify the identities of people, systems, and devices in-house removes cybersecurity challenges such as the recent SolarWinds supply chain attack. Matthew notes that information within a PKI is potentially insecure "as the information gets disclosed to the internet and printed on the actual certificates, which leaves them vulnerable to experienced hackers." Matthew shares the importance of onboarding and people management and the need to ensure staff doesn't buy SSL certificates externally. Myers offers some thoughts for businesses considering the DIY route, discussing the advantages and limitations of open source resources such as OpenSSL and Let's Encrypt. Identity mapping and tracking are particularly important, as you're giving certificates to people, systems, and services, and those certificates will eventually expire.
Matthew shares the benefits of a central identity store, its core features, and how it works in tandem with PKI infrastructure. There's also the need to know how many certificates you have in the wild at any given time. As a manager, the revocation infrastructure for a PKI implementation means that you're inserting yourself in the middle of every single deal, because if you're doing it correctly everything needs to validate that the certificates are genuine. When you have a real possibility of slowing down others' connections, you want to ensure that your supporting infrastructure is positioned in such a way that you are providing those responses as quickly as possible. Network latency becomes a very real thing. Auditability and the ability to trust a certificate authority are paramount. The service that creates and maintains a PKI should provide records of its development and usage so that an auditor or third party can evaluate it.
Links from this episode: Salesforce; Wikipedia page on Public Key Infrastructure; Wikipedia page on Certificate Authorities; OpenSSL; Let's Encrypt
Epicenter - Learn about Blockchain, Ethereum, Bitcoin and Distributed Technologies
Namebase is a top-level domain (TLD) name registrar that operates on the Handshake blockchain. It creates an ecosystem of TLDs that may be bought and sold using an on-chain auction mechanism. It takes a different approach to other decentralized domain name systems, as Namebase is compatible with the ICANN namespace; ICANN is the organization that governs domain names globally. Users may register TLDs that don't yet exist in the ICANN namespace, like .epicenter or .ethereum, for example, creating the opportunity for new niche domain registrars to emerge. Tieshun Roquerre, CEO of Namebase, joins us to discuss his vision for Namebase and his ambitious goal to decentralize ICANN.
Topics covered in this episode:
Tieshun's background and how he got into crypto
Why and how Namebase was created and its relationship to Handshake
Domain name systems on blockchain
The history of ICANN and how it functions
Domain name censorship and security issues surrounding certificate authorities
How they are preparing for the inevitable fork between ICANN and Handshake
How Namebase and Handshake improve on DNS and certificate authorities
Namebase's business model and roadmap
Episode links: Namebase; Handshake; Namebase on Twitter; Tieshun on Twitter
This episode is hosted by Sebastien Couture & Sunny Aggarwal. Show notes and listening options: epicenter.tv/380
SD file recovery (use Recuva), RandomStreetView (fun view of the world), Google outage (resource allocation failure), powered USB hub (when needed), what does Google know about you (use takeout), social media at work (a bad idea), Certificate Authorities (what is their function), WiFi router beamforming (a great feature), Profiles in IT (Norman Abramson, father of wireless networking and AlohaNet), importance of education (in changing times), Idea of the Week (using gravity to store energy), Trivia of the Week (first emoticon), Twitter is shuttering Periscope, and SolarWinds hack is serious (massive penetration of government and corporate networks). This show originally aired on Saturday, December 19, 2020, at 9:00 AM EST on WFED (1500 AM).
Handshake is a decentralized, permissionless naming protocol where every peer validates and is in charge of managing the root DNS naming zone, with the goal of creating an alternative to existing Certificate Authorities and naming systems. Names on the internet (top level domains, social networking handles, etc.) ultimately rely upon centralized actors with full control over a system, who are relied upon to be honest even though they are vulnerable to hacking, censorship, and corruption. Handshake aims to experiment with new ways the internet can be more secure, resilient, and socially useful with a peer-to-peer system validated by the network's participants.
Links: Website - Handshake; Website - Namebase; Website - Zeit; Website - NextDNS; Twitter - Namebase; Twitter - Tieshun Roquerre; Twitter - HandShake AIRDROP
Sponsor: Status Website; Status APP; DAPPS Website; DAPPS Email
AD Music One: Josh Woodward Release; AD Music Two: Pictures of the Floating World - Bumbling
Donate to Hashing It Out; Discuss
Welcome to this episode of Kickstart Commerce podcast, where we're doubling up to interview Mike Carson, serial entrepreneur, software developer, and founder of Park.io, and Steve Webb, partner and researcher, developer, and marketer at Park.io. In today's episode, we'll discuss: How Mike scripted and stumbled upon founding what has become a multi-million dollar business in Park.io. How Hacker News inspired Mike to embark upon another scripting journey, Gateway.io, centered around Handshake, a decentralized, permissionless naming protocol where every peer validates and is in charge of managing the root DNS naming zone, with the goal of creating an alternative to existing Certificate Authorities and naming systems. Mike and Steve reveal need-to-know tips, tricks, commission structures and steps to take for people to own a TLD, also known as a top-level domain, including emojis (WHAAAAATTTT???), using NameBase.io. In closing, don't forget to subscribe as you enjoy this week's episode via iTunes, GooglePlay, Stitcher or however you desire to listen.
In this interview, Steve sits down with Tieshun Roquerre, CEO of Namebase. The platform is an exchange, cloud wallet, and registrar for Handshake (HNS) names. Handshake is a decentralized, permissionless naming protocol where every peer validates and is in charge of managing the root DNS naming zone, with the goal of creating an alternative to existing Certificate Authorities and naming systems. Names on the internet (top-level domains, social networking handles, etc.) ultimately rely upon centralized actors with full control over a system (GoDaddy, etc.). Handshake aims to experiment with new ways the internet can be more secure, resilient, and socially useful with a peer-to-peer system validated by the network's participants. Check out more at https://www.namebase.io/ --- Support this podcast: https://anchor.fm/soundmoney/support
Russia has stated that it will disconnect from the internet as a trial exercise for full-blown cyber warfare. This idea presents many problems for Russian services, systems, and businesses, especially since they depend on global systems such as DNS and public Certificate Authorities. Join us to learn some of the problems Russia will face if it does indeed disconnect.
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Microsoft December 2018 Patch Tuesday https://isc.sans.edu/forums/diary/Microsoft+December+2018+Patch+Tuesday/24404/ Adobe Patch Tuesday https://helpx.adobe.com/security/products/acrobat/apsb18-41.html Certificate Authority Weaknesses https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf
Google is cracking down on slipshod Certificate Authorities, a fake strongman duo from Reddit, fish rain in Honduras, SpaceX scraps Mars shot for now, and we discuss the flatness of the universe. Links from this episode: - Google drops the boom on WoSign, StartCom certs for good - Firefox ready to block certificate authority that threatened Web security - Wikipedia: Idiot light - SHA-1 Broken - Fake strongman duo, Chop & Steele, that pranked a news station, started a GoFundMe to pay for legal fees after the news station sued them. - Every Year, the Sky ‘Rains Fish.’ Explanations Vary. - Aerial stocking of fish in the Uintas (Utah) - SpaceX drops plans for powered Dragon landings - Everything About Mars Is The Worst - Was the Space Shuttle a Mistake? - How Long Does it Take to get to the Asteroid Belt? - Our flat universe - How many particles in the Universe? - Numberphile
Josh and Kurt discuss airplane laptop bans, ATM hacking, pointing at things, and Certificate Authorities.
Materials Available here: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Evilrob-Xaphan-TLS-Canary-Keeping-Your-Dick-Pics-Safer.pdf
Canary: Keeping Your Dick Pics Safe(r)
Rob Bathurst (evilrob), Security Engineer and Penetration Tester
Jeff Thomas (xaphan), Senior Cyber Security Penetration Testing Specialist
The security of SSL/TLS is built on a rickety scaffolding of trust. At the core of this system is an ever-growing number of Certificate Authorities that most people (and software) take for granted. Recent attacks have exploited this inherent trust to covertly intercept, monitor and manipulate supposedly secure communications. These types of attack endanger everyone, especially when they remain undetected. Unfortunately, there are few tools that non-technical humans can use to verify that their HTTPS traffic is actually secure. We will present our research into the technical and political problems underlying SSL/TLS. We will also demonstrate a tool, currently called "Canary", that will allow all types of users to validate the digital certificates presented by services on the Internet.
Evilrob is a Security Engineer and Penetration Tester with over 14 years of experience with large network architecture and engineering. His current focus is on network security architecture, tool development, and high-assurance encryption devices. He currently spends his days contemplating new and exciting ways to do terrible things to all manner of healthcare related systems in the name of safety. Twitter: @knomes
xaphan is a "Senior Cyber Security Penetration Testing Specialist" for a happy, non-threatening US government agency. He has been a penetration tester for 17 years, but maintains his sanity with a variety of distractions. He is the author of several ancient and obsolete security tools and the creator of DEFCOIN. Twitter: @slugbait
In this episode of Hackerfunk, Fabian Wenk explains to us how Secure Socket Layer (SSL) works, where its weaknesses lie, and where on the Internet it has already blown up because of them.
Tracklist: Heifervescent – Liberty Girl; Fresh Body Shop – Wizard
Next broadcast on Saturday, 4 May 2013
Fabian Wenk :: Fabian's website
Comodo Hack :: Certificate theft at Comodo
Diginotar Hack :: Record of a crime: break-in at Diginotar
Fox-IT Analysis :: Fox-IT analysis of the Diginotar hack as PDF
Mishap at Türktrust :: Fatal mishap at Türktrust
Explanation by Türktrust :: Türktrust explains what exactly happened
Thread at CABforum :: Thread following Türktrust's explanation at CABforum
Latest Update from Türktrust :: Latest update on the Türktrust case
CABforum :: Certificate Authorities/Browser Forum
Convergence Beta :: Distributed strategy for replacing Certificate Authorities
DANE :: DNS-based Authentication of Named Entities
Certificate Patrol :: Certificate Patrol add-on for Firefox
EFF SSL Observatory :: SSL Observatory of the Electronic Frontier Foundation
CA Security Council :: CA Security Council Blog
iX article on SSL :: iX article on SSL in issue 2/2012
iX article on SSL :: iX article on SSL in issue 4/2012
c't article on SSL :: c't article on SSL in issue 9/2013
File Download (58:57 min / 88 MB)
Richard flies solo to talk to Barry Dorrans, now at Microsoft, about the recent spate of security breaches at Certificate Authorities like Comodo and DigiNotar. What can you as an IT Pro do about this recent set of hacks? Other than replacing your potentially exploited certificate, not a lot. Barry talks about how these exploits have happened, what Microsoft, Google and others are doing about it and some possible long term solutions to the problems. Check out Barry's blog at idunno.org. Barry also mentions an alternative solution to Certificate Authorities called Convergence and why Chrome won't be implementing it.
Concerned organizations say basic flaws in Web-security design may be causing many websites that display padlock icons (designed to show that they're secure) to be unsafe.