digital certificates

Pierluigi Paganini April 11, 2016
WordPress pushes Free HTTPS Encryption for all its blogs

WordPress announces “HTTPS Everywhere, Encryption for All WordPress.com Sites,” millions websites will be secured without users’ effort. WordPress is pushing free default SSL for all the website running the popular CMS and hosted on WordPress.com, that means over 26% of websites based on the most popular CMSs on the web will be secured (Statistics by W3techs). […]

Pierluigi Paganini March 09, 2016
Let’s Encrypt has already issued one Million certificates

The Electronic Frontier Foundation announced that the Let’s Encrypt Certificate Authority issued its millionth certificate. The open Certificate Authority (CA) Let’s Encrypt seems to be a success, the EFF is reaching its goals with the creation of this new certificate authority run by Internet Security Research Group (ISRG). IT giants like Mozilla, Cisco, Akamai, Automattic and […]

Pierluigi Paganini January 07, 2016
Authors digitally signed Spymel Trojan to evade detection

Zscaler ThreatLabZ detected a new infostealer malware family dubbed Spymel that uses stolen certificates to evade detection. In late December, security experts at Zscaler ThreatLabZ detected a new infostealer malware family dubbed Spymel that uses stolen certificates to evade detection. “ThreatLabZ came across yet another malware family where the authors are using compromised digital certificates to evade detection. The malware family in […]

Pierluigi Paganini October 28, 2015
The US DoD still uses SHA-1 signed certificates for use by military agencies

The United States Department of Defense is still issuing SHA-1 signed certificates for its military agencies, despite they are considered insecure. Today I have published a blog post on the Army Vulnerability Response Program (AVRP), a sort of bug bounty program specific for the US military environment. The idea is to incentive  the ethical disclosure of vulnerabilities […]

Pierluigi Paganini October 21, 2015
Businesses Using Millions of insecure SHA-1 Certificates

Experts at Netcraft discovered that nearly a million SSL SHA-1 certificates were signed with the potentially vulnerable SHA-1 hashing algorithm. Businesses Using Millions of Flawed Certificates, the news is shocking and refers the adoption of SHA-1 certificates, despite the algorithm is considered no more secure. Many big businesses, including firms like Deloitte, are still using SHA-1 certificates, […]

Pierluigi Paganini October 10, 2015
Cost of Breaking SHA-1 decreases due to a new Collision Attack

A group of researchers has demonstrated that the cost of breaking the SHA-1 hash algorithm is lower than previously estimated. The SHA-1 is still one of the most used cryptographic hash algorithm, but bad news for its supporters, a New Collision Attack Lowers Cost of Breaking it. The news is worrying, the cost and time […]

Pierluigi Paganini July 10, 2015
OpenSSL fixes Alternative chains certificate forgery flaw

OpenSSL Foundation fixed a critical issue that impacts any application that uses the popular crypto library in the authentication processes. OpenSSL Foundation has issued a security update as announced weeks ago. The patch just released fixes a mysterious security flaw affecting the OpenSSL code library, in the last weeks, the details of the vulnerability weren’t disclosed […]

Pierluigi Paganini April 23, 2015
The CozyDuke, the last Russian APT group

Kaspersky Lab discovered another APT group dubbed CozyDuke which is believed to have hacked the US Department of State and the White House. Experts at Kaspersky Lab have uncovered a new advanced persistent threat (APT) dubbed CozyDuke that targeted several high-profile organizations in the second half of 2014. Kaspersky experts have published an interesting blog post that includes […]

Pierluigi Paganini March 24, 2015
Chinese CA issued bogus digital certificates for Google domains

Google security team has recently discovered and blocked fraudulent digital certificates issued for several Google domains by a Chinese CA. On March 20, Google security team has discovered and blocked fraudulent digital certificates issued for several Google domains. The investigation revealed that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the bogus […]

Pierluigi Paganini February 05, 2015
Risks related to the use of digital certificates

A recent report published by experts at Kaspersky Lab revealed that the number of abuses for digital certificates is in constant increase. According to a recent report published by Kaspersky Lab the number of untrusted certificates used to sign malicious code is doubled in the last year. The reason is that there is the wrong […]