PKI

Pierluigi Paganini September 25, 2017
Adobe accidentally leaked online its Private PGP Key

The Adobe product security incident response team (PSIRT) accidentally published a private PGP key on its blog, once discovered the issue it quickly revoked it. On Friday, the Adobe PSIRT updated its Pretty Good Privacy (PGP) key and published the new public key on the blog post. The new key should have been valid until September […]

Pierluigi Paganini February 24, 2017
SHAttered attack, Google and CWI conducted the first SHA-1 collision attack

Experts at Google and CWI conducted the first real world collision attack against popular SHA-1 hashing algorithm, so called shattered-attack. Researchers at Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands succeeded in conducting the first real world collision attack against popular SHA-1 hashing algorithm. The researchers created two documents with different content but […]

Pierluigi Paganini January 04, 2017
Kaspersky fixing a serious problem with inspection digital certificates

Google hacker Tavis Ormandy discovered a serious flaw that affects the Kaspersky antivirus software and the way it manages inspection digital certificates. Experts from Kaspersky are solving a problem that disabled certificate validation for 400 million users. The problem was spotted by the notorious Google hacker Tavis Ormandy, the vulnerability affects the Kaspersky antivirus software […]

Pierluigi Paganini September 30, 2016
Mozilla plans to ban the Chinese CA WoSign due to trust violations

Mozilla is at the point of banning Chinese certificate authority WoSign due to a number of severe violations that could impact Internet users. Mozilla is at the point of banning Chinese certificate authority WoSign due to a number of violations, including backdating SHA -1 certificates in order to subvert deprecating certs from being trusted. According […]

Pierluigi Paganini March 09, 2016
Let’s Encrypt has already issued one Million certificates

The Electronic Frontier Foundation announced that the Let’s Encrypt Certificate Authority issued its millionth certificate. The open Certificate Authority (CA) Let’s Encrypt seems to be a success, the EFF is reaching its goals with the creation of this new certificate authority run by Internet Security Research Group (ISRG). IT giants like Mozilla, Cisco, Akamai, Automattic and […]

Pierluigi Paganini December 09, 2015
xboxlive digital certificate exposed opens users to MITM attacks

Microsoft has issued an advisory to notify customers that the private keys for an SSL/TLS digital certificate for *xboxlive.com have been disclosed. According to a security advisory published by Microsoft, the company is propagating a new certificate for the *.xboxlive.com domain because it has “inadvertently disclosed” the certificate’s contents. Microsoft confirmed the accidental disclosure of the […]

Pierluigi Paganini October 28, 2015
The US DoD still uses SHA-1 signed certificates for use by military agencies

The United States Department of Defense is still issuing SHA-1 signed certificates for its military agencies, despite they are considered insecure. Today I have published a blog post on the Army Vulnerability Response Program (AVRP), a sort of bug bounty program specific for the US military environment. The idea is to incentive  the ethical disclosure of vulnerabilities […]

Pierluigi Paganini October 21, 2015
Businesses Using Millions of insecure SHA-1 Certificates

Experts at Netcraft discovered that nearly a million SSL SHA-1 certificates were signed with the potentially vulnerable SHA-1 hashing algorithm. Businesses Using Millions of Flawed Certificates, the news is shocking and refers the adoption of SHA-1 certificates, despite the algorithm is considered no more secure. Many big businesses, including firms like Deloitte, are still using SHA-1 certificates, […]

Pierluigi Paganini October 10, 2015
Cost of Breaking SHA-1 decreases due to a new Collision Attack

A group of researchers has demonstrated that the cost of breaking the SHA-1 hash algorithm is lower than previously estimated. The SHA-1 is still one of the most used cryptographic hash algorithm, but bad news for its supporters, a New Collision Attack Lowers Cost of Breaking it. The news is worrying, the cost and time […]

Pierluigi Paganini October 09, 2015
Code Signing certificates becoming popular cybercrime commodity

Learn what Certificates as a Service stand for, discover why Code Signing certificates are a precious commodity and find out how to protect yourself online. A recent phenomenon tracked by IBM Security X-Force researchers is the CaaS (Certificates as a service). Cybercriminals would use the Dark Web for selling high-grade code certificates -which they have […]