TLS

Pierluigi Paganini January 23, 2017
Roughly 200,000 Devices still affected by the Heartbleed vulnerability

More than two years after the disclosure of the HeartBleed bug, 200,000 services are still affected. Systems susceptible to Heartbleed attacks are still too many, despite the flaw was discovered in 2014 nearly 200,000 systems are still affected. Shodan made a similar search in November 2015 when he found 238,000 results, the number dropped to 237,539 […]

Pierluigi Paganini July 07, 2016
Unmasking malware’s use of TLS without flow decryption

Researchers devised a method to unmask malware’s use of TLS without decrypting the data flow. The technique relies on analysis of observable data features. A team of security experts from Cisco demonstrated that it is possible to detect a malware in TLS connections without decrypting the traffic and block it. The researchers Blake Anderson, Subharthi Paul […]

Pierluigi Paganini May 31, 2016
CVE-2016-2107 OpenSSL Flaw still affects many Alexa Top Sites

According to the security firm High-Tech Bridge many of the Alexa Top 10,000 websites are still vulnerable to the OpenSSL flaw CVE-2016-2107. The CVE-2016-2107 flaw affecting the open-source cryptographic library could be exploited to launch a man-in-the-middle attack leveraging on the ‘Padding Oracle Attack’ that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI. According […]

Pierluigi Paganini May 26, 2016
Dozens of VISA HTTPS-protected sites vulnerable to Forbidden attack

  Dozens of HTTPS-protected websites belonging to Visa are vulnerable to Forbidden Attack, nearly 70,000 servers are at risk. A new attack technique dubbed ‘Forbidden attack’ expose dozens of HTTPS Visa sites vulnerable to cyber attacks and roughly another 70,000 servers are at risk. A group of international researchers (Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, […]

Pierluigi Paganini May 05, 2016
A High-Severity flaw in OpenSSL allows the HTTPS Traffic decryption

OpenSSL has the patches for six flaws including two high-severity bugs that could allow attackers to decrypt HTTPS traffic and execute malicious code on the server. OpenSSL just released several patches to fix vulnerabilities in the open-source cryptographic library, including a couple of high-severity flaws (CVE-2016-2107, CVE-2016-2108) that could be exploited to decrypt HTTPS Traffic. The CVE-2016-2107 could […]

Pierluigi Paganini January 30, 2016
A severe flaw in OpenSSL allows hackers to decrypt HTTPS traffic

Developers of OpenSSL issued a patch that fixes a high-severity vulnerability that allows attackers to decrypt secure traffic. The development team at the OpenSSL has issued a security patch to fix a flaw, coded as CVE-2016-0701, that could be exploited by hackers to decrypt secure traffic. The flaw was reported on January 12 by Antonio Sanso […]

Pierluigi Paganini May 08, 2015
PCI DSS 3.1 and SSLv3: It’s best time to remove the 20 year old SSL protocol

To address the risk PCI DSS 3.1 updates requirements 2.2.3, 2.3 and 4.1 to remove SSL and early TLS as examples of strong cryptography.  “The National Institute of Standards and Technology (NIST) has identified the Secure Socket Layers (SSL) v3.0 protocol as no longer being acceptable for protection of data due to inherent weaknesses within the […]

Pierluigi Paganini March 27, 2015
Bar Mitzvah attack exploits the Invariance Weakness in RC4

Bar Mitzvah is the name of a new attack on RC4-Based SSL/TLS encryption that allows disclosure of sensitive data by exploiting  a 13-Year-Old Vulnerability. Both Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) cryptographic protocols rely on the Rivest Cipher 4 (RC4) algorithm to encrypt data transfers. The problem is that the […]

Pierluigi Paganini March 21, 2015
Qualys provides SSL Labs APIs and a tool to automate SSL/TLS tests

Qualys announced the availability of free assessment SSL Labs APIs and a tool that could be used by users to automate SSL vulnerability testing for websites. The Qualys security firm recently created the Qualys SSL Labs that provided a free tool to conduct free assessment by using its APIs and a new tool that enable SSL […]

Pierluigi Paganini December 10, 2014
POODLE SSL flaw is threatening also TLS Security Protocol

Researchers at Qualys revealed that POODLE is likely to hit some of the most popular websites because the flaw also affects implementations of newer TLS. POODLE (Padding Oracle On Downgraded Legacy Encryption) is a critical vulnerability affecting SSL that was discovered in October 2014. The researchers at Google that discovered it, explained that the POODLE flaw is related […]