People have been asking (me of all persons) about a Security Audit for Enpass, or crowdfunding one.
That is actually not the problem here. Check out their thread on the support forum.
“Memory leaks on missiles don’t matter so long as the missile explodes before too much leaks.” A 1995 memo: Google Groups
Apparently, between being asked to behave responsibly by Google and the Certificate Transparency project, and LetsEncrypt eating into the profit margins in the Cert market in general, Symantec are reconsidering their presence in the CA market completely.
Cybersecurity firm Symantec Corp is considering selling its website certification business, in a deal that could fetch more than $1 billion and extricate it from a feud with Alphabet Inc’s Google, people familiar with the matter said on Tuesday.
We remember that Symantec have earlier proven themselves unable to run a CA properly. The Reuters article also nicely reminds us which other toxic snake oil assets are still part of Symantec (i.e. Blue Coat) and which are possibly recovering after having been sold off (i.e. Veritas).
»Some, er, fascinating novelties in Intel’s AMT11: uploading web apps into your firmware.«
In order to move customers from a “purchase a license” to a subscription model, AgileBits is experimenting with dropping support for local vaults, requiring cloud storage of passwords.
Discussion on Facebook pointed to Enpass, and that is actually looking like a pretty good 1Password clone.
In their continuing quest to ground the certificate market, LetsEncrypt now offers wildcard Certificates.
TLS certificates are digital passports that provide proof of identity in encrypted connections. In the past, a duopoly has been selling these through many differently branded outlets.
LetsEncrypt managed to break into this, providing TLS certificates for free and fixing other problems on the way. For example, previously these certificates had a very long lifetime. That made revocation of compromised certificates a complicated affair and discouraged certificate users from automating rollover and renewal, which in turn drove up the cost of running encrypted connections.
By doing what they do, LetsEncrypt also forced the existing TLS brands of the CA duopoly to adjust their prices and rework procedures and APIs in order to make automation simpler.
Wildcard certificates are TLS identities that work on an entire domain (*.koehntopp.info, “any name in the koehntopp.info domain”), where regular certificates only work on one specific name.
The next step is EV certificates.
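What “any name in the koehntopp.info domain” means in practice, as an added example that is not part of the original post: a small Python check of which hostnames a certificate name such as *.koehntopp.info covers, following the wildcard rules of RFC 6125 as browsers apply them (the wildcard is the whole leftmost label, it stands for exactly one label, and it never covers the bare domain). The hostnames are constructed samples.

```python
"""Hostname matching for wildcard certificate names (added example).

Rules implemented, per RFC 6125 section 6.4.3 as browsers apply them:
  * a wildcard must be the entire leftmost label ("*.example.org"),
  * it matches exactly one label, so neither the apex domain nor
    deeper subdomains are covered,
  * wildcards directly under a top-level domain ("*.info") are refused.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    # DNS names are case-insensitive; a trailing dot is the FQDN marker.
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only the leftmost label may be a wildcard, and it must be the whole
    # label: "w*.koehntopp.info" and "a.*.koehntopp.info" are rejected.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Conservative choice: require two fixed labels to the right of the
    # wildcard so that "*.info" cannot cover every site under .info.
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label, so the label counts must
    # agree. This is what excludes "koehntopp.info" and "a.b.koehntopp.info".
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_covers(names, hostname: str) -> bool:
    """True if any subjectAltName entry of a certificate covers `hostname`.

    A wildcard certificate does not cover the apex domain; in practice the
    apex is therefore added as a second name next to the wildcard.
    """
    return any(hostname_matches(name, hostname) for name in names)


if __name__ == "__main__":
    # Constructed sample: a wildcard certificate with the apex as extra name.
    san = ["koehntopp.info", "*.koehntopp.info"]
    for host in ("www.koehntopp.info", "koehntopp.info", "a.b.koehntopp.info"):
        print(host, certificate_covers(san, host))
```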
In »Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery« (PDF) a bunch of researchers from TU Berlin, TU Braunschweig and Trend Micro are testing the hypothesis that people copy code from Stack Overflow even if it is bad code.
That is, one rotten tutorial can spoil the lot:
Based on our assertion, we hypothesize that vulnerability discovery can be seeded by code snippets such as those found in top-ranked tutorials. Viewed from an adversarial standpoint, we present a novel approach for bootstrapping vulnerability discovery at scale. Our main intuition is that recurring vulnerabilities can be found by recognizing, and subsequently looking for patterns in code that correspond to the original vulnerability. We refer to instances of these patterns as code analogues throughout the rest of the paper. Our expectation is that if such a pattern recurs, so will the corresponding vulnerability.
If you do not know what Project Zero is and why it is important, it’s a good starting point.
If you know about Project Zero, it’s still a fun read because of all the parentheses that read »x declined to be interviewed for this story.«