
Category: Hackerterrorcybercyber

Symantec considers exiting the Certification business

Apparently, between being asked to behave responsibly by Google and the Certificate Transparency project, and LetsEncrypt eating into the profit margins in the Cert market in general, Symantec are reconsidering their presence in the CA market completely.

Reuters reports:

Cybersecurity firm Symantec Corp is considering selling its website certification business, in a deal that could fetch more than $1 billion and extricate it from a feud with Alphabet Inc’s Google, people familiar with the matter said on Tuesday.

We remember that Symantec have already proven themselves unable to run a CA properly. The Reuters article also nicely reminds us which other toxic snake oil assets are still part of Symantec (i.e. Blue Coat) and which are possibly recovering after having been sold off (i.e. Veritas).


Moving from 1Password to Enpass

In order to move customers from a “purchase a license” to a subscription model, AgileBits is experimenting with dropping support for local vaults, requiring cloud storage of passwords.

There is a lot of blowback in blogs and the 1Password support forums. The security professionals on Twitter frown on this quite a bit as well (Thread).

Discussion on Facebook pointed to Enpass, and that is actually looking like a pretty good 1Password clone.

Enpass on Mac, Main Screen

LetsEncrypt Wildcard Certs

In their continuing quest to ground the certificate market, LetsEncrypt now offers wildcard Certificates.

TLS Certificates are digital passports that provide proof of identity in encrypted connections. In the past, two companies, a de facto duopoly, have been selling these through many differently branded outlets.

LetsEncrypt managed to break into this, providing TLS Certificates for free and fixing other problems on the way. For example, these certificates previously had a very long lifetime, which made revoking compromised certificates a complicated affair and discouraged their users from automating rollover and renewal, driving up the cost of running encrypted connections.

By doing what they do, LetsEncrypt also forced the existing TLS brands of the CA duopoly to adjust their prices and rework procedures and APIs in order to make automation simpler.

Wildcard certificates are TLS identities that cover an entire domain (*.koehntopp.info, “any name in the koehntopp.info domain”), whereas regular certificates are valid only for one specific name.
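
As an added example (not part of the original post), the matching rule behind that sentence: a wildcard stands in for exactly one DNS label, so *.koehntopp.info covers blog.koehntopp.info but neither koehntopp.info itself nor a.b.koehntopp.info. The SAN list and hostnames below are constructed.

```python
"""Wildcard certificate name matching, following the RFC 6125 rules that
browsers apply (added example; not the post's or LetsEncrypt's own code)."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if pattern.count("*") > 1 or ("*" in pattern and p_labels[0] != "*"):
        return False  # a wildcard is only allowed as the entire leftmost label
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False  # '*.info' would cover a whole TLD; clients reject this
    if len(p_labels) != len(h_labels):
        return False  # '*' matches exactly one label, never zero or several
    # DNS names compare case-insensitively; '*' accepts any single label.
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def covered_names(san_list, hostnames):
    """Map each hostname to the first SAN entry covering it (None if none)."""
    return {
        host: next((san for san in san_list if hostname_matches(san, host)), None)
        for host in hostnames
    }


# Constructed sample: SAN entries of a hypothetical wildcard certificate,
# plus a few hostnames a client might connect to.
SAMPLE_SANS = ["*.koehntopp.info", "koehntopp.info"]
SAMPLE_HOSTS = [
    "blog.koehntopp.info",      # covered by the wildcard
    "koehntopp.info",           # the apex needs its own SAN entry
    "a.b.koehntopp.info",       # one level too deep for the wildcard
    "koehntopp.info.example",   # same label count, different domain
]

if __name__ == "__main__":
    for host, san in covered_names(SAMPLE_SANS, SAMPLE_HOSTS).items():
        print(f"{host:26} -> {san}")
```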

The next step is EV certificates.


Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery

In »Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery« (PDF) a bunch of researchers from TU Berlin, TU Braunschweig and Trend Micro are testing the hypothesis that people copy code from Stack Overflow even if it is bad code. That is, one rotten tutorial can spoil the lot:

Based on our assertion, we hypothesize that vulnerability discovery can be seeded by code snippets such as those found in top-ranked tutorials. Viewed from an adversarial standpoint, we present a novel approach for bootstrapping vulnerability discovery at scale. Our main intuition is that recurring vulnerabilities can be found by recognizing, and subsequently looking for patterns in code that correspond to the original vulnerability. We refer to instances of these patterns as code analogues throughout the rest of the paper. Our expectation is that if such a pattern recurs, so will the corresponding vulnerability.


Project Zero

Fortune has a kind of home story on Project Zero, explaining what it is, how it came to be and who the people in there are.

If you do not know what Project Zero is and why it is important, it’s a good starting point.

If you know about Project Zero, it’s still a fun read because of all the parentheses that read »x declined to be interviewed for this story.«
