Microsoft blacklists fraudulently issued SSL certificate
Microsoft released an update to blacklist an SSL certificate for one of its domain names that was issued to an unauthorized third party.
Microsoft released an update to blacklist an SSL certificate for one of its domain names that was issued to an unauthorized third party.
New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users' PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo.
While many (but not all) users are familiar with the concept of security software, there are more basic ways to protect unwary surfers from phishing sites, botnets, intrusive advertising and other unwanted visitors: DNS services.
As a safety precaution to prevent SSL server certificates being exploited for network man-in-the-middle attacks on organizations, vendors that issue SSL server certificates will begin adhering to new issuance guidelines as of Nov. 1. These new rules, as described by members of the industry group Certificate Authority/Browser Forum, mean certificate authorities (CAs) will not issue certificates that contain "internal names" and expire after Nov. 1, 2015.
It's generally accepted that antivirus programs provide a necessary protection layer, but organizations should audit such products before deploying them on their systems because many of them contain serious vulnerabilities, a researcher warned.
There's a story that when the notorious bank robber "Slick Willie" Sutton was asked why he robbed banks he replied "Because that's where the money is" (see Sutton's Law). As a strategy for maximizing the potential "take home" Sutton was, if you'll forgive the pun, right on the money even if the risk was higher than, say, knocking over a supermarket.
Tens of thousands of new digital certificates have been issued by Comodo in the wake of the "Heartbleed" security flaw, which has put Internet users' data at risk.
McAfee research indicates that a steep rise in the amount of malware signed with legitimate digital certificates -- not forged or stolen ones -- is a growing threat that raises the question whether there should be some kind of "certificate reputation services" or other method to stop certificate abuse.
Several Certificate Authorities (CAs) have formed an advocacy group called the Certificate Authority Security Council (CASC), which will focus on promoting new security standards, policies and best practices for SSL (Secure Sockets Layer) deployment on the Web.
With cyber-criminals increasingly exploiting digital certificates to undermine security the vendors with the most influence as certificate authorities have banded together to try and speak as an industry group to advocate for security best practices.
Although vendor-written, this contributed piece does not advocate a position that is particular to the author's employer and has been edited and approved by Network World editors.
An attack on a Dutch company that issues certificates used to authenticate websites was state-sponsored, according to the chief executive of Comodo, a company that also issues digital certificates and suffered a similar setback in March.
The hacker who claimed credit for breaking into systems belonging to digital certificate vendor Comodo said he has compromised another certificate authority, along with two more Comodo partners, a move that could further undermine trust in the system used to secure websites on the Internet.
Comodo Internet Security Premium came in fifth in our late 2010 roundup of free antivirus products. Although it was last among the products we tested, it did a very good job at blocking brand-new malware. Its detection of known malware lagged behind top performers, though, and it tied for the most false positives.
Ever wish there was a magical computer genie that could help you install software, set up printers, remove viruses, and solve everyday problems?