Google on Tuesday released a security update for Chrome 49 to resolve three vulnerabilities assessed with a High risk score.
Google on Tuesday released a security update for Chrome 49 to resolve three vulnerabilities assessed with a High risk score.
The RSA Conference in San Francisco is the largest annual gathering of people working in, selling to, reporting on or analyzing the security industry. Each year there are general trends that come out of the show, although trends can be in the eye of the beholder.
Free and open Certificate Authority (CA) Let’s Encrypt announced this week that it has issued more than 1 million certificates since issuing its first Digital Certificate last year.
Originally proposed by the Electronic Frontier Foundation (EFF), the initiative has already attracted support from industry leaders such as Mozilla, Cisco, Akamai, Automattic and IdenTrust, among others. Backed by the Linux Foundation, its goal is to encrypt website traffic using Transport Layer Security (TLS) to protect user data from eavesdroppers.
The organization issued its first free live digital certificate in mid-September 2015, while receiving cross signature for it only in October. Before Let’s Encrypt, CloudFlare was offering digital certificates at no cost, but the launch of this new CA was seen as a big step toward improved privacy and authentication online.
The CA launched publicly last fall and came out of private beta in early December, but its certificates have already been abused by cybercriminals. The one million certificates that Let’s Encrypt has issued in the 3 months and 6 days since launching its service in public beta are valid for 2.5 million fully-qualified domain names.
According to the EFF, 90 percent of the 2.5 million domain names that take advantage of Let’s Encrypt one million free certificates had never been reachable by browser-valid HTTPS before. Users accessing those websites can now enjoy a more secure, encrypted browsing experience.
While the initiative ultimately aims at bringing encryption to all areas of the web, there are still many more websites that are still affected by insecure protocols. Domain owners continue to rely on HTTP because of the costs and bureaucracy involved in obtaining certificates, but Let’s Encrypt wants to eliminate this hurdle by offering certificates for free and by automating the issuance and renewal process.
Internet giants such as Google also support the move to HTTPS and more secure Internet protocols, and the company has made various changes lately to encourage site owners adopt better security. It even announced that it will favor HTTPS pages over their HTTP counterparts in search results.
Despite its good intentions, Let’s Encrypt’s existence, which has already sparked Amazon to start offering free certificates too, didn’t manage to convince everyone.
David Holmes, an evangelist for F5 Networks' security solutions, has long suggested that the CA will not make the Internet more trustworthy, and argues that it will challenge the CA industry.
In a recent SecurityWeek column, Holmes explains why there was a high demand for free certificates when Let’s Encrypt launched in public beta. He also voiced fears that, because Let’s Encrypt certificates are valid for only 90 days, some website operators might forget to renew their certificates in due time, and that the overall “good” that LE is supposedly bringing along might be nothing more than a Placebo Effect.
Adobe released updates on Tuesday for its Acrobat, Reader and Digital Editions products to address several critical vulnerabilities that can lead to code execution.
Google has patched another series of Critical vulnerabilities in Android, including a remote code execution (RCE) flaw in mediaserver and several elevation of privilege (EoP) issues in various drivers and components.
The 13 security bulletins released by Microsoft as part of the March 2016 Patch Tuesday address tens of vulnerabilities in Windows, Internet Explorer, Edge, Office, Server Software, and the .NET Framework.
The Internal Revenue Service (IRS) announced on Monday that it has temporarily suspended its Identity Protection (IP) PIN tool while it further strengthens its security.
The landscape of enterprise endpoints has shifted dramatically in the last few years, as typical endpoints have evolved from laptops to mobile devices—a shift that’s likely to grow as mobile devices offer increased screen sizes and resolutions, better onscreen keyboards and more processing power.