Filed under Security
Tagged as gmail, google, SSL
A day after confirming a major security breach by Chinese hackers looking for GMail account information, Google has turned on default “https:” access for its popular Web mail service.
Google had previously added the option for GMail users to “always use https” back in July 2008 but it was turned off by default.
Last June, a group of researchers and academics released an open letter calling on Google to protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.
Now comes word that this is indeed happening:
“We are currently rolling out default https for everyone. If you’ve previously set your own https preference from Gmail Settings, nothing will change for your account. If you trust the security of your network and don’t want default https turned on for performance reasons, you can turn it off at any time by choosing “Don’t always use https” from the Settings menu. Gmail will still always encrypt the login page to protect your password. Google Apps users whose admins have not already defaulted their entire domains to https will have the same option.”
Source: ThreatPost
Filed under Security
Tagged as SSL
User complacency over certificates for applications is increasing IT security risks, an expert has suggested.
Calum Macleod, regional director of Tufin Technologies, said workers have become too used to accepting warnings that certificates for applications have expired and are accepting them without thought.
“Ask any organisation and I can guarantee you that nine out of ten have … no idea how many [security] certificates they have in their infrastructure,” he continued.
Mr Macleod also suggested that most companies will be unaware which certificates have expired and which have been updated to address any known vulnerabilities.
In addition, the expert claimed that a lack of effective key management tools has made it easier for hackers to gain credentials for firms’ IT networks.
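The inventory problem Macleod describes is easy to start on with a script. The following is an added example, not from the article or from Tufin: it classifies certificates by expiry using the dict format Python's ssl.SSLSocket.getpeercert() returns. The hostnames, issuer and dates in SAMPLE_INVENTORY are constructed for illustration, and the fixed NOW value keeps the report reproducible.

```python
import socket
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# hostnames, issuer and dates are made up for illustration.
SAMPLE_INVENTORY = {
    "mail.example.test": {
        "issuer": ((("commonName", "Example Internal CA"),),),
        "notAfter": "Jan  5 12:00:00 2010 GMT",
    },
    "vpn.example.test": {
        "issuer": ((("commonName", "Example Internal CA"),),),
        "notAfter": "Feb 10 12:00:00 2010 GMT",
    },
    "intranet.example.test": {
        "issuer": ((("commonName", "Example Internal CA"),),),
        "notAfter": "Dec 31 23:59:59 2011 GMT",
    },
}

# Fixed "now" (2010-01-20 00:00:00 UTC) so the report is reproducible.
NOW = 1263945600

def classify(cert, now=NOW, warn_days=30):
    """Return (status, days_left); status is 'expired', 'expiring' or 'ok'."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses the GMT string
    days_left = int((not_after - now) // 86400)
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def audit(inventory, now=NOW, warn_days=30):
    """Classify every certificate; anything not 'ok' needs attention."""
    return {h: classify(c, now, warn_days) for h, c in inventory.items()}


def fetch_cert(host, port=443, timeout=5):
    """Live helper (needs network): pull a host's leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for host, (status, days) in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:22} {status:8} {days:+5d} days")
```

Feeding fetch_cert() results for real hosts into audit() turns this into the missing inventory report, and an expired or unknown issuer in the output is exactly the kind of warning users should not be clicking through.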
Recent research from data security company Imperva predicted that hacking will become increasingly sophisticated in the next ten years.
The group also suggested that this will make it more important for IT security to adopt a more proactive rather than reactive approach.
Source: ihotdesk
Filed under Patches, Software
Tagged as SSL, VPN
OpenVPN released an update to respond to the OpenSSL vulnerability described in CVE-2009-3555. OpenVPN has identified a vulnerability caused by an error in OpenSSL which could be exploited by attackers to manipulate certain data and information.
OpenVPN recommends upgrading to version 2.1_rc21, which is available here.
Source: SANS Internet Storm Center
Thierry Zoller has written a nice summary of the TLS & SSLv3 renegotiation vulnerability. He covers examples, impacts, solutions, and a conclusion. It can be found here: http://www.g-sec.lu/practicaltls.pdf. The ISC previously discussed the vulnerability here: http://isc.sans.org/diary.html?storyid=7534 and the OpenSSL update here: http://isc.sans.org/diary.html?storyid=7543.
Source: SANS ISC