SSL

Update: CAs Still Accepting E-mail as Proof of Domain Ownership

In-brief: Carnegie Mellon’s CERT issued a warning that many certificate authorities continue to issue domain certificates with no more proof than the right e-mail address. Updated to include comment from GlobalSign. (Paul, 3/27/2015)

Updated: Google warns of unauthorized TLS certificates trusted by almost all OSes | Ars Technica

In-brief: Google warned its users that unauthorized digital certificates have been issued for several of its domains. The certificates are linked to an intermediary certificate authority for CNNIC, which administers China’s domain name registry. Updated with comment from Kevin Bocek of Venafi. (Paul, 3/27/2015)

Symantec: Common Security Ailments In Smart Home Technology

In-brief: A Symantec survey of smart home products found a raft of common security mistakes, from weak (or missing) authentication to exploitable software vulnerabilities.

Sabotaging Encryption Software – The Perfect Crime?

In-brief: A report from Bruce Schneier and researchers at the Universities of Wisconsin and Washington surveys the (many) ways that cryptographic protections can be weakened or subverted, and calls for research on fool-proof technologies.

EFF: SSL Records Show Superfish Attacks in the Wild

In-brief: The Electronic Frontier Foundation warned that it has evidence of man-in-the-middle attacks that take advantage of the same encryption-busting technology that Lenovo and Superfish implanted on consumer laptops.