So the other shoe dropped on April Fools Day, April 1st, but this was no joke. So that alerted, immediately alerted Google on March 20th, just last month, to this invalid certificate that they tracked down to CNNIC, China NIC, essentially, a major Chinese certificate authority. So the second it sees something that appears to come from Google, but isn't, it sends alarms out.
So Chrome comes with the knowledge of Google's valid certificate.
You cannot give somebody a certificate that looks like a Google certificate, that appears to be signed validly, but was signed by someone who is not actually trusted. You have pinned its hash, essentially, the actual entity of the certificate, and that's what you're checking against. When you "pin" a certificate, you're no longer relying upon its signature, that is, that it is signed by someone you trust, sort of a one-degree-removed trust. Chrome has all of the valid certificates pinned, that is, essentially "pinned" is the cryptographic term. Remember that somebody within MCS Holdings' network made the mistake of using Chrome to try to go to a Google property. So probably something maybe not surprising, but still certainly another example of Google throwing its weight around, was the upshot to that certificate that was discovered installed in MCS Holdings' proxy. Let's start with the security news, Steve.
Truecrypt download chip archive#
Steve: I put up an archive and said, "Here it is." Leo: Well, I think there was some concern because when the guy abandoned the project he said, "Don't use TrueCrypt, it's not safe." So this ends up improving the future and, in my feeling, giving people a calibration on where they are now, if they're TrueCrypt users. So really useful, I mean, just across the board. And to the degree that there have been forks of the source, and we know there have, it also gives those people who forked the source some specific things that they could look at and improve on. It gives people who are using it and want to keep using it an exact calibration on that. What it gives us is two things that I think are really nice. This isn't going to solve the mystery of what happened to the TrueCrypt programmer, but it's at least going to let us know whether we should be able to use TrueCrypt. Leo: Matt is, of course, Matthew Green from Johns Hopkins, the cryptographer who's doing the audit.
Truecrypt download chip full#
And I've got Matt's short version from his blog, and an analysis of the full audit and what it means. I found an interesting little blurb, actually someone tweeted it to me, I thought it was interesting, about the market in IPv4 space heating up as it becomes increasingly rarefied.Īnd the big news of the week, for our audience, at least, is that TrueCrypt, the second phase of TrueCrypt audit was completed. I'm not sure that's true, so we'll take a look at that. Microsoft, there were announcements that Microsoft was abandoning Do Not Track, the DNT header. The other part is what they replaced it with, which I found interesting. Google had another mistake where on Saturday a critical certificate of theirs expired.
Firefox has jumped forward with a really interesting idea known as "opportunistic encryption," to allow HTTP sites that don't have strong certificates to still encrypt. Google threw their weight around with China NIC that we'll talk about. It's time for Security Now!, the show where we protect your security and privacy online, 502 episodes of secure insanity with Mr.
Leo Laporte: This is Security Now! with Steve Gibson, Episode 502, recorded Tuesday, April 7th, 2015: The TrueCrypt Audit. Steve will tell us the good and the bad news next on Security Now!. How long ago was it that the TrueCrypt audit was begun? It's finally done. Quarter size (16 kbps) mp3 audio file URL: High quality (64 kbps) mp3 audio file URL: Then we take a close look at the results of the just-completed second phase of the TrueCrypt audit, which focused upon the implementation of TrueCrypt's security and privacy guarantees. Description: Leo and I catch up on a busy and interesting week of security events.
0 kommentar(er)
