Facebook farewells flaky SHA-1

Facebook has set the date: on September 30, the ancient and creaking SHA-1 hashing algorithm will make its tumbril trip and get the chop. SHA-1, designed by the NSA in 1995, is a one-way algorithm: a block of data is turned into a message digest. The digest can’t be turned back into the original message, but serves as a digital signature confirming the authenticity of (for example) the software you’ve downloaded....

June 5, 2015 · 2 min · 255 words · Omid Farhang

Firefox switching to encrypted Google search

The H-Online: An inconspicuous “s” added to various ​lines of code in its latest nightly builds means that future versions of Firefox will send all search queries to Google in encrypted form. This means that instead of HTTP, the open source browser will use the HTTPS protocol, which encrypts traffic between the web site and browser using SSL. The nightly builds will feed through, over the next few months, until the feature is, most probably, in Firefox 14....

March 22, 2012 · 2 min · 246 words · Omid Farhang

Google is globally switching its search to HTTPS by default

The H-Online: Google has announced on its Inside Search blog that it is enabling SSL encryption by default on its global search pages. The US site Google.com has been switching users to the secured HTTPS protocol since last year and now, to improve security and privacy for all its users, the company is rolling the behavior out to its international properties such as google.co.uk. As is the case on the US site, this only affects users who are signed into their Google account when visiting the site....

March 9, 2012 · 1 min · 127 words · Omid Farhang

HTTPS Everywhere reaches 2.0, comes to Chrome as beta

H-Online: Version 2.0 of the HTTPS Everywhere browser extension has been released. Where possible, the add-on automatically redirects users to more secure HTTPS connections when they access certain web pages. HTTPS Everywhere 2.0 includes an optional “Decentralised SSL Observatory” feature that detects weaknesses in encryption. When the extension detects an encryption issue, such as weak keys, it notifies users that the site they are visiting may contain security vulnerabilities that could be used to for man-in-the-middle (MITM) attacks....

March 1, 2012 · 2 min · 237 words · Omid Farhang

Twitter enables HTTPS for all signed-in users

The H-Online: Twitter has announced that it has now enabled HTTPS by default for all users signed into the micro-blogging service. By using HTTPS, all user information including log-in credentials transmitted to the company’s servers are sent using SSL encryption. This means that all data is transmitted in encrypted form and can no longer be read and exploited for fraudulent activities by attackers using tools such as the Firesheep extension for Firefox....

February 15, 2012 · 1 min · 151 words · Omid Farhang

Google plans to turn off online checks for SSL certificate validity

The H-Online: Google plans to turn off online checks for SSL certificate validity in its Chrome browser soon, according to a blog post by Adam Langley, the developer in charge of that element of the browser. Instead, the browser will use the update mechanism to receive lists of revoked certificates. When browsers make a connection, they check whether the certificate presented by the server has already been blocked by the certificate authority, using either the certificate authority’s certificate revocation lists (CRLs) or, directly and interactively, the Online Certificate Status Protocol (OCSP)....

February 7, 2012 · 2 min · 276 words · Omid Farhang

An update on attempted man-in-the-middle attacks

Google: Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate....

August 31, 2011 · 1 min · 164 words · Omid Farhang