Saturday, November 18, 2017

Tag: Secure Sockets Layer

Hackers are increasingly using Secure Sockets Layer encryption to conceal device infections, shroud data exfiltration and hide botnet communications, according to cloud security company Zscaler.
A vulnerability in the Decrypt for End-User Notification configuration parameter of Cisco AsyncOS Software for Cisco Web Security Appliances could allow an unauthenticated, remote attacker to connect to a secure website over Secure Sockets Layer (S...
An update for openssl is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, Red Hat Enterprise Linux 6.5 Telco Extended Update Support, Red Hat Enterprise Linux 6.6 Advanced Update Support, Red Hat Enterprise Linux 6.6 Telco Extended Update Support, and Red Hat Enterprise Linux 6.7 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter.

Red Hat Enterprise Linux Server AUS (v. 6.2)
SRPMS:
openssl-1.0.0-20.el6_2.9.src.rpm  MD5: 678db7d7dd2c4dcaa0a732a778643d6e  SHA-256: 802262a26e568ca280dd9680652cdb8717396a3e26c91eeaf69582d0e101847d
x86_64:
openssl-1.0.0-20.el6_2.9.i686.rpm  MD5: a730658fdb06fc3148fb201f7d4f2218  SHA-256: e2972aee87e81b7c58cafeae4f40a315af5cdd6d7cedb3b988e8869a77a1b22f
openssl-1.0.0-20.el6_2.9.x86_64.rpm  MD5: ecbe7d773f891c73b64272804b80215e  SHA-256: 7a7e8f76a1fa470d700cfac625689800a115c1f7c2b83b23629d3276604514b1
openssl-debuginfo-1.0.0-20.el6_2.9.i686.rpm  MD5: b3f0b2cdbaf0fc81cfe2c099792a88cd  SHA-256: 8eac3fa85e5887749b1d06076e5b40a632df6a5d068aeafd2edaa32574b28478
openssl-debuginfo-1.0.0-20.el6_2.9.x86_64.rpm  MD5: 1e183471a3527699430632a0c210cf91  SHA-256: 445eecf53f78a137a506574603013b08a999b86cf378a7a9655def8536065da2
openssl-devel-1.0.0-20.el6_2.9.i686.rpm  MD5: 26b8d8aa050491a6f14e94be027405f1  SHA-256: c175b3464a418246595a7f3070178377faf95780385026e8fb7f9930d94f8fde
openssl-devel-1.0.0-20.el6_2.9.x86_64.rpm  MD5: 1cb03b2a7f80b584e7d7d338d38e9b69  SHA-256: 9c90af6fcefce7f4d42be5f58ce38ca4a7ca0dbac7c84c6388ad6346a53c47b0
openssl-perl-1.0.0-20.el6_2.9.x86_64.rpm  MD5: d13ab64f99e5ab8a5887e948c8ba2e6b  SHA-256: fe003f156e1dda7a24b034c2bc2f1ccd368609df22bb12d96371087c08ac82ec
openssl-static-1.0.0-20.el6_2.9.x86_64.rpm  MD5: ffad7a0711a15a344b42bc1fc6df66a5  SHA-256: 33a93a2352c9114ab91c118050ee9d76be2a5748570f6f8f20ebb8f6b74c1547

Red Hat Enterprise Linux Server AUS (v. 6.4)
SRPMS:
openssl-1.0.0-27.el6_4.6.src.rpm  MD5: a31d6a7363a323d6d6cd3b2b86d8e3b7  SHA-256: 544f6cbb9702b2cc940a63bc4f5e4815dedeb6b0bb9fb0b460da8593f719f249
x86_64:
openssl-1.0.0-27.el6_4.6.i686.rpm  MD5: 1eed7aacfca90f99fc22a8f0616b7a3e  SHA-256: baba8346a7e35f68bb571cff1e69dadc09665303aebbdb28da03b6ad2db34efb
openssl-1.0.0-27.el6_4.6.x86_64.rpm  MD5: a2dd16a44e38c681138519d99e82abeb  SHA-256: 601031a0711fb2f591ad0cbc22bb236687f1f270296269dfa4100c7e7abe07fd
openssl-debuginfo-1.0.0-27.el6_4.6.i686.rpm  MD5: 52d4b73b26921cecded0b5eb49295b85  SHA-256: 2c66121cb6d5d93d7d407ae4f9101a7d708b93940ea8b9d2ef3049925d2ef41b
openssl-debuginfo-1.0.0-27.el6_4.6.x86_64.rpm  MD5: cf962176014fbcfac9fe611ffc9204d7  SHA-256: 2802864bf25f34cbe8eb9bd442d1b0b8944ae48ad2f2eb1863eb76d2f9826f28
openssl-devel-1.0.0-27.el6_4.6.i686.rpm  MD5: bce39dd7b66222f5aa048aeb55d95038  SHA-256: 9c69da3f1e06676b7e893a47e1aafeda436e6e645713a43b953874cbee686d2f
openssl-devel-1.0.0-27.el6_4.6.x86_64.rpm  MD5: 219df41ce6653efba18c31bf19c6159c  SHA-256: 96040b82037ca1d80f2757a59fa3a2e1189caa11c5dcc3e6eb90964ed6615cb4
openssl-perl-1.0.0-27.el6_4.6.x86_64.rpm  MD5: 2312173a2cd99700dd37af87f28607a1  SHA-256: 8cb1bc37241a68550dcbbbf6f3c5f642f5747941d54cd58420263dc477a99d2b
openssl-static-1.0.0-27.el6_4.6.x86_64.rpm  MD5: debebf325d388f14d7e4e5e5aed51424  SHA-256: c032bdd91bf082810e3e1055ad8e82d7d92fb76cbeea793a6655bc161b7a0b20

Red Hat Enterprise Linux Server AUS (v. 6.5)
SRPMS:
openssl-1.0.1e-16.el6_5.17.src.rpm  MD5: 5ac58715fa3acc201bfbbf9a815e00f6  SHA-256: 15a580360f7ffa8fe9d0016342e14e02d87d4b0539b53289b2ec64f306507737
x86_64:
openssl-1.0.1e-16.el6_5.17.i686.rpm  MD5: da3de0115faed9ec745cc09b0a741345  SHA-256: 9864089c87d87ca41eecc1dcd38eee99717b09f5d6c846d253d9f3a52c6b354a
openssl-1.0.1e-16.el6_5.17.x86_64.rpm  MD5: dd0b349d5565f02b9af39fb17c138806  SHA-256: 340745effdd83effe7eb1984ae8e8d09d227daa53db132e8dae1b8e499e4b0eb
openssl-debuginfo-1.0.1e-16.el6_5.17.i686.rpm  MD5: f11a92be85d4aa1d23028e678898d43b  SHA-256: 60644b64ef5ba9cdb3402f03cc434b5b2ea4d85c5d4d32cd19d2cbd4ca21aafa
openssl-debuginfo-1.0.1e-16.el6_5.17.x86_64.rpm  MD5: de2bb10419348c499ff0955dfc687ffa  SHA-256: 3f66efe726b4eea71cebe2092af5a0773113a8f7e8f91be83b75dc12886c2f12
openssl-devel-1.0.1e-16.el6_5.17.i686.rpm  MD5: 1cacc5dd456079b99d3a875e079bcfc8  SHA-256: 7a7291a9058caad5df7c7dc9fb62612dbc4789281236f3868e7c774b44ba772a
openssl-devel-1.0.1e-16.el6_5.17.x86_64.rpm  MD5: 34739629b756a888943e1c0e493ea4e4  SHA-256: 634c600ada6775c86a5267b582a95a217edb7b84297f5db70203ea4b8dd67eb9
openssl-perl-1.0.1e-16.el6_5.17.x86_64.rpm  MD5: 48e9c87355d20a6de39c9a884b80b62f  SHA-256: abb5d288d401308ab477aa50facc17124233c63d4bb693f95fc5e424e3a0230e
openssl-static-1.0.1e-16.el6_5.17.x86_64.rpm  MD5: 1cabfe4d64643d0a221fed979f209129  SHA-256: f52f764cf6435fff35ec8c17fffb5685b6e57c9cfa8eb2235c11b89dfba8f926

Red Hat Enterprise Linux Server EUS (v. 6.7.z)
SRPMS:
openssl-1.0.1e-42.el6_7.6.src.rpm  MD5: 07ce97b5305e7659d4162d1c16d82131  SHA-256: 212e2a96caf1698cf7fc0237d7c16074b13d105c791256b94d0dab9698b6bc28
IA-32:
openssl-1.0.1e-42.el6_7.6.i686.rpm  MD5: 2d850e7fb5f534d05e1f9bdd521b60e5  SHA-256: f0b4a62fd13063cf99834a2288465d96427d8de97bda125cf5ef797b471f8b0a
openssl-debuginfo-1.0.1e-42.el6_7.6.i686.rpm  MD5: 68eb1904283608de2220307d4fd7e496  SHA-256: e225c8183e6e4d50c727245882610e2a2b1564c28d432cc130ca096198afbb3c
openssl-devel-1.0.1e-42.el6_7.6.i686.rpm  MD5: e17d833d9ad11e8a012b5e9a965d5db5  SHA-256: 0215c8d9d0c317c612f3261872558cd6ff0da13e239c4ff5896f907fcd5064cc
openssl-perl-1.0.1e-42.el6_7.6.i686.rpm  MD5: 36f81f537ca51c70bc6143559ef099c5  SHA-256: 9cf86e465f0558e641fca393fa6a685ab72864c03f34caf807478c904dbafa14
openssl-static-1.0.1e-42.el6_7.6.i686.rpm  MD5: e48d0416cef97c8a46e5210942afd8bc  SHA-256: 43cf82fd605f1091f5a89e021f49e6bdd29bdd63972a3b190faecc7437ce502d
PPC:
openssl-1.0.1e-42.el6_7.6.ppc.rpm  MD5: 94bcde30fa845895a9c9034f1d8a9f4f  SHA-256: 493c2374648acf21f4b8cba285425656297e3c527b26d1cf89577a2fa3aae4c6
openssl-1.0.1e-42.el6_7.6.ppc64.rpm  MD5: 818946d8d93e8108008b7ab8a31c1d6b  SHA-256: f501ef06d9b628d13c3b78fada647e490e06f309c6093e72dc4ce5d40af86165
openssl-debuginfo-1.0.1e-42.el6_7.6.ppc.rpm  MD5: 114cfd8655d09ad4b019b1753988ed0a  SHA-256: a8074ad5a140c41a41d7d2b4289418c59694fdd050ee6cc68a554527fefb7439
openssl-debuginfo-1.0.1e-42.el6_7.6.ppc64.rpm  MD5: a93a53db1b4f1d355aff4ae9cd671bf7  SHA-256: 3e54f30f40346f962233ae365e0c339e49324da4f487f6863f4767952c235671
openssl-devel-1.0.1e-42.el6_7.6.ppc.rpm  MD5: b6a8687edf10f458fda128828a986371  SHA-256: 5a3f688e979ea361e5a3cfb4ce36c7f1cd63b86a4d0c7cbbd8d00de1379a104b
openssl-devel-1.0.1e-42.el6_7.6.ppc64.rpm  MD5: ec8c7064b06d0adb5f86b24e973cf45d  SHA-256: 598f464c0891147622ea9b00d8d84d8513ac53a1f1f9a3c99468a68dc73467e4
openssl-perl-1.0.1e-42.el6_7.6.ppc64.rpm  MD5: d39e8b062d3a04404473c8b1b36f7ed8  SHA-256: 5858a178f4e8c35c9e4b7bc8bd4685d60b5dd38b6a8d0f5e8fcb28dc934994e5
openssl-static-1.0.1e-42.el6_7.6.ppc64.rpm  MD5: d262d5ef30f00f5e9189b53eee433c1d  SHA-256: 2480b54187f61f0a4425c73d519fb662d703b9e5b50a13e6377da41de549af30
s390x:
openssl-1.0.1e-42.el6_7.6.s390.rpm  MD5: 9a4509252069bf9060a747a42e426d8c  SHA-256: e8e20846787b5edc60ca53b9f97795fda2aaca677eb7d2d98aee3ed287b93d2f
openssl-1.0.1e-42.el6_7.6.s390x.rpm  MD5: f71f70909bb665f51e417e42b61ef877  SHA-256: 9551ff1a71e2900434fc3ce7a47775c9137aa8284d6872cd32a67c1e15774c01
openssl-debuginfo-1.0.1e-42.el6_7.6.s390.rpm  MD5: b97586ad6482539e6df0c8fea77284a5  SHA-256: dfe1226730560b3af6a70cd8f1f9ccb1105dd0cf678f7e8127d549242abc082c
openssl-debuginfo-1.0.1e-42.el6_7.6.s390x.rpm  MD5: 8d502bd0b86e00d4f23c82afe7cafb94  SHA-256: 0eb08bb81f826cadae97ebfcbde564ee56561b2c6c43d504f63335dee9050679
openssl-devel-1.0.1e-42.el6_7.6.s390.rpm  MD5: 4150e836ad7f94894684d9753080a181  SHA-256: 3d98fb0dda48a64bb6757e3331fec7e5bbc65680b503df169f1089f2fd196702
openssl-devel-1.0.1e-42.el6_7.6.s390x.rpm  MD5: 37fecbfb17f31b8adea2d960117671d5  SHA-256: 79065e19ddf490fe0533446af42915e66e1644f41472b4635dbe508dcfbaf4c9
openssl-perl-1.0.1e-42.el6_7.6.s390x.rpm  MD5: aac3bedc311301938bbfbee0267a38bc  SHA-256: 0c8ae68aa72fcbfc174e6ea364a0923c35e61c94b68026828fefcf0f28ef09c3
openssl-static-1.0.1e-42.el6_7.6.s390x.rpm  MD5: 8f6c78cd1bd5ce68bd84b8f74de5dc47  SHA-256: 613730ac20110d721ed8518015bb61e0d5d0e75ca0112bdc8444bc6dca130759
x86_64:
openssl-1.0.1e-42.el6_7.6.i686.rpm  MD5: 2d850e7fb5f534d05e1f9bdd521b60e5  SHA-256: f0b4a62fd13063cf99834a2288465d96427d8de97bda125cf5ef797b471f8b0a
openssl-1.0.1e-42.el6_7.6.x86_64.rpm  MD5: 9dfe30dcbf8cbc742fb2f1568a320814  SHA-256: f54cc08bc502563a9a48bdb532d65c7ade3f867a4be2f4ce2cf438764af58292
openssl-debuginfo-1.0.1e-42.el6_7.6.i686.rpm  MD5: 68eb1904283608de2220307d4fd7e496  SHA-256: e225c8183e6e4d50c727245882610e2a2b1564c28d432cc130ca096198afbb3c
openssl-debuginfo-1.0.1e-42.el6_7.6.x86_64.rpm  MD5: de98ab289a3aa1df54815ba4512e8f5e  SHA-256: 28e6292f764b38c42cd9dab8a98a445d46f7bef7de94d85e7d9aa0550eba937a
openssl-devel-1.0.1e-42.el6_7.6.i686.rpm  MD5: e17d833d9ad11e8a012b5e9a965d5db5  SHA-256: 0215c8d9d0c317c612f3261872558cd6ff0da13e239c4ff5896f907fcd5064cc
openssl-devel-1.0.1e-42.el6_7.6.x86_64.rpm  MD5: 83e88397f1da07e20cb92144b5ecb783  SHA-256: 42d008f28ae13d4e1811672ea2a5b77bb87d7bb53f06e296e1d96ba1564d3d15
openssl-perl-1.0.1e-42.el6_7.6.x86_64.rpm  MD5: 146a8a64862a157f6e954dbf1f48a3a8  SHA-256: 70558d1c059dd9001e142c689f6b734328db9ed22a5f8967a05a0ec69e877a22
openssl-static-1.0.1e-42.el6_7.6.x86_64.rpm  MD5: 127c31812e733703993cd9b271cad932  SHA-256: de82b2a347d095e09f3abdc086a241c8e560c817c40dba2725064bf85768fbc4

Red Hat Enterprise Linux Server TUS (v. 6.5)
SRPMS:
openssl-1.0.1e-16.el6_5.17.src.rpm  MD5: 5ac58715fa3acc201bfbbf9a815e00f6  SHA-256: 15a580360f7ffa8fe9d0016342e14e02d87d4b0539b53289b2ec64f306507737
x86_64:
openssl-1.0.1e-16.el6_5.17.i686.rpm  MD5: da3de0115faed9ec745cc09b0a741345  SHA-256: 9864089c87d87ca41eecc1dcd38eee99717b09f5d6c846d253d9f3a52c6b354a
openssl-1.0.1e-16.el6_5.17.x86_64.rpm  MD5: dd0b349d5565f02b9af39fb17c138806  SHA-256: 340745effdd83effe7eb1984ae8e8d09d227daa53db132e8dae1b8e499e4b0eb
openssl-debuginfo-1.0.1e-16.el6_5.17.i686.rpm  MD5: f11a92be85d4aa1d23028e678898d43b  SHA-256: 60644b64ef5ba9cdb3402f03cc434b5b2ea4d85c5d4d32cd19d2cbd4ca21aafa
openssl-debuginfo-1.0.1e-16.el6_5.17.x86_64.rpm  MD5: de2bb10419348c499ff0955dfc687ffa  SHA-256: 3f66efe726b4eea71cebe2092af5a0773113a8f7e8f91be83b75dc12886c2f12
openssl-devel-1.0.1e-16.el6_5.17.i686.rpm  MD5: 1cacc5dd456079b99d3a875e079bcfc8  SHA-256: 7a7291a9058caad5df7c7dc9fb62612dbc4789281236f3868e7c774b44ba772a
openssl-devel-1.0.1e-16.el6_5.17.x86_64.rpm  MD5: 34739629b756a888943e1c0e493ea4e4  SHA-256: 634c600ada6775c86a5267b582a95a217edb7b84297f5db70203ea4b8dd67eb9
openssl-perl-1.0.1e-16.el6_5.17.x86_64.rpm  MD5: 48e9c87355d20a6de39c9a884b80b62f  SHA-256: abb5d288d401308ab477aa50facc17124233c63d4bb693f95fc5e424e3a0230e
openssl-static-1.0.1e-16.el6_5.17.x86_64.rpm  MD5: 1cabfe4d64643d0a221fed979f209129  SHA-256: f52f764cf6435fff35ec8c17fffb5685b6e57c9cfa8eb2235c11b89dfba8f926

Red Hat Enterprise Linux Server TUS (v. 6.6)
SRPMS:
openssl-1.0.1e-30.el6_6.13.src.rpm  MD5: 38dececcfb75ac52da2a72f17bb9661e  SHA-256: d8761c3fe41190614eea8c1b5ae644c4a22eb6e68e60bd1a605b8c3d6d90337f
x86_64:
openssl-1.0.1e-30.el6_6.13.i686.rpm  MD5: 8859f2839c16d4230e432a5257459bd6  SHA-256: d0b7efd479b4d8687f11f4918eb56c2f89f23147e842662d8fa7c8e93f04df81
openssl-1.0.1e-30.el6_6.13.x86_64.rpm  MD5: 9150eaceabd0c059edc9f8c1217a17c3  SHA-256: d8762b2951728c697acbf15d75d8765947b40553ccbe627e75b1735aca4fd18a
openssl-debuginfo-1.0.1e-30.el6_6.13.i686.rpm  MD5: a426f6f0b7fd346aa183d5661ea6793a  SHA-256: 16f51845dc05eb7a9c964e42cbfd7a158fe465c92edd335977ef94d56147badb
openssl-debuginfo-1.0.1e-30.el6_6.13.x86_64.rpm  MD5: 521ccd1d7d80eaa5f6a16106fbfe6d7f  SHA-256: 4daddf87dd85e0c6237e623cb6d18bc932646c754e23e1976f0c6713fa76e367
openssl-devel-1.0.1e-30.el6_6.13.i686.rpm  MD5: 06958bfdf9a50af710e43d71d7c48562  SHA-256: 516ed3f5d52e218d11ed28113c8f0bec46cc0ba0328a98a3f0df20c7b77d9cbd
openssl-devel-1.0.1e-30.el6_6.13.x86_64.rpm  MD5: c98a4d9d2f67bd7620799afe5c1b81c6  SHA-256: 0fe271b6e90a2edf720a680bce5a95001c5691331278e35dd2b814663071be0d
openssl-perl-1.0.1e-30.el6_6.13.x86_64.rpm  MD5: 9a21ef88e31dc1295b3a9f83fc009d4f  SHA-256: 07cdde29869342623d2af74affcec8f13b3f829b6d4bdbd330cb14d86ebe50ce
openssl-static-1.0.1e-30.el6_6.13.x86_64.rpm  MD5: f6cbe50b60223456f98f789b8de4acb1  SHA-256: 9d926dba715cdcd676c8917992ab11d4c9d9997aa815fdf8941b90b4652f94dc

(The unlinked packages above are only available from the Red Hat Network.) These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
Google, Apple and Mozilla will not recognize SSL/TLS certificates from WoSign and its affiliate StartCom in 2017. Here's a look at the implications.

A foundational element of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate system is that browser vendors need to trust the certificate authorities that issue certificates. For China-based CA WoSign, that trust has been lost and, as a result, hundreds of thousands of sites could have trouble in 2017 as Google, Apple and Mozilla will not recognize certificates issued by WoSign or its affiliate StartCom.

Security experts eWEEK contacted said the CA's breach of trust is serious and that they support the browser vendors' moves to distrust WoSign. Users should also heed warnings from browser vendors regarding untrusted sites.

Reasons for Certificate Revocation

The revocation of trust in WoSign has been debated since at least August 2016, when it was revealed that WoSign issued an SSL/TLS certificate for GitHub without its authorization. Mozilla conducted an extensive investigation of WoSign documenting at least 14 different security issues.

"The investigation concluded that WoSign knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and CA requirements," Andrew Whalley from the Google Chrome Security team wrote in a blog post.

Google's Chrome 56 browser will no longer trust certificates issued by either WoSign or StartCom after Oct. 21, 2016. "Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further mis-issuance," Whalley wrote. "As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56."

Mozilla revealed on Oct. 24 that it, too, would not trust WoSign and StartCom certificates issued after Oct. 21. Apple announced that it would no longer trust WoSign and StartCom certificates on Sept. 30.

Thousands of Websites Affected

The impact of the removal of trust in WoSign and StartCom is non-trivial. Security vendor RiskIQ estimates that approximately 762,649 websites use SSL/TLS certificates issued by either WoSign or StartCom.

"I absolutely think that browsers are justified in these actions," James Pleger, director of threat and security research at RiskIQ, told eWEEK. "This is an egregious breach of trust, and browser vendors must respond severely to it." Much of the web, in its current form, is built on this trust, and when companies do not adhere to trust guidelines, swift action needs to be taken, he added.

Tom Kellermann, CEO of Strategic Cyber Ventures, applauds the browser vendors for attempting to civilize cyber-space through this collective action. "I do feel that they are justified as these certificates are being exploited and manipulated by cyber-adversaries for malicious purposes," Kellermann told eWEEK.

WoSign and StartCom won't be the first certificate authorities to be blocked by the browser vendors. In 2011, Dutch CA DigiNotar was found to have issued fraudulent SSL certificates as well, and was eventually blocked and distrusted by the major browser vendors. At the time, DigiNotar was found to have issued a fraudulent SSL certificate for Google.com. The wildcard certificate could have enabled an attacker to spoof any HTTPS-secured Google domain. After an investigation, DigiNotar found that an intrusion into its CA infrastructure had resulted in the fraudulent issuance of public key certificates for a number of domains, including Google.com.

"Vendors are correct to block the CA," Georgia Weidman, founder and CTO of Shevirah, told eWEEK. "The browser vendors dragged their feet on blocking DigiNotar and that allowed the hack to proliferate further and faster than it should have."

By distrusting WoSign and StartCom, browser users that visit sites using SSL/TLS certificates issued by the two CAs will get a warning window identifying that the site's security isn't trusted. A user could still choose to click through to a site as well as to add an exception for a given site.

"Users should be very careful when creating security exceptions if the browser throws a certificate warning," Scott Petry, CEO and founder of Authentic8, told eWEEK. "If you don't know what it means, don't click. The tradeoff may be as simple as no access to the site versus compromised access to the site."

Petry added that the browser vendors' response is necessary to signal to the CAs that their practices won't work. The CAs can choose to fix the underlying practices when issuing certs or be blocked, he said.

Shane Macaulay, director of cloud security at IOActive, said a somewhat more aggressive approach to trust should be adopted by users when it comes to trusting CAs. Every pre-installed top-level trusted CA should be disabled by default, Macaulay said, adding that in such a model, the SSL/TLS libraries in a browser should present a pop-up "permission to use this CA" when you first see the use of a certificate.

"Users should be more aware and selective about the CAs they have enabled," Macaulay told eWEEK. "But providers don't make it easy to start with a secure device. For instance, if I disable the majority of CAs and then move to a new phone, they are all enabled again."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Tens of thousands of websites are affected by Google's decision to distrust the two certificate authorities. This move follows similar decisions by Apple and Mozilla.

Tens of thousands of websites using digital certificates issued by two certificate authorities to verify their online identities have been affected by a Google decision this week to discontinue trusting those certificates because of concerns over their validity.

In a blog post Oct. 31, Google said that its Chrome browser would stop trusting any certificate issued after Oct. 21 by Chinese certificate authority WoSign and Israel-based CA StartCom. Certificates issued by the two CAs before this date may continue to be trusted for a limited time, but only if the certificates comply with Google's requirements for digital certificates in Chrome, or are being used by known customers of the CAs, the company said.

Google is the third major browser maker to announce that it would no longer trust certificates from the two CAs. Apple and Mozilla announced similar decisions a few days ago.

Andrew Whalley, a member of Google's Chrome security team, said the company's decision follows an investigation into WoSign and StartCom's certificate issuance processes that it conducted along with Mozilla and members of the broader security community. "The investigation concluded that WoSign knowingly and intentionally mis-issued certificates in order to circumvent browser restrictions and CA requirements," Whalley said in the blog post.

The investigation also showed that WoSign had quietly acquired StartCom and replaced the latter's infrastructure, policies and issuance systems with its own, without notifying the browser community of the development. Instead, executives from WoSign and StartCom actively tried to hide the relationship, Whalley said, without saying how that might have benefited either CA.

In a blog post last month, Mozilla said the investigation showed WoSign intentionally backdated certain Secure Sockets Layer (SSL) certificates so it could continue issuing them even after Jan. 1, 2016, the deadline for CAs to stop issuing the certificates. Mozilla also noted the active efforts by executives from WoSign and StartCom to deny the relationship between the two companies until they were forced to acknowledge it when presented with evidence. "The levels of deception demonstrated by representatives of the combined company have led to Mozilla's decision to distrust future certificates" issued by the two companies, the blog posting noted.

When a Chrome, Safari or Firefox user accesses a website that uses digital certificates issued by WoSign or StartCom, they will receive an alert saying the site cannot be trusted or that its identity cannot be verified.

Initially, Google Chrome 56 will only stop trusting WoSign and StartCom certificates issued after Oct. 21. But future versions of the browser will stop trusting certificates issued by the two companies entirely. The staged approach is designed to give websites using certificates from the two CAs time to move to other CAs, Whalley said.

Arian Evans, vice president of product strategy at security firm RiskIQ, said the company's global index shows that 762,649 websites currently use digital certificates from WoSign and StartCom. People visiting these websites will see a "Secure Connection Failed" browser warning, he said in a blog post this week. Sites that continue using inadmissible SSL certificates could be exposed to several security threats, including man-in-the-middle attacks, domain squatting and situations where visitors are redirected to phishing and other malicious sites, Evans said.

In a statement posted on Oct. 24 and then updated Nov. 1 after Google's decision, WoSign said it would continue to carry out a thorough investigation and internal audit on all its systems. The company claimed it would also build what it described as an internal standards research team to ensure that its operations conform to international standards going forward. Employees will be required to work within those policies or face punishment, the statement claimed. "Although Mozilla's sanctions are too severe … WoSign accept[s] it," the statement said.
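The staged cut-off both articles describe (reject WoSign and StartCom certificates issued after Oct. 21, 2016; keep earlier ones only for known customers or policy-compliant certificates) and Macaulay's per-CA opt-in, written out as an added example. This is not browser code and not from either article, Google, Mozilla or WoSign. It runs on the dict that Python's stdlib ssl.SSLSocket.getpeercert() returns, so the same function can be pointed at a live connection. Assumptions: the issuer organizationName strings, the meets_policy flag that stands in for Google's compliance requirement (which the article does not detail), and every sample certificate are assumptions or constructed data.

```python
"""Staged CA distrust applied to a getpeercert()-shaped certificate dict.

Added example; not browser code. Assumptions: real browsers key the distrust
on hashes of the root public keys rather than the organizationName matched
here; meets_policy stands in for Google's unspecified compliance rule; the
enabled_cas allowlist models Macaulay's "disable every CA by default" idea.
"""
import socket
import ssl
from datetime import datetime, timezone

# organizationName values assumed to match the WoSign and StartCom roots
# (assumption: confirm against your own trust store before relying on them).
DISTRUSTED_ISSUERS = frozenset({"WoSign CA Limited", "StartCom Ltd."})
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc)


def _name_attr(name, key):
    """Fetch one attribute (e.g. organizationName) from a getpeercert() name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def staged_distrust(cert, hostname=None, known_customers=frozenset(),
                    meets_policy=False, enabled_cas=None):
    """Classify one certificate dict.

    Returns 'trusted', 'trusted-for-now', 'distrusted', or 'disabled-by-user'
    when the caller supplies an enabled-CA allowlist that excludes the issuer.
    """
    issuer = _name_attr(cert.get("issuer", ()), "organizationName")
    if enabled_cas is not None and issuer not in enabled_cas:
        return "disabled-by-user"
    if issuer not in DISTRUSTED_ISSUERS:
        return "trusted"
    # cert_time_to_seconds() parses the 'Mon DD HH:MM:SS YYYY GMT' form as UTC.
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    if not_before > CUTOFF:
        return "distrusted"          # issued after the cut-off: rejected outright
    if meets_policy or (hostname is not None and hostname in known_customers):
        return "trusted-for-now"     # pre-cut-off exemption, for a limited time
    return "distrusted"


def check_live(hostname, port=443, **policy):
    """Connect with the default context and run the policy on the real peer cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return staged_distrust(tls.getpeercert(), hostname=hostname, **policy)


def _cert(org, not_before, cn="example.test"):
    """Constructed certificate dict in getpeercert() shape (sample data only)."""
    return {
        "issuer": ((("countryName", "XX"),), (("organizationName", org),)),
        "subject": ((("commonName", cn),),),
        "notBefore": not_before,
        "notAfter": "Jan 01 00:00:00 2018 GMT",
    }


def classify_samples():
    """Run the policy over constructed samples; returns {label: verdict}."""
    late = _cert("WoSign CA Limited", "Oct 25 00:00:00 2016 GMT")
    early = _cert("StartCom Ltd.", "Mar 01 12:00:00 2016 GMT")
    other = _cert("Some Other CA", "Mar 01 12:00:00 2016 GMT")
    customers = frozenset({"example.test"})
    return {
        "late-wosign": staged_distrust(late),
        "early-startcom-known": staged_distrust(early, "example.test", customers),
        "early-startcom-unknown": staged_distrust(early, "other.test", customers),
        "early-startcom-compliant": staged_distrust(early, meets_policy=True),
        "other-ca": staged_distrust(other),
        "user-disabled": staged_distrust(other, enabled_cas=frozenset({"Trusted CA"})),
    }


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:26s} {verdict}")
```

Matching on a name string is the weak point: a CA that mis-issues certificates can also put any organizationName it likes in a root it controls, which is why the browsers pinned the roots' public-key hashes. Treat the block as the policy logic and swap in a key-hash comparison for the matching step.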
An update for openssl is now available for Red Hat Enterprise Linux 6.7 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library. (CVE-2016-2108)

* Two integer overflow flaws, leading to buffer overflows, were found in the way the EVP_EncodeUpdate() and EVP_EncryptUpdate() functions of OpenSSL parsed very large amounts of input data. A remote attacker could use these flaws to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105, CVE-2016-2106)

* It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2016-2107)

* Several flaws were found in the way BIO_*printf functions were implemented in OpenSSL. Applications which passed large amounts of untrusted data through these functions could crash or potentially execute code with the permissions of the user running such an application. (CVE-2016-0799, CVE-2016-2842)

* A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. (CVE-2016-2109)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-2108, CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, and CVE-2016-0799. Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2842, CVE-2016-2105, CVE-2016-2106, and CVE-2016-0799; and Juraj Somorovsky as the original reporter of CVE-2016-2107.

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

Red Hat Enterprise Linux Server EUS (v. 6.7.z)
SRPMS:
openssl-1.0.1e-42.el6_7.5.src.rpm  MD5: 808b585b4187578b53d016624dc79da0  SHA-256: e33f45dc75eefcad482aa713a5ec3f0cee83f38f194cd7556f36a4d178480a2c
IA-32:
openssl-1.0.1e-42.el6_7.5.i686.rpm  MD5: 21579d2ac312c85e41bfaef3f5415c22  SHA-256: 63e48e423226c883de90593cb8e59c858d48220de1ea31f9d67b6cafd3436a73
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm  MD5: 676d21489252d459503ac25b57070907  SHA-256: 58762bee1d33a1331a2dcc483bc5b7f594748d46a53908e8e9871c0222df1747
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm  MD5: fc844473e0d330f30c0cfb88bf787dd0  SHA-256: b83d8ca7aca242e30c4aace64f27f19eda1393135256eefe0147d58c458a3069
openssl-perl-1.0.1e-42.el6_7.5.i686.rpm  MD5: fcae62c5af4f881950f2f200d14e4dd8  SHA-256: 6ce53f4157afbf3c7e6998c1b5cafa2154e54b437a9834cb3737ac9b497a36e1
openssl-static-1.0.1e-42.el6_7.5.i686.rpm  MD5: 33c843d59c6184c9a3612c39f98b5785  SHA-256: f73dd7d146f301687bb75292d98aff63f29ca52e50bcac69bfb81b0585e2785f
PPC:
openssl-1.0.1e-42.el6_7.5.ppc.rpm  MD5: 7cf9f81f18e9513cf1fe64e7bb33b61f  SHA-256: 22741c8de5de710adf566993daac53a02367fbd6098380f4ce5f74eca24873b0
openssl-1.0.1e-42.el6_7.5.ppc64.rpm  MD5: 7f9b161559f07d601337ba5c089f58f3  SHA-256: 6ea58950e5b6a775d132bbb218b2b6b747658b8bab9788f05e92cdfcee96ba8f
openssl-debuginfo-1.0.1e-42.el6_7.5.ppc.rpm  MD5: 434620e6eff6c7a1759ec0513c8280a8  SHA-256: 55015ec5a98f38441c2921edf789da14239cca674547a6fedaf7fe8984fb0d81
openssl-debuginfo-1.0.1e-42.el6_7.5.ppc64.rpm  MD5: a5defabb08799810d935377f7433aa93  SHA-256: cb37ec839ea6bda905fb1f3ef0615c640a7c6c8ff5f22d07ce2f164b4f71a025
openssl-devel-1.0.1e-42.el6_7.5.ppc.rpm  MD5: 8cb7bbc52e378ce38f8c401e5c6284ea  SHA-256: f06c3832920c086df7ef1c6ef87a6137b3644486484fb22438cd7ef270b2c71d
openssl-devel-1.0.1e-42.el6_7.5.ppc64.rpm  MD5: 1784c9589265c2c4b24768260f870a60  SHA-256: d71888e97d397d29c913b7ad17483279a1af9109d7f5876c9a85e759fbb84b88
openssl-perl-1.0.1e-42.el6_7.5.ppc64.rpm  MD5: 3da9f5bbf9ae33bdad9dbfa85c5f9572  SHA-256: 35739470ca0b02c076b4d55f6b864d773668e67d2c5bf2e7d9a708f320610e9b
openssl-static-1.0.1e-42.el6_7.5.ppc64.rpm  MD5: cb6a96ae40f64e2af7a145773e9ee02c  SHA-256: 11e3e866f579e641be1ac9120b010c398e9bfebfe0aac1d26e14e3e861c399f6
s390x:
openssl-1.0.1e-42.el6_7.5.s390.rpm  MD5: 9e882af414d9523c01da85d464d50af0  SHA-256: 50c8c5cd64e72a8459553beed4dffe3fc564203824c5fc64d1f9d2aa1d8fee05
openssl-1.0.1e-42.el6_7.5.s390x.rpm  MD5: b58c35692c5d36a6f3bd85c886352991  SHA-256: a67ff7592297e8bcb28f6d3b2b20d5aae256bf33f466a587aac5d693dcd5755d
openssl-debuginfo-1.0.1e-42.el6_7.5.s390.rpm  MD5: 46f7ff2e882aa2a91e4b148e7e5055f7  SHA-256: 249f5b02580eb3c009b854225ad8b821d058785c189186502976a347fcf956e6
openssl-debuginfo-1.0.1e-42.el6_7.5.s390x.rpm  MD5: 9a1a7624e5cc8a6fc92bc85be8dac443  SHA-256: 19cbe27a1d2a5b86866b660a93c8ec38151b88ecc653231bfa556af7ff6228cb
openssl-devel-1.0.1e-42.el6_7.5.s390.rpm  MD5: e0eb00b0d229cd055b388ed96c76447c  SHA-256: 113bf5ab2de457a71d2c8b0960553677562d92a0427a647dbb9037bf14656b0e
openssl-devel-1.0.1e-42.el6_7.5.s390x.rpm  MD5: c7ba6b5878f3d6dbacfee6abb7f72e50  SHA-256: 4e87879e27924c303db690f4fb2d48c3a2e78143c5a2091a644fe76a7cb33189
openssl-perl-1.0.1e-42.el6_7.5.s390x.rpm  MD5: c9d4e49bd5aa41c507af4308d8b7f25e  SHA-256: 89a943afdb385785bef11a05ac17accf688c69555d527cc070a20ec0754e670e
openssl-static-1.0.1e-42.el6_7.5.s390x.rpm  MD5: 05fdd32e33253976e81dbad1e76fac09  SHA-256: 242faa58b512c13bb5c30a4abd9058e6051758ded923019795800fd7a73bc80c
x86_64:
openssl-1.0.1e-42.el6_7.5.i686.rpm  MD5: 21579d2ac312c85e41bfaef3f5415c22  SHA-256: 63e48e423226c883de90593cb8e59c858d48220de1ea31f9d67b6cafd3436a73
openssl-1.0.1e-42.el6_7.5.x86_64.rpm  MD5: 165c782875707fb1736822f2b127d0db  SHA-256: 75f214edc3107de2462ee82a2b790ee1a3f8c8c4922340d89f771233e3eb6ea6
openssl-debuginfo-1.0.1e-42.el6_7.5.i686.rpm  MD5: 676d21489252d459503ac25b57070907  SHA-256: 58762bee1d33a1331a2dcc483bc5b7f594748d46a53908e8e9871c0222df1747
openssl-debuginfo-1.0.1e-42.el6_7.5.x86_64.rpm  MD5: 6fadcd4088a390d726d3685a5afabc3c  SHA-256: 1491ca7530461ccb82aab3a443652f20a2ef48b18fc7f426124491603da7b48b
openssl-devel-1.0.1e-42.el6_7.5.i686.rpm  MD5: fc844473e0d330f30c0cfb88bf787dd0  SHA-256: b83d8ca7aca242e30c4aace64f27f19eda1393135256eefe0147d58c458a3069
openssl-devel-1.0.1e-42.el6_7.5.x86_64.rpm  MD5: 9447f2e521f9b328c52dd1b7820c26d0  SHA-256: 15946bb4bda18fa516d8b2a9c9695087b31022f9b99a80bf9fa6ca49cfdd84de
openssl-perl-1.0.1e-42.el6_7.5.x86_64.rpm  MD5: 5c421903cab35c54ff29059098f38e85  SHA-256: 497b8dcc8e74f5563a7779f2b09a25f2a63b65e7cece3f3d77df278a5b4f94a5
openssl-static-1.0.1e-42.el6_7.5.x86_64.rpm  MD5: db9752d6f5c22c0844ab9eab17baad9f  SHA-256: 74f423f4371d78a4f7d2e089e4bebb2cb6a15c0e31aa647fbdc43028f8851d25

(The unlinked packages above are only available from the Red Hat Network.)

1312219 - CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
1314757 - CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds
1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
1331426 - CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check
1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
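Two things an administrator does with advisories like the two above: check that the downloaded packages carry the SHA-256 digests the advisory lists, and find the services that are still running the old libssl/libcrypto after the update (the advisory's "all services linked to the OpenSSL library must be restarted"). The following is an added example, not Red Hat tooling. It assumes the package table is available as text in the fused "file MD5: ... SHA-256: ..." form shown on this page, that downloaded RPMs sit in one directory, and that the stale-library scan reads Linux /proc/<pid>/maps. SAMPLE_ADVISORY carries two real entries from the second advisory plus one constructed entry (good-0.1.rpm) whose digests are those of the bytes b"hello\n", used only so the demo can exercise the matching path offline.

```python
"""Digest check and stale-library scan around an OpenSSL RHSA.

Added example, not Red Hat tooling. Assumptions: advisory text in the fused
"file MD5: ... SHA-256: ..." form seen on the page; RPMs in one directory;
Linux /proc for the stale scan. SAMPLE_ADVISORY mixes two real entries with
one constructed entry (good-0.1.rpm, digests of b"hello\n") for the demo.
"""
import hashlib
import os
import re
import tempfile

SAMPLE_ADVISORY = (
    "x86_64: openssl-1.0.1e-42.el6_7.5.x86_64.rpm     MD5: 165c782875707fb1736822f2b127d0db"
    "SHA-256: 75f214edc3107de2462ee82a2b790ee1a3f8c8c4922340d89f771233e3eb6ea6 "
    "openssl-devel-1.0.1e-42.el6_7.5.x86_64.rpm     MD5: 9447f2e521f9b328c52dd1b7820c26d0"
    "SHA-256: 15946bb4bda18fa516d8b2a9c9695087b31022f9b99a80bf9fa6ca49cfdd84de "
    # constructed entry: MD5 and SHA-256 of the six bytes b"hello\n"
    "good-0.1.rpm MD5: b1946ac92492d2347c6235b4d2611184 "
    "SHA-256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
)

# One package entry. The MD5 group is exactly 32 hex chars, so the fused
# "...d0dbSHA-256:" text (no separator) parses the same as a clean listing.
_ENTRY = re.compile(
    r"(?P<file>[\w.+-]+\.rpm)\s+MD5:\s*(?P<md5>[0-9a-f]{32})\s*"
    r"SHA-256:\s*(?P<sha256>[0-9a-f]{64})"
)
# A mapped libssl/libcrypto whose file was replaced on disk after the process
# loaded it: the kernel shows the mapping with a "(deleted)" suffix.
_STALE = re.compile(r"/lib(ssl|crypto)\.so\S*\s+\(deleted\)\s*$")


def parse_advisory_checksums(text):
    """Return {filename: sha256}. MD5 is parsed but ignored; it is collision-broken."""
    return {m.group("file"): m.group("sha256") for m in _ENTRY.finditer(text)}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, expected):
    """Split the *.rpm files in directory into (ok, mismatched, not-in-advisory).

    A matching digest proves the file is the one the advisory lists, not that
    Red Hat built it; authenticity comes from the GPG signature (rpm -K).
    """
    ok, bad, unknown = [], [], []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".rpm"):
            continue
        want = expected.get(name)
        if want is None:
            unknown.append(name)
        elif sha256_file(os.path.join(directory, name)) == want:
            ok.append(name)
        else:
            bad.append(name)
    return ok, bad, unknown


def stale_openssl_processes(proc="/proc"):
    """PIDs still executing the pre-update libssl/libcrypto (restart candidates)."""
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as f:
                if any(_STALE.search(line) for line in f):
                    pids.append(int(entry))
        except OSError:
            continue  # process exited, or maps unreadable without root
    return sorted(pids)


def run_demo():
    """Exercise both checks on constructed files in a temp dir; returns a summary."""
    expected = parse_advisory_checksums(SAMPLE_ADVISORY)
    with tempfile.TemporaryDirectory() as tmp:
        rpms = os.path.join(tmp, "rpms")
        os.mkdir(rpms)
        with open(os.path.join(rpms, "good-0.1.rpm"), "wb") as f:
            f.write(b"hello\n")                   # matches the constructed entry
        with open(os.path.join(rpms, "openssl-1.0.1e-42.el6_7.5.x86_64.rpm"), "wb") as f:
            f.write(b"not the real package")     # listed, wrong content
        with open(os.path.join(rpms, "stray.rpm"), "wb") as f:
            f.write(b"")                          # not in the advisory at all
        ok, bad, unknown = verify_downloads(rpms, expected)

        proc = os.path.join(tmp, "proc")          # fake /proc: one stale, one clean
        for pid, path in ((4242, "/usr/lib64/libssl.so.1.0.1e (deleted)"),
                          (4243, "/usr/lib64/libssl.so.1.0.1e")):
            os.makedirs(os.path.join(proc, str(pid)))
            with open(os.path.join(proc, str(pid), "maps"), "w") as f:
                f.write(f"7f0000000000-7f0000060000 r-xp 00000000 fd:01 1234 {path}\n")
        stale = stale_openssl_processes(proc)
    return {"table_size": len(expected), "ok": ok, "bad": bad,
            "unknown": unknown, "stale_pids": stale}


if __name__ == "__main__":
    print(run_demo())
```

Run stale_openssl_processes() as root after yum has replaced the packages; every PID it returns is a service still executing the vulnerable code until restarted, which is the condition the advisory's restart note is about.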
CloudFlare aims to jump-start adoption of the next generation of internet encryption by supporting a draft standard. The Transport Layer Security 1.3 specification is not yet a finalized Internet Engineering Task Force (IETF) official standard, but that's not stopping content delivery network provider CloudFlare from implementing it.

CloudFlare announced on Sept. 20 that it is now supporting several advanced encryption technologies on its platform, including TLS 1.3, Opportunistic Encryption and HTTPS Rewrites. TLS 1.3 is the latest incarnation of the standard for encrypting data in motion across the internet, originally known as Secure Sockets Layer (SSL).

TLS succeeded SSL 3.0, which is no longer considered safe, with the TLS 1.0 specification in 1999.

The most recent formal version of TLS is the 1.2 specification, defined in 2008. "CloudFlare supports the latest draft of the TLS 1.3 specification, which is very close to the final version of the protocol," Nick Sullivan, head of cryptography at CloudFlare, told eWEEK. "We expect this draft to be standardized soon." Both the Mozilla Firefox and Google Chrome web browsers support the latest draft of TLS 1.3 as well. Sullivan noted that anyone using Firefox or Chrome with TLS 1.3 will automatically connect to CloudFlare sites with TLS 1.3. "With about 4 million CloudFlare customers today, this will encourage browser vendors to enable TLS 1.3, and we hope that this is a call for action to make that happen," he said. Among the promises of TLS 1.3 is that it can make encrypted traffic as fast as unencrypted traffic. Historically, one of the most cited reasons organizations have not deployed SSL/TLS is the performance impact it has on traffic. "TLS 1.3 decreases connection time compared to previous versions of TLS, which has remained the same since the beginning of SSL," Sullivan said. In addition, TLS 1.3 builds on top of the next-generation HTTP/2 web standard for even faster page loads.

The HTTP/2 standard was declared by the IETF to be final on Feb. 18, 2015, providing improved web traffic prioritization, control and security capabilities.
Sullivan added that encrypted sites are already faster than unencrypted sites today as a result of CloudFlare launching support for HTTP/2 in 2015. While support for TLS 1.3 helps encourage the use of encryption, CloudFlare is also taking additional measures, including support for HTTPS Rewrites and Opportunistic Encryption.
Sullivan said the HTTPS Rewrite technology was developed by CloudFlare security experts in collaboration with technologists from the Electronic Frontier Foundation (EFF), who manage the HTTPS Everywhere project. "The main difference between the two is that with HTTPS Rewrites we rewrite links on your page, and with Opportunistic Encryption we tell the browser that the site is available over an encrypted connection via an HTTP header," Sullivan explained. "Rewriting links helps fix mixed content on all browsers, while Opportunistic Encryption only works with Firefox." HTTPS Rewrites and Opportunistic Encryption are needed because many websites still mix non-HTTPS content, including images, links and videos, into HTTPS pages.
Sullivan said that CloudFlare's Automatic HTTPS Rewrites solves the problem of mixed content errors, which occur when content is loaded over unencrypted HTTP on an HTTPS site. "These errors result in a warning message or the removal of the green lock icon in the address bar," Sullivan said. "With Automatic HTTPS Rewrites, images or content that use HTTP will automatically be secured using HTTPS whenever possible." Overall, CloudFlare is working to make encryption as simple and as accessible as possible, he said. "We believe online services should be available using encryption, and that encryption should be enabled by default," Sullivan said. "These three features make it easier and more appealing than ever for customers to make encryption their default. However, the choice is ultimately up to our customers. That's why we created these features—to make the decision to encrypt a no-brainer."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.
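To make concrete what an automatic HTTPS rewrite pass does with mixed content, here is an added Go example written for this page (it is not CloudFlare's implementation). It upgrades http:// subresource URLs whose host is known to serve HTTPS and reports the mixed content it cannot fix; the host allowlist (standing in for an HTTPS Everywhere style ruleset), the tag classification and the sample page are constructed assumptions.

```go
package main

import (
	"regexp"
	"strings"
)

// How browsers treat an http:// subresource left on an https:// page: "active" content
// (scripts, frames, stylesheets, plugins) is blocked outright, "passive" content (images,
// media) loads but costs the page its lock icon. Anchor links are navigation, not mixed content.
var (
	activeTags  = map[string]bool{"script": true, "iframe": true, "link": true, "object": true, "embed": true}
	passiveTags = map[string]bool{"img": true, "audio": true, "video": true, "source": true}
)

// attrURL captures: 1 the tag name, 2 everything up to and including the opening quote of a
// src/href attribute, 3 the host, 4 the path of a plain http:// URL (https:// does not match).
var attrURL = regexp.MustCompile(`(?i)<([a-z0-9]+)([^>]*?\s(?:src|href)\s*=\s*")http://([^"/]+)([^"]*)"`)

// Report summarises what one rewrite pass did to a page.
type Report struct {
	Rewritten []string // http:// URLs upgraded to https://
	Blocked   []string // active mixed content left in place (a browser would block it)
	Warned    []string // passive mixed content left in place (a browser would warn)
}

// RewriteMixedContent upgrades http:// URLs in src/href attributes to https:// when the host
// is in httpsHosts (constructed allowlist: hosts known to serve the same content over HTTPS)
// and reports the mixed content that stays because no rule covers its host.
func RewriteMixedContent(page string, httpsHosts map[string]bool) (string, Report) {
	var rep Report
	out := attrURL.ReplaceAllStringFunc(page, func(m string) string {
		sub := attrURL.FindStringSubmatch(m)
		tag, host := strings.ToLower(sub[1]), strings.ToLower(sub[3])
		url := "http://" + sub[3] + sub[4]
		if httpsHosts[host] {
			rep.Rewritten = append(rep.Rewritten, url)
			return "<" + sub[1] + sub[2] + "https://" + sub[3] + sub[4] + `"`
		}
		switch {
		case activeTags[tag]:
			rep.Blocked = append(rep.Blocked, url)
		case passiveTags[tag]:
			rep.Warned = append(rep.Warned, url)
		}
		return m // no rule for this host: leave it, the report says what the browser will do
	})
	return out, rep
}
```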
VIDEO: Josh Aas, executive director of the Internet Security Research Group, discusses Let's Encrypt's mission and the technology that enables it. By default, the web is not secure, enabling data to travel in the clear, but that's a situation that is e...
Starting January 2017, Chrome will explicitly mark web pages as insecure if they use HTTP for transmitting sensitive data. In its self-assumed quest to make the internet a safer place for everyone, Google will soon start publicly shaming websites that ...
Updated cman packages that fix one bug are now available for Red Hat Enterprise Linux 5. The Cluster Manager (cman) utility provides user-level services for managing a Linux cluster. This update fixes the following bug:

* Due to security concerns, the Secure Sockets Layer version 3 (SSLv3) has been deprecated on the Cisco Unified Computing System (UCS) hardware with the UCS firmware. However, the prior version of the fence_cisco_ucs fence agent did not allow the Transport Layer Security version 1 (TLSv1) protocol version to be used instead. As a consequence, fence_cisco_ucs did not work with Cisco UCS devices running the latest firmware, which could cause security issues. The underlying code has been fixed so that fence_cisco_ucs now uses TLSv1.3 instead of SSLv3. Now, fence_cisco_ucs works as expected with Cisco UCS hardware running the latest firmware. (BZ#1321592)

* Fence agents that connected using the SSH protocol previously failed to log in if an identity file was used as the method of authentication.
The bug has been fixed, and the aforementioned fence agents now successfully authenticate through an identity file. (BZ#1206604)

Users of cman are advised to upgrade to these updated packages, which fix this bug. Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

(The unlinked packages above are only available from the Red Hat Network) These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
Not long ago, the sharing economy seemed to take over. Privacy was dead, and no one cared.

That was until revelations about government spying and worse came to light.

Today, it seems just as many people are sharing...but many do so with more caution. For some of us, the need to go truly anonymous is more important than ever.

But when you go to a service online and its first three choices for signup are to use your existing Google, Facebook, or Twitter account credentials, it's almost like a subtle background check. Other services, like Google, expect you to share a phone number and an older email address to sign up (and if not at initial signup, you'll need them for activations later).
So you're not exactly hiding your tracks. What do you do if you want to set up an email address that is completely secret and nameless, with no obvious connection to you whatsoever, but you don't necessarily want the hassle of (or have the chops for) setting up your own servers? This goes beyond just encrypting messages.

Anyone can do that with a Web-based email like Gmail by using a browser extension like Secure Mail by Streak.

For desktop email clients, GnuPG (Privacy Guard) or EnigMail is a must. But those don't hide who sent the message. Here are the services you should use to create that truly nameless, unidentifiable email address.

But be sure to use your powers for good.

First Step: Browse Anonymously

Your Web browser is tracking you.
It's that simple.

Cookies, and so-called unstoppable "super cookies," know where you've been and what you've done, and they're willing to share.
Sure, it's mostly about making sure you see targeted ads, but that's not much consolation for those looking to surf in private. Your browser's incognito/private mode can only do so much—sites are still going to record your IP address, for example. If you want to browse the Web anonymously (and use that private time to set up an email), you need not only a virtual private network, but also the Tor Browser, a security-laden, Mozilla-based browser from the Tor Project.
If you don't know about Tor, it's what used to be called The Onion Router; it's all about keeping you anonymous by making all the traffic you send on the Internet jump through so many servers that people on the other end can't begin to know where you really are.
It'll take longer to load a website than it would with Firefox or Chrome, but that's the price of vigilance. The Tor Browser is available in 16 languages, for Windows, Mac OS, and Linux.
It's self-contained and portable, meaning it'll run off a USB flash drive if you don't want to install it directly.
It's totally free.

Even Facebook has a Tor-secure address to protect the location of users—and let users get access in places where the social network is illegal or blocked, like China.

An estimated 1 million people use it.

There is also a version for getting Tor access to Facebook on Android devices. Don't get the impression that Tor is utterly perfect and will keep you 1,000 percent anonymous.

The criminals behind the Silk Road, among others, tried that and failed.

But it's a lot more secure than openly surfing.
It took law enforcement agencies with a lot of resources to get those bad guys.

Anonymous Email

You can set up a relatively anonymous Gmail account; you just have to lie like a bathroom rug.

That means creating a full Google account, but not providing Google your real name, location, birthday, or anything else they can use when you sign up (while using a VPN and the Tor Browser, naturally). You will eventually have to provide Google some other identifying method of contact, such as a third-party email address or a phone number. With a phone, you could use a burner/temp number; use an app like Hushed or Burner or buy a pre-paid cell phone and lie through your teeth when asked for any personal info. (Just know that even the most "secure" burner has its limits when it comes to keeping you truly anonymous.) As for that third-party email, there are anonymous email services you can use, so why use Gmail at all? The Electronic Frontier Foundation (EFF) says it's smart to use a different email provider from your personal account if you crave anonymity—that way you're less likely to get complacent and make a compromising mistake. Note that you also should use an email service that supports secure sockets layer, or SSL, encryption.

That's the basic encryption used on a Web connection to prevent casual snooping, like when you're shopping at Amazon. You'll know it's encrypted when you see HTTPS in the URL instead of just HTTP, or when a lock symbol shows up in the address bar or status bar.

The big three webmail providers (Gmail, Yahoo Mail, and Outlook.com) all support HTTPS.

Get the HTTPS Everywhere extension for Firefox, Chrome, Opera and Android to ensure that websites default to using the protocol. That's great for Web surfing, but neither HTTPS nor a VPN is enough to stay hidden when emailing. You know that. Pseudonyms in email (like anonguy55@gmail.com) aren't enough, either. Just one login without using Tor means your real IP address is recorded.

That's enough for you to be found (if the finder can get your provider to give up some records).

That's how General Petraeus got nailed. The point is, once you've gone this far, there's no reason to go back. Use a truly anonymous Web-based mail service to send your messages. Here are some of the best.

Hushmail

Recommended by the EFF and others, Hushmail's entire claim to fame is that it's Web-based, easy to use, doesn't do advertising, and has built-in encryption between members. Of course, to get all that, you have to pay for it, starting at $49.99 per year for 10GB of online storage.

There is a free version with 25MB of storage.

Businesses can use it for $5.99 per user per month, and they get their own domain name (though then you need to obfuscate your info for the Whois database). Note that Hushmail has turned over records to the feds before, and its terms of service state you can't use it for "illegal activity," so they're not going to fight court orders.

But at least they're honest about it up front.

Hide My Ass! Anonymous Email

Hide My Ass is a well-liked private VPN service that makes it a breeze for users to access content blocked at their location, not to mention providing a much higher level of privacy (hence the name).

Base price is $4.99 a month; the price goes down if you pay for multiple months at a time. HMA's Anonymous Email service is not just for VPN customers. You get an address @hmamail.com that can be set to last 24 hours, one week, one month, six months, or 12 months.

There's a countdown clock to indicate just how long you have left when reading messages.

At signup, it does ask for your existing email address, so HMA can send it a note when you get a message on the anonymous account, but it's not required.

The interface won't win any awards—Hushmail's is infinitely nicer—but it gets the job done. Note that this is for receiving only; you can't send a message out. HMA also has iOS and Android apps that provide secure mobile connections, plus privatized SMS texts and chat services with other HMA users.

Guerrilla Mail

Guerrilla Mail provides disposable, temporary email.

Technically, the address will exist forever, and never be used again.

Any messages received at the address, accessible at guerrillamail.com, only last one hour. You get a totally scrambled email address that's easily copied to the clipboard.

There's an option to use your own domain name as well, but that's probably not keeping you under the radar. Guerrilla Mail is the perfect way to create an email address to sign up for a different, more permanent-yet-anonymous email address, or to send a quick, anonymous email instantly—no signup required. You can even attach a file if it's less than 150MB in size, or use it to send someone your excess bitcoins.

Coupled with the Tor browser, Guerrilla Mail makes you practically invisible.

Mailinator

Mailinator's free, disposable email has a slick interface, but you probably don't even need it. Whenever you're asked for an email, just make up a name and stick @mailinator.com at the end.

Then visit the site, enter the name, and you'll see if it's received any messages. No signup required, though you can sign in with a Google account. Here's the problem.
If someone else comes up with the same name, then you both get access to the messages received.

There are no passwords.

There's also no sending possible.
Its FAQ states if you get an email from Mailinator, it's a guaranteed forgery.

This one is for quick service signups only, and only with the most obfuscated, obscure name you can come up with. Of course, you can pay $29/month if you want to get a 10MB storage inbox that is private just for you.

Hide-Your-Email.com

You don't get interfaces as simple as this very often. With no signup required, you enter the email name you want for an @pidmail.com address you can hand out.

The messages sent to it immediately show up.
It's that simple, though it's not for sending messages. You can reserve the address of your choice with a password, again at no cost to you.

Email On Deck

There's a two-step process to getting a free email address for receiving messages at Email On Deck, but only because step one is a CAPTCHA to make sure you're a human being, not a Web-based robot.
It randomly assigns you an obfuscated email address (like "cynthia@l7b2l48k.com"). You can click a button to be assigned another, but they're all temporary. You don't want to use this service if you plan to use the assigned address beyond, say, an hour or two.

TorGuard Email

TorGuard is another global VPN service.

This one goes for around $9.95/month to start.

The service also provides a separate Anonymous Email, with service from free (10MB offshore storage) all the way up to $49.95/year service with unlimited storage.

They all have secure GPG/PGP encryption of mail and no ads.

TrashMail.com

TrashMail.com isn't just a site but also a browser extension for Google Chrome and Firefox, so you don't even have to visit the site.

Create a new email from a number of domain options, and TrashMail.com will forward it to your regular address for the lifespan of the new address, as determined by you.

The only limit is how many forwards you can get; to go unlimited, you pay $12.99 a year.

The site provides a full address manager interface, so set up as many addresses as you like to stay anonymous and ubiquitous.
VIDEO: How do you build an app that is secure enough for a hacker conference?

LAS VEGAS—The DefCon hacker conference here at the Bally's and Paris Hotels is a massive affair with many rooms, events and workshops spread across multiple times and days. While there is a paper schedule, many hackers now rely on Hacker Tracker, which has become the de facto mobile app of the DefCon conference. The Hacker Tracker was developed by two volunteers, Whitney Champion, systems engineer at SPARC, and Seth Law, chief security officer at nVisium.

Champion built the Android version of the app while Law built the iOS version. In a video interview at DefCon, Law provided details on how Hacker Tracker is built and the steps he and Champion have taken to keep it and hacker data secure. Making a mobile app safe is not a trivial task; in fact, DefCon's sister conference, Black Hat, had to update its app this year after security firm Lookout identified multiple privacy risks. Hacker Tracker gets the information for DefCon by way of a JSON (JavaScript Object Notation) API call. "It takes quite a bit of effort to bring in all the different events and talks and make sure that they are up-to-date and proper," Law said. "So we have worked with the DefCon information booth to make sure the information is proper; then we created a JSON service that we pull the data from." The JSON call is secured with HTTPS certificate pinning, a security mechanism in which the app is "pinned" to a specific Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate and rejects any other certificate presented for the server, which limits the risk of a man-in-the-middle attack. "We keep it very simple so we don't have things like data leakage; the only call that is made is to the single API, but everything else happens on the device itself," Law explained. "There is a small database that is there and encrypted for the user that is actually using the app." Watch the full video below.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.