Apple, Google, Microsoft, and Mozilla come together to end TLS 1.0

Almost everyone has now migrated to TLS 1.2, and a few have moved to TLS 1.3.

Apple, Google, Microsoft, and Mozilla have announced a unified plan to deprecate the use of TLS 1.0 and 1.1 early in 2020.

TLS (Transport Layer Security) is used to secure connections on the Web. TLS is essential to the Web, providing the ability to form connections that are confidential, authenticated, and tamper-proof. This has made it a big focus of security research, and over the years, a number of bugs that had significant security implications have been found in the protocol. Revisions have been published to address these flaws.

The original TLS 1.0, heavily based on Netscape's SSL 3.0, was first published in January 1999. TLS 1.1 arrived in 2006, while TLS 1.2, in 2008, added new capabilities and fixed these security flaws. Irreparable security flaws in SSL 3.0 saw support for that protocol come to an end in 2014; the browser vendors now want to make a similar change for TLS 1.0 and 1.1.

Underwriters Labs refuses to share new IoT cybersecurity standard

“Too many unhealthy products will pass the bare-minimum certification process.”

UL, the 122-year-old safety standards organisation whose various marks (UL, ENEC, etc.) certify minimum safety standards in fields as diverse as electrical wiring, cleaning products, and even dietary supplements, is now tackling the cybersecurity of Internet of Things (IoT) devices with its new UL 2900 certification. But there's a problem: UL's refusal to share the text of the new standard leaves some experts wondering if UL knows what they're doing.

When Ars requested a copy of the UL 2900 docs to take a closer look at the standard, UL (formerly known as Underwriters Laboratories) declined, indicating that if we wished to purchase a copy—retail price, around £600/$800 for the full set—we were welcome to do so. Independent security researchers are also, we must assume, welcome to become UL retail customers.

"It's very concerning," Brian Knopf of I Am The Cavalry, a group of security researchers focused on public safety issues, told Ars. "Without transparency, the research community cannot help improve or audit the standards." As Ars has previously reported, Knopf is leading an effort to develop a five-star cybersecurity rating system for IoT devices.

Why Algebraic Eraser may be the riskiest cryptosystem you’ve never heard of

Researchers say there’s a fatal flaw in proposed “Internet of things” standard.

A potential standard for securing network-connected pacemakers, automobiles, and other lightweight devices has suffered a potentially game-over setback after researchers developed a practical attack that obtains its secret cryptographic key.

Known as Algebraic Eraser, the scheme is a patented way to establish public encryption keys without overtaxing the limited amounts of memory and computational resources that often constrain so-called Internet of Things (IoT) devices. Developed by scientists from Shelton, Connecticut-based SecureRF, it's similar to the Diffie-Hellman key exchange in that it allows two parties who have never met to securely establish a key over an insecure channel.

The big advantage Algebraic Eraser has had is its ability to work using only a tiny fraction of the power and computing resources required by more traditional key exchanges. Algebraic Eraser has looked so promising that it's an underlying technology in ISO/IEC AWI 29167-20, a proposed International Organization for Standardization specification for securing radio frequency identification-enabled technologies, wireless sensors, embedded systems, and other devices where security is paramount and computing resources are minimal.

NSA employee will continue to co-chair influential crypto standards group

Standards boss rejects claims that the appointment opens standards up to NSA sabotage.

A National Security Agency employee will continue to co-chair an influential group that helps to develop cryptographic standards designed to protect Internet communications, despite calls that he should be removed.

Kevin Igoe, a senior cryptographer with the NSA's Commercial Solutions Center, is one of two co-chairs of the Crypto Forum Research Group (CFRG), which provides cryptographic guidance to working groups that develop widely used standards for the Internet Engineering Task Force (IETF). On Sunday, the chair of the group that oversees appointments to the CFRG rejected a recent call that Igoe be removed in light of recent revelations that the NSA has worked to deliberately weaken international encryption standards.

"Widespread wiretapping by nation-state adversaries is a threat unlike any other in the history of the Internet, but I do not believe that preventing interested people from participating in the IRTF or IETF based solely on their affiliation will help us combat that threat," Lars Eggert, chair of the Internet Research Task Force (IRTF), wrote in an e-mail. The IRTF focuses on long-term research and is responsible for the CFRG and eight other research groups. Meanwhile, the IETF is a parallel organization that focuses on shorter term engineering standards that are crucial for the Internet, such as the Transport Layer Security (TLS) protocol for Web encryption.
