×
Encryption

HTTP 2.0 May Be SSL-Only 320

Posted by Soulskill from the take-that-nsa dept.
An anonymous reader writes "In an email to the HTTP working group, Mark Nottingham laid out the three top proposals about how HTTP 2.0 will handle encryption. The frontrunner right now is this: 'HTTP/2 to only be used with https:// URIs on the "open" Internet. http:// URIs would continue to use HTTP/1.' This isn't set in stone yet, but Nottingham said they will 'discuss formalising this with suitable requirements to encourage interoperability.' There appears to be support from browser vendors; he says they have been 'among those most strongly advocating more use of encryption.' The big goal here is to increase the use of encryption on the open web. One big point in favor of this plan is that if it doesn't work well (i.e., if adoption is poor), then they can add support for opportunistic encryption later. Going from opportunistic to mandatory encryption would be a much harder task. Nottingham adds, 'To be clear — we will still define how to use HTTP/2.0 with http:// URIs, because in some use cases, an implementer may make an informed choice to use the protocol without encryption. However, for the common case — browsing the open Web — you'll need to use https:// URIs and if you want to use the newest version of HTTP.'"
The Internet

The Operations of a Cyber Arms Dealer 18

Posted by Soulskill from the you-can't-hug-your-children-with-cyber-arms dept.
An anonymous reader writes "FireEye researchers have linked eleven distinct APT cyber espionage campaigns previously believed to be unrelated (PDF), leading them to believe that there is a shared operation that supplies and maintains malware tools and weapons used in them. The eleven campaigns they tied together were detected between July 2011 and September 2013, but it's possible and very likely that some of them were active even before then. Despite using varying techniques, tactics, and procedures, the campaigns all leveraged a common development infrastructure, and shared — in various combinations — the same malware tools, the same elements of code, binaries with the same timestamps, and signed binaries with the same digital certificates."
Encryption

Microsoft Warns Customers Away From RC4 and SHA-1 92

Posted by Soulskill from the avoiding-collisions dept.
Trailrunner7 writes "The RC4 and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm. RC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications. The company also said that as of January 2016 it will no longer will validate any code signing or root certificate that uses SHA-1."

Slashdot Top Deals