CBR: Symantec dealt major blow as Google loses trust in security certificates

CBR: Symantec dealt major blow as Google loses trust in security certificates. “Google are aiming to boost the confidence of Chrome users with engineers announcing plans to reduce trust in Symantec certificates. This gradual shift is set to reach a point in early 2018 when Chrome 64 will only trust certificates that are issued from Symantec for 279 days or less. The scale of the misissuance by Symantec has exploded from an initial 127 certificates under scrutiny, to a figure noted as at least 30,000.”

WIRED: After 3 Years, Why Gmail’s End-to-End Encryption Is Still Vapor

WIRED: After 3 Years, Why Gmail’s End-to-End Encryption Is Still Vapor. “NEARLY THREE YEARS have passed since Google announced it would offer an end-to-end encryption add-on for Gmail, a potentially massive shift in the privacy options of a piece of software used by more than a billion people. It still hasn’t materialized. And while Google insists its encryption plugin isn’t vaporware, the company’s latest move has left critics with the distinct impression that Gmail’s end-to-end encrypted future looks cloudy at best—if not altogether evaporated.”

PC World: Google’s Collision Shakes Up Computer Cryptography

PC Magazine: Google’s Collision Shakes Up Computer Cryptography. “after years of trying, Google found a way to crack the SHA-1 cryptographic hash function, a security building block that enables digital signatures and HTTPS encryption. Cracking SHA-1 requires creating a cryptographic hash collision, which is essentially when a single hash, or ‘digest’ applies to two different files.”

Washington Post: Here’s why your browser may tell you the White House website isn’t secure

The security certificate for WhiteHouse.gov is apparently invalid at this writing. “Experts told the Post that the messages are appearing because the site’s security certificate — or, very simply put, the thing that verifies that a site is what it says it is — isn’t valid. It appears the White House’s equipment isn’t configured correctly, and the old certificate was revoked or allowed to expire without getting replaced, said Kenneth White of the Open Crypto Audit project, a nonprofit dedicated to improving cybersecurity. There are perhaps hundreds of pieces of equipment and servers that need to be just right to keep the White House site up and running correctly, so it’s easy to miss something, he said.”

Ars Technica: Firefox, Chrome start calling HTTP connections insecure

Ars Technica: Firefox, Chrome start calling HTTP connections insecure. “The non-secure labelling will occur on pages delivered over HTTP that include forms. Specifically, pages that include password fields, and in Chrome, credit card fields, will put warnings in the address bar to explicitly indicate that the connection is not secure.”

TechCrunch: WhatsApp, Signal, and dangerously ignorant journalism

There is a big fight going on over whether or not WhatsApp is really secure and whether it has “backdoors.” Last week I linked to an article on the “yes” side. From TechCrunch, here’s an article on the “no” side. “There is something about encryption that brings out the worst in journalists. Because to most of them it is magic, they are always searching desperately for the proverbial man behind the curtain, without knowing what to look for. Which may explain The Guardian’s recent bizarre attack on WhatsApp, which they accused, wrongly, of having a ‘backdoor.’ And the security community erupted in rage.”