Linux Foundation rounds up vendor posse to save OpenSSL

In the wake of the Heartbleed mess, a who’s-who of tech vendors — Amazon Web Services, Google, Cisco, Dell, Facebook, IBM, Intel and others — are all aboard an effort to bolster theOpenSSL security project.

Mitigating a Missing Mobile Safari Security Feature

In the event you were too distracted by the festivities associated with the ringing in of the new year and missed the news: the internets are broken (again).

To be more specific, what has actually happened is a portion of the trust system that is the foundation of secure transactions on public IP networks has been found to be deficient, mostly due to laziness of services such as Verisign and RapidSSL and lack of knowledge/skill on the part of site owners.

The key to this deficiency lies in how SSL certificates are “signed” (a way of proving their validity). This post is not about the intricacies of public key infrastructure (PKI), so the takeaway is that certificates signed with a hash algorithm called “MD5” really cannot be trusted anymore and those that are signed with the “SHA-1” hash algorithm can be trusted (at least to the extent you trust the site you are visiting or the issuer of the certificate). If you are a site owner, make sure your current SSL certs use SHA-1 and insist that your certificate provider/authority (CA) does not use MD5 anymore.
Read More about Mitigating a Missing Mobile Safari Security Feature