Let's encrypt beta invite

Fantastic! The same day as I was mentioning them on a post about UK HTTP sniffing logs retention perspectives, Let's encrypt sent me an invite for the closed beta I subscribed to a few weeks ago.

I'm very proud to be able to experiment early with the tools that'll help convert massive chunks of the Internet to encrypted connections for everyone.

And... perfect timing, really.

#supercurioBlog #encryption



Let’s Encrypt
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG). ISRG is a California public benefit corporation, and is recognized by the IRS as a tax-exempt organization under Section 501(c)(3) of the Internal Revenue Code.

Source post on Google+

Dear UK, what are you doing?!

It might be time to throw out your current leaders.

In case anyone was ever doubting that adult content filters were just a first step for control freak authorities having no limit on how ready they are to violate any citizen privacy… here's your proof.

On the positive side, if there is any, it will only encourage every site owner to switch to HTTPS, either with their own certificates from http://letsencrypt.org or via +CloudFlare's free solution, which is sufficient to avoid HTTP request logging by ISPs in a few clicks.

I've activated that for my sites until http://letsencrypt.org is shipping. Unless you prefer to obtain full-fledged certificates, I would strongly encourage you to do that too given the current direction of things.

#supercurioBlog #security #encryption

Originally shared by +TNW

UK bill forcing ISPs to store users’ browsing history to be published today http://tnw.me/gzmimWk



UK bill forcing ISPs to store users’ browsing history on its way
New surveillance laws in the works will require broadband providers to store details of every site citizens visited in the past 12 months, reports the BBC.

Source post on Google+

Compelling story, until you read the actual warrant

+Boing Boing's article tells this story where Apple protects the user's data by providing a solution that prevents anyone, including themselves, from decrypting it.
The author even frames it as a malicious attack against software that's licensed instead of sold, which would set a terrible precedent if Apple lost.

But then if you read the warrant itself, you realize Apple indeed has the ability to bypass the locking mechanism because the device is running iOS 7, which they have done multiple times previously – although increasingly reluctantly.
This time, however, they argue that helping the DoJ would be bad PR for their brand; they changed their mind, now refuse, and somehow we get a press article depicting them as a hero protector.

Warrant:
https://ia801501.us.archive.org/27/items/gov.uscourts.nyed.376325/gov.uscourts.nyed.376325.15.0.pdf

Apple describing how they can extract data from passcode-locked pre-iOS 8 iPhones:
http://www.apple.com/privacy/docs/legal-process-guidelines-us.pdf

Did I interpret the whole thing wrong or miss something here?

#supercurioBlog #Apple #encryption



DoJ to Apple: your software is licensed, not sold, so we can force you to decrypt
The DoJ is currently trying to force Apple to decrypt data stored on a defendant’s Iphone, and Apple, to its great credit, is fighting back, arguing that on the one hand, it doesn’t have the techni…

Source post on Google+

Looking at free SSL certificates options

While letsencrypt.org is still in beta phase, is StartSSL still the best option out here?

#supercurioBlog #web #security #encryption




Source post on Google+

The title of the article is kind of a spoiler, though

+Sony, your smartwatch has a vulnerability, and it has been known and used for some time on +xda-developers

#supercurioBlog #article #encryption #spectrastudy

Originally shared by +SpectraStudy

It's a good idea today to enable the encryption mechanisms offered on our mobile devices, if not a requirement in enterprise or medical environments.
Is using an Android Wear smartwatch a compromise in our professional or personal data protection?



No data protection on Sony Smartwatch 3 (Android Wear)
A few days ago, phoneArena published an article with this title: Hackers can grab personal data from your smartwatch. Because it was only linking to a teaser for a later release and we are using on…

Source post on Google+

Spoiler: sensitive work files are not stored encrypted on their own, beyond the full-disk encryption, which has been bypassed with FROST:

https://www1.informatik.uni-erlangen.de/frost
http://www.extremetech.com/computing/150536-how-to-bypass-an-android-smartphones-encryption-and-security-put-it-in-the-freezer

And I didn't know that.

So everything is relying on bootloader security, that must be locked.

Via +Amon RA

#supercurioBlog #security #encryption



Android for Work: Demystified
Android for Work has been announced by Google only some days ago and Google promises a secure but also usable way to combine sensitive company data and private data on a single device without incre…

Source post on Google+

Large change in how disk encryption is done in Android 5.0 Lollipop preview

In previous versions of Android, encrypting your phone, aka encrypting the /data partition, meant that you had to keep using a PIN or password, which would serve as both:
– the decryption key entered during device boot (or rather a component used to decrypt the disk decryption key? I need confirmation on that)
– the lockscreen PIN or password

As you can see in the attached captures, the behavior is entirely different in Android 5.0 Lollipop (here on a Nexus 5).
The first capture shows what you see after encrypting your phone, having entered a PIN for the screen lock.
Just like before, the PIN will be asked for during boot and to unlock the device.

But now, as you can see in the second capture, you can switch back your screen security to Swipe, or even None.
Then, no password will be asked during boot or in the lock screen.
Yet your data partition is still encrypted.

Question: Where is the disk decryption key stored, and how is it protected?

I look forward to learning exactly that; hopefully a security researcher will take a look at how this new implementation functions, and whether it actually provides any security benefit after you revert Screen security from a PIN to Swipe or None.

A question to you, as all my 5.0 devices are already encrypted: can you also now trigger disk encryption without enabling a Screen security first?

Edit:
Yes, you can now indeed encrypt a tablet with Screen lock being set to Swipe or None.

#supercurioBlog #encryption


Captures: album "Android 5.0 Preview encryption"

Source post on Google+
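As an added illustration (not from the original post, and not Android's own vold code), here is a simplified model of the key-wrapping scheme behind the question above: the volume master key is random and is wrapped by a key derived from the screen-lock PIN, and when the lock is Swipe or None a fixed default password stands in for the PIN (assumption: modelled on the constant AOSP used, with PBKDF2 in place of scrypt and a SHA-256 keystream in place of AES key wrapping). The partition stays encrypted either way, but with no PIN the footer alone is enough to recover the key, which is why the bootloader lock becomes the remaining protection.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed model of Android full-disk encryption key wrapping (not AOSP's
# vold code). The master key that encrypts /data is random; the PIN only
# derives a key-encryption key (KEK) that wraps it inside the crypto footer.
# Assumption: with screen lock set to Swipe/None, a fixed default password
# takes the place of the PIN, as the AOSP "default_password" constant did.
DEFAULT_PASSWORD = b"default_password"
ITERATIONS = 100_000  # real devices use scrypt; PBKDF2 keeps this stdlib-only


def _kek(passcode: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode, salt, ITERATIONS, 32)


def _keystream(kek: bytes, n: int) -> bytes:
    # Counter-mode keystream from SHA-256 (stands in for AES key wrapping)
    blocks = (hashlib.sha256(kek + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def make_footer(passcode: Optional[bytes]) -> Tuple[dict, bytes]:
    """Encrypt the device: returns (crypto footer, master key)."""
    pw = passcode if passcode else DEFAULT_PASSWORD
    salt, master = os.urandom(16), os.urandom(32)
    kek = _kek(pw, salt)
    wrapped = bytes(a ^ b for a, b in zip(master, _keystream(kek, 32)))
    tag = hmac.new(kek, wrapped, "sha256").digest()  # detects a wrong KEK
    return {"salt": salt, "wrapped": wrapped, "tag": tag}, master


def unlock(footer: dict, passcode: Optional[bytes]) -> Optional[bytes]:
    """Boot-time unwrap: master key on success, None on wrong passcode."""
    pw = passcode if passcode else DEFAULT_PASSWORD
    kek = _kek(pw, footer["salt"])
    expected = hmac.new(kek, footer["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, footer["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(footer["wrapped"], _keystream(kek, 32)))


def recoverable_without_secret(footer: dict) -> bool:
    """The risk the post asks about: does the footer alone yield the key?"""
    return unlock(footer, DEFAULT_PASSWORD) is not None
```

Running `make_footer(b"1234")` and `make_footer(None)` side by side shows the difference: the first footer only unwraps with the PIN, the second unwraps with the default password that anyone who can read the partition already knows.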