PHP Now Supports Argon2 Next-Generation Password Hashing Algorithm

An anonymous reader quotes Bleeping Computer: PHP got a whole lot more secure this week with the release of the 7.2 branch, a version that improves and modernizes the language’s support for cryptography and password hashing algorithms. Of all changes, the most significant is, by far, the support for Argon2, a password hashing algorithm developed in the early 2010s. Back in 2015, Argon2 beat 23 other algorithms to win the Password Hashing Competition, and is now in the midst of becoming a universally recognized Internet standard at the Internet Engineering Task Force (IETF), the reward for winning the contest. The algorithm is currently considered to be superior to Bcrypt, today’s most widely used password hashing function, in terms of both security and cost-effectiveness, and is also slated to become a favorite among cryptocurrencies, as it can also handle proof-of-work operations. The other major change in PHP 7.2 was the removal
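As an added worked example (not code from Bleeping Computer, the PHP project or the Argon2 authors), here is how the new support is used in practice through PHP's existing `password_hash()` / `password_verify()` / `password_needs_rehash()` API, including the check a practitioner wants before relying on it: PHP 7.2 exposes Argon2 only as `PASSWORD_ARGON2I`, and only when the interpreter was built with `--with-password-argon2` (libargon2), so the code falls back to bcrypt when the constant is absent. The memory/time/thread costs and the bcrypt cost are values chosen for this example and should be benchmarked on the target hardware; the legacy bcrypt hash is constructed inline to stand in for a row in an existing user table.

```php
<?php
declare(strict_types=1);

// Example tuning; benchmark on your own hardware. memory_cost is in KiB.
const ARGON2_OPTIONS = [
    'memory_cost' => 1 << 16, // 64 MiB
    'time_cost'   => 4,
    'threads'     => 2,
];
const BCRYPT_OPTIONS = ['cost' => 12];

// PASSWORD_ARGON2I is only defined when PHP was compiled against libargon2.
// (No return type hint: the constant is an int in PHP 7.x and a string in 8.x.)
function preferred_algo()
{
    return defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_BCRYPT;
}

function preferred_options(): array
{
    return defined('PASSWORD_ARGON2I') ? ARGON2_OPTIONS : BCRYPT_OPTIONS;
}

function hash_password(string $plain): string
{
    $hash = password_hash($plain, preferred_algo(), preferred_options());
    if ($hash === false) { // PHP 7.x signals failure with false; 8.x throws
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Verifies a login; if the stored hash uses an older algorithm or weaker
// parameters, returns a fresh hash for the caller to write back to storage.
// password_verify() accepts any crypt()-style hash, so old bcrypt rows keep working.
function verify_and_upgrade(string $plain, string $stored): array
{
    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    $upgraded = password_needs_rehash($stored, preferred_algo(), preferred_options())
        ? hash_password($plain)
        : null;
    return [true, $upgraded];
}

// Constructed demo data: a legacy bcrypt hash standing in for an existing user row.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

[$ok, $newHash] = verify_and_upgrade('correct horse battery staple', $legacy);
printf("login ok: %s, rehash needed: %s\n", var_export($ok, true), $newHash === null ? 'no' : 'yes');
if ($newHash !== null) {
    // On a PHP 7.2 build with Argon2 the new hash starts with "$argon2i$".
    printf("new hash prefix: %s\n", substr($newHash, 0, 9));
}

[$bad, ] = verify_and_upgrade('wrong password', $legacy);
printf("wrong password accepted: %s\n", var_export($bad, true)); // false
```

The rehash-on-login pattern is the only way to migrate existing hashes: a stored bcrypt hash cannot be converted to Argon2 without the plaintext, so each user's row is upgraded the next time they authenticate successfully. Argon2id, the variant the IETF draft recommends for password hashing, is not available in 7.2; it arrived as `PASSWORD_ARGON2ID` in PHP 7.3.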


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/BFCAz2RcS2E/php-now-supports-argon2-next-generation-password-hashing-algorithm


It’s time to turn on HTTPS: The benefits are well worth the effort

After Edward Snowden revealed that online communications were being collected en masse by some of the world’s most powerful intelligence agencies, security experts called for encryption of the entire web. Four years later, it looks like we’ve passed the tipping point.
The number of websites supporting HTTPS — HTTP over encrypted SSL/TLS connections — has skyrocketed over the past year. There are many benefits to turning on encryption, so if your website does not yet support the technology it’s time to make the move.
Recent telemetry data from Google Chrome and Mozilla Firefox shows that over 50 percent of web traffic is now encrypted, both on computers and mobile devices. Most of that traffic goes to a few large websites, but even so, it’s a jump of over 10 percentage points since a year ago.


Original URL: http://www.computerworld.com/article/3180690/security/its-time-to-turn-on-https-the-benefits-are-well-worth-the-effort.html#tk.rss_all


Google Open Sources Encrypted Email Extension For Chrome

Last week Google released E2EMail, “a Gmail client that exchanges OpenPGP mail.” Google’s documentation promises that “Any email sent from the app is also automatically signed and encrypted… The target is a simple user experience — install app, approve permissions, start reading or send sending messages.” Trailrunner7 quotes On The Wire:
People have been trying to find a replacement for PGP almost since the day it was released, and with limited success. Encrypted email is still difficult to use and painful to implement in most cases, but Google has just released a Chrome plugin designed to address those problems.

The new E2EMail extension doesn’t turn a user’s Gmail inbox into an encrypted mail client. Rather, it is a replacement that gives users a separate inbox for encrypted messages. The system is built on Google’s end-to-end encryption library, and the company has released E2EMail as an open-source project.

Wired quotes a web security


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/5yK8CVPJtFE/google-open-sources-encrypted-email-extension-for-chrome


Google has broken SHA-1 encryption

After two years of research, Google has shown that it has successfully broken SHA-1 encryption. The company is yet to release details of how it achieved the first SHA-1 “collision”, but has released a proof of concept. In keeping with its own disclosure policy, details of how the encryption was effectively broken will be released after 90 days. In the meantime, you can take a look at two specially-crafted PDF files that have identical SHA-1 hashes but different content (the definition of a collision). The implications of the revelation are perhaps not as far-reaching as some people might expect. While…


Original URL: https://betanews.com/2017/02/23/sha-1-collision-google/


Firefox Users Reach HTTPS Encryption Milestone

For the first time ever, secure HTTPS encryption was used for over half the pageloads served to Mozilla users, representing a big milestone for encryption. TechCrunch reports on the telemetry data tweeted by the Head of Let’s Encrypt:

Mozilla, which is one of the organizations backing Let’s Encrypt, was reporting that 40% of page views were encrypted as of December 2015. So it’s an impressively speedy rise…

The Let’s Encrypt initiative, which exited beta back in April, is doing some of that work by providing sites with free digital certificates to help accelerate the switch to HTTPS. According to [co-founder Josh] Aas, Let’s Encrypt added more than a million new active certificates in the past week — which is also a significant step up. In the initiative’s first six months (when still in beta) it only issued around 1.7 million certificates in all.

The “50% HTTPS” figure is just a one-day


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/kgfN56NOiBs/firefox-users-reach-https-encryption-milestone


Firefox blocks websites with vulnerable encryption keys

To protect users from cryptographic attacks that can compromise secure web connections, the popular Firefox browser will block access to HTTPS servers that use weak Diffie-Hellman keys.

Diffie-Hellman is a key exchange protocol that is slowly replacing the widely used RSA key agreement for the TLS (Transport Layer Security) protocol. Unlike RSA, Diffie-Hellman can be used with TLS’s ephemeral modes, which provide forward secrecy — a property that prevents the decryption of previously captured traffic if the key is cracked at a later time.

However, in May 2015, a team of researchers devised a downgrade attack that could compromise the encryption connection between browsers and servers if those servers supported DHE_EXPORT, a version of Diffie-Hellman key exchange imposed on exported cryptographic systems by the National Security Agency in the 1990s and which limited the key size to 512 bits. In May 2015 around 7 percent of websites on the internet were vulnerable


Original URL: http://www.computerworld.com/article/3126030/security/firefox-blocks-websites-with-vulnerable-encryption-keys.html#tk.rss_all


Here’s what you should know, and do, about the Yahoo breach

Yahoo’s announcement that state-sponsored hackers stole the details of at least 500 million accounts shocks both through scale — it’s the largest data breach ever — and the potential security implications for users.
That’s because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users’ online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.


Original URL: http://www.computerworld.com/article/3123399/security/heres-what-you-should-know-and-do-about-the-yahoo-breach.html#tk.rss_all


Yahoo confirms ‘state-sponsored’ attack and theft of 500 million account details

Yahoo users who have not changed their passwords for a while are being advised to do so. The company has confirmed that it suffered a major security breach back in 2014 and information relating to 500 million accounts was stolen. Yahoo says that the attack was carried out by a “state-sponsored actor” but does not elaborate on who it might be. The data accessed includes “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers”. This is clearly a huge deal, and the one…


Original URL: http://feeds.betanews.com/~r/bn/~3/L20f2dE5FGM/

