There are so many questions to answer about the current mad rush to encrypt every single transaction on the web but a recent paper has at least indicated that Let's Encrypt is making it cheap and easy.
"The 2013 National Security Agency revelations of pervasive monitoring have lead to an "encryption rush" across the computer and Internet industry. To push back against massive surveillance and protect users privacy, vendors, hosting and cloud providers have widely deployed encryption on their hardware, communication links, and applications.
As a consequence, the most of web traffic nowadays is encrypted. However, there is still a significant part of Internet traffic that is not encrypted. It has been argued that both costs and complexity associated with obtaining and deploying X.509 certificates are major barriers for widespread encryption, since these certificates are required to established encrypted connections.
To address these issues, the Electronic Frontier Foundation, Mozilla Foundation, and the University of Michigan have set up Let's Encrypt (LE), a certificate authority that provides both free X.509 certificates and software that automates the deployment of these certificates. In this paper, we investigate if LE has been successful in democratizing encryption: we analyze certificate issuance in the first year of LE and show from various perspectives that LE adoption has an upward trend and it is in fact being successful in covering the lower-cost end of the hosting market."
And to LEs success:
By addressing the two major barriers inhibiting ubiquitous encryption (cost and complexity required in issuing X.509 certificates), LE has become one of the largest CAs within only one year after its first certificate was issued...
We have also shown that once these barriers are eliminated, it enables big hosting providers to issue and deploy certificates for their customers in bulk, thus quickly and automatically enable encryption across a large number of domains. For example, we have shown that currently, 47% of LE certified domains are hosted at three large hosting companies (Automattic/wordpress.com, Shopify, and OVH).
What hasn't been quantified or explored is the effect that LE might have had on the big certificate issuing companies and how this has changed the way end users view certificates just as a way of enabling encryption or as a way of proving who they are talking to.
The security of the IoT is a big topic but how to ensure that anything you create is secure? The key is obviously authentication but how does a machine authenticate with another machine? In this survey paper a range of possibilities is examined in detail:
In this paper, we present a comprehensive survey of authentication protocols for Internet of Things (IoT). Specifically, we select and in-detail examine more than forty authentication protocols developed for or applied in the context of the IoT under four environments, including:
(1) Machine to machine communications (M2M)
(2) Internet of Vehicles (IoV)
(3) Internet of Energy (IoE),
(4) Internet of Sensors (IoS).
We start by reviewing all survey articles published in the recent years that focusing on different aspects of the IoT idea. Then, we review threat models, countermeasures, and formal security verification techniques used in authentication protocols for the IoT. In addition, we provide a taxonomy and comparison of authentication protocols for the IoT in form of tables in five terms, namely, network model, goals, main processes, computation complexity, and communication overhead. Based on the current survey, we identify open issues and suggest hints for future research.
Obfuscation, don't you hate it when you are on the receiving end trying to figure out how some important piece of software works but don't you really wish there was a better way when you have some code to protect? Only the most true open source devote sees obfuscation as a simple evil. Now we have a suggestion that it might be possible to do better than simple semantic obfuscation:
Protecting source code against reverse engineering and theft is an important problem. The goal is to carry out computations using confidential algorithms on an untrusted party while ensuring confidentiality of algorithms.
This problem has been addressed for Boolean circuits known as `circuit privacy'. Circuits corresponding to real-world programs are impractical. Well-known obfuscation techniques are highly practicable, but provide only limited security, e.g., no piracy protection.
In this work, we modify source code yielding programs with adjustable performance and security guarantees ranging from indistinguishability obfuscators to (non-secure) ordinary obfuscation. The idea is to artificially generate `misleading' statements. Their results are combined with the outcome of a confidential statement using encrypted selector variables. Thus, an attacker must `guess' the encrypted selector variables to disguise the confidential source code.
We evaluated our method using more than ten programmers as well as pattern mining across open source code repositories to gain insights of (micro-)coding patterns that are relevant for generating misleading statements. The evaluation reveals that our approach is effective in that it successfully preserves source code confidentiality.
Scroll anchoring sounds painful, or even worse something that happens at sea. Thankfully it isn't and it is a really good idea. It is such a good idea, and so simple, that you can't really understand [ ... ]