Recent Blog Posts

From the SSL/TLS perspective, 2014 was quite an eventful year. The best way to describe what we at SSL Labs did is that we kept running to stay in the same place. What I mean by this is that we spent a lot of time reacting to high-profile vulnerabilities: Heartbleed,... MORE »

POODLE bites TLS

December 08, 2014

There’s a new SSL/TLS problem being announced today and it’s likely to affect some of the most popular web sites in the world, owing largely to the popularity of F5 load balancers and the fact that these devices are impacted. There are other devices known to be affected, and it’s... MORE »

Update (8 Dec 2012): Some TLS implementations are also vulnerable to the POODLE attack. More information in this follow-up blog post. After more than a week of persistent rumours, yesterday (Oct 14) we finally learned about the new SSL 3 vulnerability everyone was afraid of. The so-called POODLE attack (CVE-2014-3566)... MORE »

The news is that SHA1, a very popular hashing function, is on the way out. Strictly speaking, this development is not new. The first signs of weaknesses in SHA1 appeared (almost) ten years ago. In 2012, some calculations showed how breaking SHA1 is becoming feasible for those who can afford... MORE »

Since the official release of Bulletproof SSL and TLS last Tuesday, we've been busy submitting the book to print and ensuring it comes out just right. As a result, I now have three proofs sitting on my desk in all their glory! All the other copies are now on their... MORE »

It gives me great pleasure to announce that my book, Bulletproof SSL and TLS, has now been officially released. Writing it took me more than two years (I started in May 2012, believe it or not), during which I spent the equivalent of about 7 months of full time work.... MORE »

I've just released the June update of Bulletproof SSL and TLS. This batch completes the manuscript and brings about 80 new pages across three chapters: Chapter 1, SSL, TLS, and Cryptography, begins with a brief introduction to SSL and TLS and discusses where these secure protocols fit in the Internet... MORE »

In the 1.10.x code branch of SSL Labs, which was deployed to production last week, we made a change in how we handle assessments with trust issues. Previously, all certificates that we couldn't validate (largely because they were self-signed or issued from a private CA root) were given an F... MORE »

Last week (on June 5th), OpenSSL published an advisory detailing a number of serious problems. The CVE-2014-0224 vulnerability will be the most problematic for most deployments because it can be exploited via an active network (man in the middle) attack. This vulnerability allows an active network attacker to inject ChangeCipherSpec... MORE »

I've just released the May update of Bulletproof SSL and TLS. This batch brings 78 pages and three chapters to the book: Chapter 8, Deployment, is the map for the entire book and provides step by step instructions on how to deploy secure and well-performing TLS servers and web applications.... MORE »
