YiSpecter threat shows iOS is now firmly on attackers’ agenda
YiSpecter Trojan abuses Apple’s iOS enterprise provisioning and private APIs to earn ad revenue. Avoid it by not installing apps from untrusted sources.
Read More
YiSpecter Trojan abuses Apple’s iOS enterprise provisioning and private APIs to earn ad revenue. Avoid it by not installing apps from untrusted sources.
Read More
YiSpecter Trojan abuses Apple’s iOS enterprise provisioning and private APIs to earn ad revenue. Avoid it by not installing apps from untrusted sources.
Read More
YiSpecter Trojan abuses Apple’s iOS enterprise provisioning and private APIs to earn ad revenue. Avoid it by not installing apps from untrusted sources.
Read More
YiSpecter Trojan abuses Apple’s iOS enterprise provisioning and private APIs to earn ad revenue. Avoid it by not installing apps from untrusted sources.
Read More
YiSpecter Trojan abuses Apple’s iOS enterprise provisioning and private APIs to earn ad revenue. Avoid it by not installing apps from untrusted sources.
Read More
summary
We have talked a lot about ECC (Elliptic Curve Cryptography) for the past year. Although the use of elliptic curves is not exactly new, their use in our industry is fairly recent: ECC is a new cryptographic algorithm used for key exchange and authentication purposes in the SSL/TLS protocols (see this previous blog article for more details).
It is expected that RSA – the current standard – will be replaced by ECC as its scalability is becoming an issue with the arrival of IoT (Internet of Things): explosion in number of devices, machine to machine (M2M) communications, ever-growing amount of data transfers, etc.
We expected this change to happen. This is why Symantec’s ECC roots have been added to all major root stores back in 2007. Most CAs followed years later.
The reliability and performances of ECC no longer need to be demonstrated. However, a significant obstacle to the adoption of ECC lies on the lack of support for this relatively new algorithm in legacy products. While all modern servers and browser fully support ECC, some legacy system will not trust ECC roots, or will not be able to support ECC at all.
Browser compatibility (root ubiquity) as of today
Client | ECC Support | Pure ECC | ECC & RSA Hybrid |
---|---|---|---|
PC |
Windows HP or older |
Not supported | Not supported |
Windows Vista or newer | Supported | Supported | |
Mac OSX | V10.9 or newer | V10.6 or newer | |
Mobile | Android | Android 3.x or newer | Android 4.0 or newer |
iOS | iOS 7.x or newer | iOS 3.x or newer | |
Ecosystem | Server to Server | Depends on the customer environment | Depends on the customer environment |
Current Server compatibility as of today
Vendor | Product | ECC CSR | ECC cert install |
---|---|---|---|
Mircrosoft | Win Server 2008 (IIS 7.0) or newer | Supported | Supported |
Apache, nginx | OpenSSL 1.0.1e | Supported | Supported |
Oracle | Sun Java System Web Server 7.0 | Supported | Supported |
F5 | 11.5 or newer | Supported | Supported |
IBM | HTTP Server 8.0 + PM80235 | Supported | Supported |
Citrix | Netscaler | Not Supported | Not Supported |
There are devices and systems that are unable to proceed with ECC due to a trust deficit due to the missing trusted ECC root certificate and it is not always possible to upgrade, change servers or switch to another application easily. To overcome this issue, Symantec has created a solution for devices and systems that can support ECC but don’t have ECC roots in their trust stores: hybrid ECC/RSA hybrid SSL certificates.
Hybrid certificates use ECC for encryption and authentication but are chained to a well-trusted RSA root. Hybrid ECC/RSA certificates enable you to benefit from the best protection for your current infrastructure and mitigate potential compatibility issues at the same time.
It’s fairly simple: when you enroll, we give you the choice between a full ECC certification chain (fig.1) and a hybrid ECC/RSA certification chain (fig.2). The full ECC chain comprises of your ECC SSL certificate, signed by an ECC intermediate, signed by an ECC root.
Fig. 1:full ECC chain
In order to offer hybrid RSA/ECC certificates, we have created a new ECC intermediate signed by an RSA root. This intermediate can be installed as direct intermediate, or as a cross certificate to a full ECC chain.
The direct intermediate is the solution we recommend. You benefit from ECC encryption for your infrastructure, while using a globally trusted RSA root.
Fig.2: hybrid ECC/RSA chain
If you are unsure which certification path is made for you, or if you have questions or concerns, please contact us! We are happy to help and to advise.
Our team had a wonderful time meeting and networking with the crème de la crème of security industry professionals at this year’s Virus Bulletin Conference in Prague, of which we were a proud platinum sponsor. Throughout the conference, a handful of Avast employees presented talks a variety of today’s most prominent security-centered topics. For those […]
Linux.Wifatch は、ルーターや他の IoT デバイスに感染しますが、不思議なことに、侵入先のデバイスのセキュリティ強化に努めているようです。
Read More
攻撃者が MP3 ファイルと MP4 ファイルを使うと、影響を受ける Android デバイスにアクセスして、マルウェアをインストールしたり情報を盗み出したりする恐れがあります。
Read More
圧縮ユーティリティに影響するリモートコード実行の脆弱性が新たに見つかりましたが、危険性は当初考えられていたより高くないようです。
Read More