On July 5, 2022 NIST announced its Round 3 PQC winners. What most people don't realize is that same day, the interested parties cleared a patent dispute that had the potential to prevent several of the winning primitives from moving forward. Join us as we explain who held that patent, what the potential impediment was, and how everything was resolved.
Jan 16, 2023•10 min
In this episode we discuss rising attacks that overcome the protections of Web Application Firewalls (WAF). We explain these attacks, why this bypass might be effective against you even if you think it isn't, and what you should do to ensure you're safe.
Jan 12, 2023•9 min
Much has been made of Shor's algorithm and the inevitable defeat of RSA using quantum computers. But a new research paper suggests a quantum computer may be applied to the problem in a fundamentally different way, potentially bringing RSA's demise sooner than even our current expected timelines. In this episode we discuss this new research, reactions to it, and its potential implications.
Jan 09, 2023•23 min
Recent announcements from Apple lay out a set of expansions in the scope and capability of encryption throughout the Apple ecosystem. In this episode we detail the announced changes and some of their implications.
Jan 04, 2023•18 min
2022 was post-quantum cryptography's biggest year so far. Our hosts are joined by guest Bruno Couillard, CEO and CTO of Crypto4A. We go over many developments in PQC, including the announcement of the NIST round 3 winners, the defeat of several late candidate algorithms, isogeny-based cryptography, hybrid certificates, and the significance of April 14, 2030.
Dec 28, 2022•33 min
We define the important needs and initiatives that are changing the crypto agility landscape. We discuss topics including CA independence, cryptography in public clouds, post-quantum cryptography (PQC) agility, hybrid certificates, and FIDO 2/WebAuthn.
Dec 23, 2022•19 min
In this episode we discuss three methods a user might choose for secure remote communications: VPN, SSH, and Tor. For each we discuss the reasons you might choose it and its pros and cons.
Dec 20, 2022•26 min
In one of our 2022 wrap up episodes, we look back at the continued erosion of the idea of reliable online identity throughout the year. We discuss the rise of deep fakes, celebrity phishing, voice biometrics, AI-generated art, trust models, and the failure of Twitter blue check marks.
Dec 14, 2022•23 min
The word spoof is a security industry term used in the context of social engineering attacks. In this episode we explore the word's connotations in different walks of life and why its connotations may not serve us well when applied to security concerns.
Dec 12, 2022•10 min
Public CA TrustCor has had its roots deprecated by Microsoft and Mozilla, following a public dialog about TrustCor's suitability as a public CA. This entire investigation was prompted by a Washington Post article articulating a series of connections between this CA and spyware purveyors. In this episode we explain these connections, the public dialog and investigation that occurred, and the ultimate deprecation of TrustCor.
Dec 08, 2022•30 min
The Twitter authenticated identity blue check marks made a big splash and then quickly went away. In this episode we explore the intent of these check marks and why they failed. In particular, we detail the challenges involved in authenticating and vouching for the identity of an individual or organization.
Nov 30, 2022•14 min
The CA/Browser Forum has passed new Baseline Requirements for S/MIME certificates, taking effect in late 2023. In this episode we explain the broad stipulations of the new S/MIME BRs, including the multiple available levels of authentication and the use case profiles that will be allowed.
Nov 21, 2022•17 min
"If you don't hold the keys, you don't hold the cheese." Crypto exchange giant FTX recently collapsed, causing ripples through the cryptocurrency world. In this episode we focus on the cryptographic difference between cryptocurrency exchanges and other exchanges and how specific FTX user experience decisions led to the loss of valuable digital assets for investors.
Nov 17, 2022•11 min
As we prepare for the reality of quantum computers breaking RSA and ECC, a keenly important concept to understand is "Harvest and Decrypt." The practical impact of Harvest and Decrypt is that for secrets with a reasonable lifespan, the quantum computer threat is much closer than you might think, including as early as today. In this episode we explain why that's the case and how this attack is likely to roll out.
Nov 16, 2022•20 min
In this episode we describe privacy browsers, which quite simply are browsers designed to pay special attention to the user's privacy, including some of the strategies they use to protect privacy and the pros and cons of this approach.
Nov 11, 2022•23 min
In a recently exposed error, key material for a popular automobile manufacturer's PKI has been discovered on GitHub, resulting in exposure of sensitive information. In this episode we explain the dual errors that led to this breach.
Nov 08, 2022•11 min
Last week the OpenSSL project announced an upcoming critical patch, leading to a great deal of speculation about this flaw and its implications for SSL certificates. We explain what the flaw was, what you should do, and why it is that certificates are unaffected.
Nov 04, 2022•9 min
A recently revealed vulnerability in Microsoft Exchange encryption can potentially be used to break the encryption on stored emails. In this episode we explain ECB (Electronic Codebook) mode encryption and how this attack can occur.
Oct 30, 2022•14 min
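As an added illustration of the ECB weakness the Oct 30 episode covers (this is example code, not material from the episode or from Microsoft): ECB encrypts every block independently, so two identical plaintext blocks always produce two identical ciphertext blocks, and an attacker who can see the ciphertext learns where data repeats without any key. The block cipher below is a toy Feistel network built from SHA-256 and stands in for AES only so the example runs with nothing but the standard library; it is not a secure cipher. The record layout and key are constructed for the demo.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes; the toy cipher below is a 16-byte Feistel network
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed round function: any deterministic function of (key, round, half) works
    # for the demo. This is NOT a vetted cipher; use AES for anything real.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with the toy Feistel cipher."""
    assert len(block) == BLOCK
    l, r = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l  # final swap so decryption can run the same structure backwards


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Invert block_encrypt."""
    assert len(block) == BLOCK
    r, l = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "demo expects block-aligned input (pad in real code)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: each block encrypted on its own; equal plaintext blocks -> equal ciphertext blocks
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before encryption,
    # so repeated plaintext blocks no longer yield repeated ciphertext blocks.
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier block (the ECB leak, in one number)."""
    bs = _blocks(ct)
    return len(bs) - len(set(bs))


# Constructed sample: a record layout where the same 16-byte field recurs,
# the kind of structure a mailbox store or database row might have.
SAMPLE_KEY = b"sixteen byte key"
SAMPLE_PLAINTEXT = b"Account: 000123 " * 4 + b"Account: 000999 "

if __name__ == "__main__":
    ecb = ecb_encrypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    cbc = cbc_encrypt(SAMPLE_KEY, os.urandom(BLOCK), SAMPLE_PLAINTEXT)
    print("ECB repeated blocks:", repeated_blocks(ecb))  # 3: the four identical records collapse
    print("CBC repeated blocks:", repeated_blocks(cbc))  # 0
    assert ecb_decrypt(SAMPLE_KEY, ecb) == SAMPLE_PLAINTEXT
```

The number to watch is `repeated_blocks`: under ECB it counts exactly the duplicated records, which is structure an attacker can exploit (and, with a chosen-plaintext position, turn into block-by-block recovery); under CBC with a fresh random IV it is zero. The zero IV used in the test is for determinism only; real CBC needs an unpredictable IV, and modern designs should prefer an authenticated mode such as AES-GCM.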
NIST has announced its new post-quantum cryptography primitives. So now what? In this episode we discuss the next steps required by the technology industry for widespread adoption of these algorithms and what the enterprise can do starting today to ready itself for quantum-safe encryption.
Oct 27, 2022•21 min
It's Root Causes episode 250! In this episode Tim and Jason indulge themselves in podcasting about podcasting. Hear about setting up a podcast, choosing topics, why we don't rehearse, why we have so few guests, and how we reacted the first time someone asked us for a media kit.
Oct 26, 2022•27 min
Recent months have seen several high profile attacks that were enabled by defeating the MFA accompanying user name and password login. In this episode we explain the concept of MFA fatigue and why it is an enabler for these attacks.
Oct 21, 2022•10 min
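The MFA fatigue pattern from the Oct 21 episode leaves a recognizable trail in identity-provider logs: a burst of denied or unanswered push prompts for one user, often followed by a single approval when the user gives in. The detection below is an added example (not code from the episode or from any vendor) that runs over constructed log lines in an assumed `timestamp user=... result=... src=...` format; adapt the regex to your own IdP's export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example; adapt to your IdP's export):
#   <ISO-8601 UTC timestamp> user=<name> result=approved|denied|timeout src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"user=(?P<user>\S+) result=(?P<result>approved|denied|timeout) src=(?P<src>\S+)$"
)

# Constructed sample: alice is bombarded and finally approves; bob denies once then
# approves a legitimate prompt; carol denies occasionally over hours (normal noise).
SAMPLE_LOG = """\
2022-10-20T09:00:05Z user=alice result=denied src=203.0.113.7
2022-10-20T09:00:31Z user=alice result=denied src=203.0.113.7
2022-10-20T09:00:58Z user=alice result=timeout src=203.0.113.7
2022-10-20T09:01:22Z user=alice result=denied src=203.0.113.7
2022-10-20T09:01:50Z user=alice result=denied src=203.0.113.7
2022-10-20T09:02:40Z user=alice result=denied src=203.0.113.7
2022-10-20T09:03:10Z user=alice result=approved src=203.0.113.7
2022-10-20T09:10:02Z user=bob result=denied src=198.51.100.4
2022-10-20T09:11:15Z user=bob result=approved src=198.51.100.4
2022-10-20T08:00:00Z user=carol result=denied src=192.0.2.9
2022-10-20T08:30:00Z user=carol result=denied src=192.0.2.9
2022-10-20T09:00:00Z user=carol result=denied src=192.0.2.9
2022-10-20T09:30:00Z user=carol result=denied src=192.0.2.9
2022-10-20T10:00:00Z user=carol result=denied src=192.0.2.9
""".splitlines()


def parse_events(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip unrelated lines rather than failing the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["user"], m["result"], m["src"]))
    events.sort()
    return events


def detect_mfa_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag users with >= threshold rejected/ignored push prompts inside one window.

    Returns {user: {"rejected_in_window": n, "approved_after_burst": bool, "burst_end": datetime}}.
    A burst followed by an approval is the classic fatigue signature: the user gave in.
    """
    by_user = defaultdict(list)
    for ev in parse_events(lines):
        by_user[ev[1]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        rejected = [ts for ts, _, result, _ in evs if result != "approved"]
        start = 0
        for end in range(len(rejected)):
            # Slide the window start forward until the window fits
            while rejected[end] - rejected[start] > window:
                start += 1
            count = end - start + 1
            if count < threshold or (user in findings and count <= findings[user]["rejected_in_window"]):
                continue
            burst_end = rejected[end]
            approved_after = any(
                result == "approved" and burst_end <= ts <= burst_end + window
                for ts, _, result, _ in evs
            )
            findings[user] = {
                "rejected_in_window": count,
                "approved_after_burst": approved_after,
                "burst_end": burst_end,
            }
    return findings


if __name__ == "__main__":
    for user, f in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, f)
```

Only alice trips the default threshold; bob's single denial and carol's widely spaced denials do not. An `approved_after_burst` finding should be treated as a likely compromised session, not just a noisy user. The durable fix is on the authenticator side (number matching or phishing-resistant FIDO2/WebAuthn), and the detection above is a stopgap for estates still on plain push approval.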
Microsoft has announced the upcoming availability of a Microsoft-run code signing solution inside the Azure platform. We explain this approach's advantages and what to expect from it.
Oct 18, 2022•9 min
A recent high-profile breach of Uber's systems led to widespread data loss. Join our experts as we unpack the specifics of how this attack came about.
Oct 13, 2022•12 min
Google Chrome recently announced the formation of its trusted root program. It may be surprising to learn that the world's most popular browser has existed for more than a decade without its own root program. In this episode we explain why that is the case, why Chrome is launching a root program now, and the implications of this announcement.
Oct 03, 2022•12 min
A recent article from Brian Krebs advances the idea that using OTP MFA may actually be a liability to security. In this episode we explain the reasoning behind this characterization.
Sep 29, 2022•10 min
A recent survey from PwC reports that cyber threats are no longer solely the domain of the CISO but instead have become every senior executive's concern. We dive deep into these survey results and talk about how they correlate with our own experiences, IT skills gaps, and feeding the podcasting beast.
Sep 26, 2022•16 min
Many people don't realize that the CA/Browser Forum's Baseline Requirements actually came LATER THAN the Extended Validation Guidelines. In this episode we explain how this seemingly backward turn of events came about and what it says about how online trust has evolved over the past few decades.
Sep 20, 2022•11 min
Electronic Frontier Foundation member and Let's Encrypt co-founder Peter Eckersley passed away recently at a young age. In this episode we pay respect to Peter's memory and his many contributions, including ACME, Certbot, and Let's Encrypt.
Sep 16, 2022•7 min
A December 2021 report appears to indicate that China is vastly outspending Western countries on quantum computing. In this episode we examine this claim, including the role of private industry as opposed to government funding, the importance of international cooperation, and the vast implications of winning the race for quantum computing.
Sep 12, 2022•20 min
A white hat researcher recently defeated a production automobile's PKI by searching for the private key on Google. Join us as we describe the implementation error making this possible and how it might have come about.
Sep 06, 2022•16 min
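The Nov 08 and Sep 06 episodes above both concern the same implementation failure: private key material for a production PKI committed to a repository and then indexed by GitHub or Google. The check that catches this before a push is simple, and the scanner below is an added example (not code from either episode or from the manufacturer involved). It walks a tree for PEM private-key headers while ignoring certificates and public keys, which are fine to publish. The sample repository it builds is constructed in a temporary directory, and the key bodies are placeholders, not real keys.

```python
import os
import re
import tempfile

# PEM private-key headers. "BEGIN CERTIFICATE" and "BEGIN PUBLIC KEY" are deliberately
# not matched: publishing those is normal; publishing the private half is the breach.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)
SKIP_DIRS = {".git", "node_modules"}
MAX_BYTES = 4 * 1024 * 1024  # skip huge binaries; keys are small text files


def scan_bytes(data: bytes):
    """Return the list of private-key header types found in a byte string."""
    return [m.group(1).decode() for m in PRIVATE_KEY_RE.finditer(data)]


def scan_tree(root: str):
    """Walk a directory and return sorted (relative path, key type) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, "rb") as fh:
                kinds = scan_bytes(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.extend((rel, kind) for kind in kinds)
    return sorted(findings)


def build_sample_repo() -> str:
    """Create a constructed throwaway tree. The key bodies are placeholders, not real keys."""
    root = tempfile.mkdtemp(prefix="keyscan-")
    files = {
        "README.md": b"# Fleet tooling\nNothing sensitive here.\n",
        "certs/server.crt": b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
        "config/ca.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n",
        "deploy/id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3Bl...placeholder...\n-----END OPENSSH PRIVATE KEY-----\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, kind in scan_tree(build_sample_repo()):
        print(f"{rel}: {kind}")
```

Two caveats a practitioner would want: the scanner skips `.git`, so it only protects the working tree, and a key that was committed once lives on in history until the history is rewritten and, more importantly, the key is revoked and reissued. A scanner is a guardrail for the first error (the key leaving the HSM or signing host at all); the second error, treating a published key as still trustworthy, is only fixed by revocation.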