Search the Community

Some Google Chrome users are reporting problems connecting to websites, servers and firewalls following the release of Chrome 124 earlier this month, according to Bleeping Computer. The latest version of the browser introduced the new quantum-resistant X25519Kyber768 encapsulation mechanism, which was enabled by default. Testing of the post-quantum secure TLS key encapsulation mechanism started last August, but since its public launch, it has already caused a headache for the browser’s users. Quantum-resistant cryptography is breaking Chrome for some users An email sent on behalf of Chrome’s security workers explains the necessity behind implementing quantum-resistant tools now, despite the current threat being minimal: “This protects users’ traffic from so-called “store now decrypt later” attacks, in which a future quantum computer could decrypt encrypted traffic recorded today.” A separate blog post confirms the nature of the advanced tool: “This is a hybrid X25519 and Kyber768 key agreement based on an IETF standard.” Despite months of testing, the problem seems to have risen from web servers failing to adequately implement TLS, rather than an issue with Chrome. The error results in the rejection of connections that use the Kyber768 quantum-resistant key agreement algorithm, including connections with Chrome’s hybrid key. Clearly, this is not a simple fix that can be implemented by Chrome, but it requires a larger and more orchestrated effort to transform the Internet into one that can handle sophisticated quantum-safe cryptography. For now, affected users are being advised to disable the TLS 1.3 hybridized Kyber support in Chrome. However, long-term post-quantum secure ciphers will be essential in TLS, and the ability to disable the feature will likely be removed in the future, highlighting the importance of addressing the issue’s route cause earlier on so that websites can be prepared for quantum-based attacks in the future. More from TechRadar Pro Apple future-proofing iMessage to protect against the scary future of quantum computing hackingThese are the best privacy tools and anonymous browsersWe’ve rounded up a list of the best VPNs View the full article

When it comes to security, there are many vulnerabilities that can leave your website or web app open to attack. In this article, we’ll go over 15 common web application security vulnerabilities and how you can prevent them. 1. Insufficient Cryptography Cryptography is a critical security measure that is used to protect data in transit […] The post Developer’s Guide to Web Application Security appeared first on DevOps.com. View the full article

This blog focuses primarily on helping customers understand software supply chain security in the context of integrity and provenance—specifically, how cryptographic signatures can be used to simplify the process of ensuring the integrity of container images as they move through your software supply chain. We will also discuss how signing can help organizations validate their container images are coming from a trusted publisher, and how signing can be integrated with code scanning and approval workflows to facilitate a secure software supply chain. To be successful, signing and verification should be easily implemented and integrated with DevOps processes, ideally not placing undue burden on development teams to manage cryptographic keys and certificates. While this blog primarily covers signing container image manifests and related artifacts, cryptographic signatures can also be used to sign/verify documents, authentication tokens, software packages, and more. Today, building containers involves creating an image and putting it in a registry such as Amazon Elastic Container Registry Public (ECR Public), or Amazon ECR private registry; developers can then deploy containers from these repositories. Developers use code pipelines to build and deploy their container images. Building integrity verification for open source container images (as well as images built locally) into your CI/CD pipeline can reduce the risk of software supply chain attacks and provide continuous confidence to businesses using these container images across multiple business units. Put simply, we will examine the questions: What are cryptographic signatures, and how can they be used in a container build pipeline? How can organizations use signing to ensure that their container images are approved for use and have been verified as meeting their security standards? How can developers use signing to verify the container images they create haven’t been tampered with after they’re vetted and approved for use? View the full article