Encryption is an interesting thing. On the surface it offers protection from prying eyes and a sense of security in protecting your communication and files. At least that is what you should feel when talking about encryption. The problem is that encryption is only as secure as the protocol and API that are in use. Even if you have a rock-solid certificate, the protocol and APIs that you use to connect can be compromised to bypass it. This is what has happened to almost every major SSL/TLS stack. So far in 2014 we have watched them fall one at a time, to the dismay of security experts.
As we have reported on multiple occasions, Microsoft is working very hard to change the way that people see them. There are many reasons that they need to do this, and it is a job that is not going to happen overnight. This has been a big part of what new CEO Satya Nadella has been doing since he took the top job at Microsoft. After changing the push for the Xbox One and Windows, they are now trying to overcome the stigma dropped on them by Edward Snowden’s revelations of complicity with the NSA.
After taking a pretty big hit from the Heartbleed bug, OpenSSL is back in the news for an additional six bugs that put user data at risk. Security researchers have discovered a number of additional bugs in OpenSSL that can be used to allow malicious persons to spy on communication. Fortunately for the masses (about two thirds of internet sites use OpenSSL), these new bugs are not as easy to exploit as Heartbleed was.
A couple of days ago Google started pushing encryption for e-mail. No, we are not talking about the typical https connection required for Gmail. We are talking about actual encryption of email as it moves from server to server using TLS (Transport Layer Security). In simplest terms, this method creates connections between servers using a secure tunnel to each other for the purpose of transmitting the message. Once the message has been passed to the destination server, the tunnel closes. However, despite the length of time TLS has been around, not many companies use it.
There is a lot of talk on the internet about how to keep corporate, government and, of course, financial networks secure and to protect them from outside intrusions and breaches. Almost all of these cover some pretty basic things. These are items like making sure you have good IT staff (and being prepared to pay for them), ensuring patches and updates are run, and, of course, the biggest one: watch your network.