Popular:
Virtualization DNS security formal verification reachability analysis compiler errors macro conflict web extension development framework Bitmap Graphics API inconsistencies All Tags

Outdated Kerberos Vulnerability: A Critical Flaw in Microsoft Active Directory

2025-09-10
Outdated Kerberos Vulnerability: A Critical Flaw in Microsoft Active Directory

This article exposes a long-standing, low-tech, high-impact Kerberos vulnerability in Microsoft Active Directory—Kerberoasting. This vulnerability exploits outdated RC4 encryption and weak password mechanisms in Active Directory, allowing attackers to quickly crack service account passwords via dictionary attacks, gaining access to corporate networks. While Microsoft has published mitigations, their lack of proactive measures, such as enforcing upgrades of outdated configurations, has led to continued exploitation, as seen in the May 2024 ransomware attack on Ascension Health. This highlights Microsoft's shortcomings in security updates and the negligence of enterprise administrators in security.

Read more
(blog.cryptographyengineering.com)
Tech

XChat's End-to-End Encryption: The Juicebox Security Flaw

2025-06-09
XChat's End-to-End Encryption: The Juicebox Security Flaw

Matthew Garrett exposes security vulnerabilities in X's (formerly Twitter) new end-to-end encrypted messaging protocol, XChat. XChat uses the Juicebox protocol to store user private keys, distributing them across three servers. However, these servers are all controlled by X, meaning X can access all user keys, undermining end-to-end encryption. The article delves into Juicebox's mechanics and potential risks, highlighting critical flaws in XChat's deployment. User private keys are vulnerable to arbitrary access by X, leading to the recommendation to avoid using XChat.

Read more
(blog.cryptographyengineering.com)
Tech

Apple iMessage: Encryption Isn't Enough

2025-03-06
Apple iMessage: Encryption Isn't Enough

While Apple iMessage boasts end-to-end encryption since 2011, its messages are permanently stored on devices and default to iCloud backups, creating a privacy vulnerability. Despite strong encryption, including post-quantum security, the lack of features like disappearing messages puts it behind other messengers in protecting user privacy. The article urges Apple to improve and add a disappearing messages feature to better safeguard user data.

Read more
(blog.cryptographyengineering.com)
Tech

UK Secretly Demands Apple Weaken iCloud Encryption: A Privacy Nightmare

2025-02-12
UK Secretly Demands Apple Weaken iCloud Encryption: A Privacy Nightmare

The UK government secretly demanded Apple weaken the end-to-end encryption in its iCloud Advanced Data Protection (ADP) system, raising major privacy concerns. This system is designed to protect user data from unauthorized access, but the UK's request would allow it to secretly access user data. This not only threatens the privacy of UK users but also sets a dangerous precedent for other countries, potentially jeopardizing global data security. The author urges Apple to accelerate the rollout of end-to-end encryption and suggests US legislation prohibiting US companies from installing encryption backdoors at the request of foreign governments.

Read more
(blog.cryptographyengineering.com)
Tech iCloud encryption privacy security government regulation

The Random Oracle Model's Achilles' Heel: New Challenges to Blockchain Security

2025-02-06
The Random Oracle Model's Achilles' Heel: New Challenges to Blockchain Security

This post delves into a long-standing issue in cryptography: the Random Oracle Model (ROM). Widely used to prove the security of cryptographic schemes, ROM's assumptions are unrealizable in the real world. The author analyzes a paper by Khovratovich, Rothblum, and Soukhanov, revealing potential practical attacks on Fiat-Shamir based zero-knowledge proof systems. These attacks exploit vulnerabilities that can arise when replacing the ROM with real-world hash functions. As zero-knowledge proofs and their recursive applications in blockchain become more prevalent, the author highlights the significant security risks, potentially leading to system-wide failures. The post emphasizes the crucial need for rigorous security audits of programs used in proof systems and explores various attack scenarios, ranging from relatively mild to catastrophic, prompting a deeper examination of blockchain security.

Read more
(blog.cryptographyengineering.com)
Tech random oracle model blockchain security

AI vs. End-to-End Encryption: A Privacy Showdown

2025-01-17
AI vs. End-to-End Encryption: A Privacy Showdown

This article explores the clash between AI and end-to-end encryption. The rise of AI assistants necessitates off-device processing of increasingly sensitive data, challenging the privacy protections offered by end-to-end encryption. While companies like Apple are attempting to mitigate this with 'Private Cloud Compute' and trusted hardware, this approach relies on complex software and hardware security, falling short of a perfect solution. A deeper concern lies in the control of powerful AI agents; once deployed, access becomes paramount, raising the specter of government or corporate access compromising personal privacy.

Read more
(blog.cryptographyengineering.com)
Tech AI privacy end-to-end encryption