All news with #encryption in transit tag

CISOs Preparing for Shorter TLS Certificate Lifespans

🔐 Shorter maximum TLS certificate lifespans are imminent: starting 15 March 2026 the limit drops from 398 days to 200 days, then to 100 days a year later and eventually to 47 days by 2029. CISOs should prioritize complete, continuously updated certificate inventories and move to automated issuance and renewal — ideally via ACME — to avoid outages. Centralized governance, percentage-based renewal policies, and integrated alerts tied to ticketing systems reduce human error and operational risk.

Amazon EMR Serverless Removes Local Storage Provisioning

🚀 Amazon EMR Serverless now provides fully managed serverless local storage for Apache Spark workloads, removing the need to provision disk type or size per application. The service offloads intermediate operations such as shuffle to an auto-scaling, encrypted serverless storage with job-level isolation, so customers pay only for compute and memory consumed. This reduces disk-related job failures and can lower costs by up to 20%. It is generally available for EMR release 7.12 and later.

AWS Payments Cryptography Adds Hybrid Post-Quantum TLS

🔐 AWS Payments Cryptography now supports hybrid post-quantum TLS to protect API calls and long-lived data-in-transit using ML-KEM-based PQC. This helps enterprises mitigate “harvest now, decrypt later” risks by combining classical and post-quantum key establishment. Customers enable PQ-TLS by upgrading to a compatible AWS SDK or browser and can verify sessions via tlsDetails in CloudTrail. The capability is generally available across Regions at no added cost.

AWS VPC Encryption Controls: Audit and Enforce AES-256

🔒 AWS launched VPC Encryption Controls to simplify auditing and enforcement of encryption in transit within and across Amazon Virtual Private Clouds. You can enable it on existing VPCs to monitor encryption status of traffic flows, identify resources that permit plaintext, and generate audit logs for compliance. The feature can also transparently enable hardware-based AES-256 encryption on traffic between supported resources such as AWS Fargate, Network Load Balancers and Application Load Balancers.

AWS Load Balancers Add Post-Quantum TLS Key Exchange

🔐 AWS Application Load Balancers (ALB) and Network Load Balancers (NLB) now offer an opt-in post-quantum TLS (PQ-TLS) key exchange option. The new PQ-TLS security policies use hybrid key agreement that combines classical algorithms with post-quantum KEMs including the standardized ML-KEM, protecting against 'harvest now, decrypt later' attacks. Available at no extra cost across AWS Commercial, GovCloud (US), and China Regions, the feature requires explicit listener updates and supports monitoring via ALB connection logs and NLB access logs.

EC2 Fleet Adds Encryption Attribute for ABIS Selection

🔐 Amazon EC2 Fleet now supports an encryption attribute for Attribute-Based Instance Type Selection (ABIS). You can set RequireEncryptionInTransit in InstanceRequirements to limit launches to instance types that support encryption-in-transit, addressing compliance with VPC Encryption Controls in enforced mode. The GetInstanceTypesFromInstanceRequirements (GITFIR) API previews eligible instance types. The feature is available in all AWS commercial and GovCloud (US) Regions. To start, set RequireEncryptionInTransit=true when calling CreateFleet or GITFIR.

Amazon CloudFront Adds TLS 1.3 Support for Origins

🔒 Amazon CloudFront now supports TLS 1.3 for connections to origins, automatically enabled across custom origins, Amazon S3, and Application Load Balancers with no configuration changes required. The upgrade provides stronger encryption and reduced handshake latency, delivering up to 30% faster connection establishment when an origin supports TLS 1.3. CloudFront will negotiate TLS 1.3 where supported while maintaining backward compatibility with older TLS versions. This support is available at no additional charge in all CloudFront edge locations and benefits sensitive workloads such as financial services, healthcare, and e-commerce.

Amazon S3 Adds Post-Quantum TLS Key Exchange Support

🔐 Amazon S3 now supports post-quantum TLS key exchange on regional S3, S3 Tables, and S3 Express One Zone endpoints using the NIST-standardized Module Lattice-Based Key Encapsulation Mechanism (ML-KEM). PQ-TLS key exchange is available at no additional cost across all AWS regions and will be negotiated automatically when clients are configured for ML-KEM. Combined with server-side AES-256 encryption by default, S3 offers quantum-resistant protection for data both in transit and at rest.

Amazon API Gateway Adds Enhanced TLS Security Policies

🔐 Amazon API Gateway now supports enhanced TLS security policies for REST APIs and custom domain names, giving customers more granular control over encryption, cipher selection, and endpoint access. Policy options include TLS 1.3-only, Perfect Forward Secrecy, FIPS-compliant cipher suites, and Post Quantum Cryptography choices. The update, available in many AWS commercial Regions, aims to simplify compliance with stricter regulations and strengthen cryptographic posture.

Google Announces Private AI Compute for Cloud Privacy

🔒 Google on Tuesday introduced Private AI Compute, a cloud privacy capability that aims to deliver on-device-level assurances while harnessing the scale of Gemini models. The service uses Trillium TPUs and Titanium Intelligence Enclaves (TIE) and relies on an AMD-based Trusted Execution Environment to encrypt and isolate memory on trusted nodes. Workloads are mutually attested, cryptographically validated, and ephemeral so inputs and inferences are discarded after each session, with Google stating data remains private to the user — 'not even Google.' An external assessment by NCC Group flagged a low-risk timing side channel in the IP-blinding relay and three attestation implementation issues that Google is mitigating.

Digital Health Needs Security at Its Core to Scale AI

🔒 The article argues that AI-driven digital health initiatives proved essential during COVID-19 but simultaneously exposed critical cybersecurity gaps that threaten pandemic preparedness. It warns that expansive data ecosystems, IoT devices and cloud pipelines multiply attack surfaces and that subtle AI-specific threats — including data poisoning, model inversion and adversarial inputs — can undermine public-health decisions. The author urges security by design, including zero-trust architectures, data provenance, encryption, model governance and cross-disciplinary drills so AI can deliver trustworthy, resilient public health systems.

CISA, NSA and Partners Issue Exchange Server Best Practices

🔐 CISA, the NSA and international partners have published the Microsoft Exchange Server Security Best Practices to help organisations reduce exposure to attacks against hybrid and on‑premises Exchange deployments. The guidance reinforces Emergency Directive 25-02 and prioritises restricting administrative access, enforcing multi‑factor and modern authentication, tightening TLS and transport security, and applying Microsoft's Exchange Emergency Mitigation service. It also urges migration from unsupported or end‑of‑life systems and recommends use of secure baselines such as CISA's SCuBA. Agencies stress ongoing collaboration and a prevention-focused posture despite political and operational challenges.

ISO 15118-2 SLAC Vulnerability in EV Charging Protocol

🔒 ISO 15118-2-compliant EV charging implementations using the SLAC protocol are vulnerable to spoofed measurements that can enable man‑in‑the‑middle attacks between vehicles and chargers, tracked as CVE-2025-12357 (CVSS v4 7.2). The issue is an improper restriction of communication channel (CWE-923) and may be exploitable wirelessly at close range via electromagnetic induction. ISO recommends using TLS (required in ISO 15118-20) with certificate chaining; CISA advises minimizing network exposure, isolating control networks, and using secure remote access methods.

Blueprint for Hardening Microsoft Exchange Servers

🔒 CISA, the NSA, and international partners released the Microsoft Exchange Server Security Best Practices blueprint to help administrators of on‑premises and hybrid Exchange environments strengthen defenses against persistent cyber threats. The guidance builds on CISA’s Emergency Directive 25‑02 and emphasizes restricting administrative access, implementing multifactor authentication, enforcing strict transport security, and adopting zero trust principles. It also urges organizations to remediate or replace end‑of‑life Exchange versions, apply recommended mitigations, and consider migrating to cloud-based email to reduce operational complexity and exposure.

CISA Releases Microsoft Exchange Server Security Guide

🔐 Today, CISA, in collaboration with the National Security Agency and international partners, published Microsoft Exchange Server Security Best Practices to help defenders harden on-premises Exchange servers against ongoing exploitation. The guidance emphasizes strengthening user authentication and access controls, enforcing robust network encryption, and reducing application attack surfaces through configuration and feature management. CISA also urges organizations to decommission end-of-life or hybrid 'last Exchange' servers after migrating to Microsoft 365 to reduce exposure to continued exploitation.

Chrome to Enable HTTPS-First Mode by Default in 2026

🔒 Beginning in April 2026 and completing in October 2026, Google will make the Always Use Secure Connections feature the default in Chrome, attempting HTTPS for all public site navigations and prompting users before loading non-HTTPS pages. The phased rollout starts with Enhanced Safe Browsing users in Chrome 147 and expands to all global users in Chrome 154. Internal addresses such as routers and intranets will be exempt, and Google reports early tests showed warnings on fewer than 3% of navigations, typically under one alert per week, while the browser will avoid repeatedly warning about frequently visited sites.

Chrome to Enable Always Use Secure Connections by Default

🔒 Google will enable Always Use Secure Connections by default in Chrome 154 (October 2026), prompting users before the first access to any public site that lacks HTTPS. The browser will attempt HTTPS for every connection and show a bypassable warning when HTTPS is unavailable, while suppressing repeated warnings for frequently visited sites. A public-sites-only variant excludes private/local names to reduce noise and will roll out earlier to Enhanced Safe Browsing users. Administrators can disable the setting and Google provides migration guidance.

Significant Satellite Traffic Found Transmitted Unencrypted

⚠️Researchers used a commercial off-the-shelf satellite dish to perform the most comprehensive public study yet of geostationary satellite communications. They discovered a shockingly large volume of sensitive traffic—critical infrastructure telemetry, internal corporate and government communications, private voice calls and SMS, and consumer Internet streams such as in-flight Wi‑Fi—being broadcast unencrypted. Much of this data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware, and a single transponder's footprint may cover up to 40% of the Earth's surface.

Quantum Readiness: Why Incident Response Won't Work

🔐 The arrival of cryptographically relevant quantum computers will create a "silent boom" where adversaries can capture encrypted traffic today and decrypt it later, making intrusions neither observed nor observable. This undermines traditional incident response and shifts responsibility to engineering teams, not a vendor checkbox. Organizations must pursue quantum readiness by engaging developers to inventory algorithms and data, assess internet-facing assets for PQC support, and build testing capability for new ciphers within their release cycles.

Study Finds Major Security Flaws in Popular Free VPN Apps

🔍 Zimperium zLabs’ analysis of 800 Android and iOS free VPN apps found widespread privacy and security weaknesses, including outdated libraries, weak encryption, and misleading privacy disclosures. The report highlights concrete failures such as vulnerable OpenSSL builds (including Heartbleed-era versions), roughly 1% of apps permitting Man-in-the-Middle decryption, and about 25% of iOS apps lacking valid privacy manifests. Researchers warn excessive permission requests and private entitlements increase risk, especially in BYOD and remote-work environments, and recommend stronger security models, endpoint visibility and zero-trust approaches.