< ciso
brief />
Tag Banner

All news with #encryption in transit tag

48 articles

Declarative VPC Encryption Controls for AWS Organizations

🔐 You can now use declarative policies to enable VPC Encryption Controls in monitor or enforce mode across all VPCs in your environment. This capability lets security teams centrally define and apply consistent encryption-in-transit settings for an account, organization, or specific organizational unit. The feature provides centralized visibility into Encryption Controls status for all accounts and VPCs and is available in all AWS regions that support VPC Encryption Controls. There is no additional charge to use declarative policies in AWS Organizations.
read more →

Google Cloud advances Confidential Computing for AI

🔒 Google Cloud announces expanded Confidential Computing capabilities to protect data in use for AI workloads. The update includes Confidential G4 VMs with NVIDIA RTX PRO 6000 Blackwell GPUs, open-source Prompt Encryption SDKs, Intel TDX on C4 machines, and broader Confidential Space enhancements. These innovations aim to provide verifiable attestation, end-to-end encrypted inference, and support for multi-party collaboration while preserving performance and scalability.
read more →

Amazon MSK Replicator adds mTLS support for Express

🔒 Amazon MSK Replicator now supports mutual TLS (mTLS) authentication for replicating data from external Apache Kafka clusters — including on‑premises, self‑managed on AWS, or other cloud providers — to Amazon MSK Express brokers. This enables migrations, disaster recovery, and hybrid or multi‑cloud data distribution using mTLS‑configured external clusters. MSK Replicator automates replication while preserving topic names and avoiding infinite loops, and also synchronizes consumer group offsets bidirectionally to allow independent movement of producers and consumers.
read more →

XChat launch raises serious privacy and security doubts

🔒 Elon Musk’s XChat launched on iOS in April 2026 as a purportedly private messaging alternative, but its encryption model and key handling have raised alarm among experts. XChat stores users’ private keys on servers protected by HSMs and uses four-digit PINs to encrypt those keys for multi-device sync, a design that undermines classic end-to-end guarantees. Practical issues — message requests sent without E2EE, confusing PIN prompts, and weak brute-force protection — further complicate user security. The net result: XChat offers convenience at the cost of meaningful privacy assurances.
read more →

Amazon Aurora MySQL Adds MySQL 8.4 Support

🔒 Amazon Aurora MySQL-Compatible Edition now supports community MySQL 8.4, aligning Aurora version numbers with community releases and managing underlying patches for customers. The release enforces stronger security defaults—TLS 1.2/1.3 only and caching_sha2_password for new accounts—and offers customizable password validation via DB cluster parameter groups. Automated upgrade prechecks reduce upgrade risk, and multiple upgrade and migration paths are supported, including Blue/Green Deployments and AWS DMS.
read more →

Discord Rolls Out End-to-End Call Encryption Globally

🔒 Discord has enabled default end-to-end encryption (E2EE) for all voice and video calls after completing the deployment in March. The company extended the open-source DAVE protocol across desktop, mobile, web browsers, PlayStation, Xbox and Discord SDKs, and is removing legacy unencrypted fallback code. The encryption layer now covers DMs, group DMs, voice channels and Go Live streams, while Stage channels remain excluded. Discord says it has no current plans to apply DAVE to text due to major engineering constraints tied to its existing messaging architecture.
read more →

Apple and Google Enable Cross-Platform E2EE RCS Messaging

🔒 Apple and Google have initiated a beta rollout of end-to-end encrypted RCS messaging between iPhone and Android devices, closing a long-standing interoperability gap. The feature requires iOS 26.5 on supported iPhones and the latest Google Messages on Android, with carrier activation determining availability. Encryption is enabled by default, marked by a lock icon, and the rollout implements the GSMA Universal Profile 3.0 with MLS.
read more →

Apple Enables Default E2EE for RCS in iOS 26.5 Beta

🔐 Apple released iOS 26.5, adding beta support to enable end-to-end encryption for RCS messages across iPhone and Android devices when used with supported carriers and the latest Google Messages. The feature is enabled by default for new and existing conversations and displays a lock icon to indicate encryption. Apple and GSMA say this is part of a cross‑industry effort to modernize SMS. The update also patches over 50 vulnerabilities in iOS and iPadOS.
read more →

Elastic Beanstalk Adds TLS Listener Support for NLB

🔐 AWS Elastic Beanstalk now supports configuring TLS listeners for environments that use a Network Load Balancer. You can attach an SSL/TLS certificate and select a security policy so the load balancer terminates encrypted connections and forwards decrypted traffic to instances. TLS listener settings are configurable via the Elastic Beanstalk console or CLI, and the feature is available in all regions that support Beanstalk and NLBs.
read more →

Cloudflare Enables Post-Quantum IPsec with ML-KEM Standard

🔒 Cloudflare has made post-quantum encryption generally available for Cloudflare IPsec using hybrid ML‑KEM (FIPS 203), implementing draft-ietf-ipsecme-ikev2-mlkem. The rollout enables site-to-site WAN tunnels protected against harvest-now-decrypt-later attacks and has been tested interoperably with Cisco and Fortinet branch connectors. This brings post-quantum IPsec closer to Internet-scale deployment and supports Cloudflare’s goal of full post-quantum security by 2029.
read more →

AWS Managed Microsoft AD: Kerberos Encryption Logs

🔒 AWS Managed Microsoft AD can now forward Kerberos Encryption audit event logs (Event IDs 201–209) to Amazon CloudWatch Logs. These logs provide visibility into whether clients and services negotiate RC4 or AES encryption, helping you decide whether to upgrade clients for stronger protection or retain compatibility. Enable log forwarding from the directory's Network and Security tab in the Directory Service console. This feature is available in all AWS Regions offering the service except UAE and Bahrain.
read more →

Google Brings Client-Side Gmail E2EE to Mobile for Orgs

🔐 Google has extended client-side encryption (CSE) for Gmail to Android and iOS for organizations using the Enterprise Plus with Assured Controls edition. Messages and attachments are encrypted on-device with customer-managed keys and require admins to enable the mobile clients in the CSE admin console. The feature is opt-in, requires premium licensing, and disables some Gmail capabilities (including AI features and full search) for encrypted content. Non-Gmail recipients receive a secure web portal to read and reply.
read more →

Google enables Gmail end-to-end encryption on mobile

🔐 Google has rolled out native end-to-end encryption for Gmail on Android and iOS, allowing enterprise users to compose and read encrypted emails without installing extra apps. The capability uses client-side encryption (CSE) and is available to organizations with Enterprise Plus licenses plus the Assured Controls add-on after admins enable mobile clients. Encrypted messages and attachments are encrypted on the device and delivered as regular emails, and recipients using other services can read them in a web browser.
read more →

Amazon SES Mail Manager Adds mTLS, TLS Options and Actions

📧 Amazon Simple Email Service Mail Manager now supports optional TLS (including STARTTLS) and certificate-based mutual TLS (mTLS) on Ingress Endpoints, plus two new rule actions: Invoke Lambda function and Bounce. These additions let organizations preserve compatibility with legacy email systems while implementing stronger authentication and custom processing workflows. The Invoke Lambda action enables direct serverless email processing and automation, and the Bounce action issues RFC-compliant SMTP responses to senders. The features are available today in all Regions offering SES Mail Manager except the Middle East (UAE and Bahrain).
read more →

AWS Launches VPC Encryption Controls in GovCloud US

🔒 AWS VPC Encryption Controls is now available in AWS GovCloud (US-East) and GovCloud (US-West). The feature lets security teams enable monitoring and enforcement of encryption in transit across existing VPCs, automatically identifying flows that permit plaintext. It transparently activates hardware-based AES-256 encryption across VPC resources (including Fargate, NLB, and ALB) and produces audit logs to help demonstrate compliance with standards such as HIPAA, PCI DSS, FedRAMP, and FIPS 140-2.
read more →

Proton launches Meet: E2EE privacy-focused conferencing

🔒 Proton has launched Meet, a privacy-focused video conferencing service offering end-to-end encrypted calls as an alternative to mainstream platforms. Meet supports free one-hour meetings with up to 50 participants and offers a Pro tier starting at $7.99/month for longer sessions. The service uses the open-source MLS protocol, WebRTC with SFUs, and client-side encryption; authentication relies on SRP. Meetings are created via links containing an ID and locally held passwords, and Proton says it retains only non-sensitive meeting IDs, minimizing exposure even in server compromises.
read more →

Post-Quantum Roadmap for US Enterprises Targeting 2030

🔒 US organizations should begin operationalizing post-quantum cryptography now to protect long-lived secrets and meet an emerging 2030 readiness horizon. With NIST finalizing initial PQC standards in 2024 and agencies like NSA and CISA aligning guidance, a pragmatic hybrid strategy—pairing existing classical algorithms (ECDHE/TLS) with post-quantum primitives such as ML-KEM—reduces long-term confidentiality risk while preserving interoperability. Start with a comprehensive crypto inventory tied to data value, pilot internal mTLS, VPN and code-signing migrations in a lab, improve crypto agility, add telemetry for rollout metrics, and add PQC requirements into procurement to buy time and avoid last-minute disruption.
read more →

AWS Direct Connect: New Equinix SY5 location in Sydney

📡 AWS has opened a new AWS Direct Connect location at Equinix SY5 in Sydney, Australia. From this site you can establish private, direct network access to all public AWS Regions (except China), AWS GovCloud Regions, and AWS Local Zones. The location supports dedicated 10 Gbps and 100 Gbps connections and offers MACsec encryption. This is the fourth Direct Connect site in Sydney and the tenth in Australia, providing a more consistent private networking option than the public internet.
read more →

Meta to End Instagram End-to-End Encryption Support

🔒 Meta will discontinue support for end-to-end encryption for Instagram chats after May 8, 2026, and says affected users will receive instructions to download any messages or media they wish to keep. The company notes some users may need to update older versions of the app before downloading impacted chats. The encrypted-direct-messaging feature was first tested in 2021 and remains available only in select regions and not enabled by default.
read more →

AWS Pricing for VPC Encryption Controls Moves to Paid

🔒 AWS is introducing pricing for VPC Encryption Controls, a regional capability that audits and enforces encryption-in-transit for traffic within and across Virtual Private Clouds. The feature supports Monitor mode to detect unencrypted flows and Enforce mode to prevent the creation or operation of resources that allow unencrypted traffic. Beginning March 1, 2026, AWS will apply a fixed hourly charge to every non-empty VPC with Encryption Controls enabled; empty VPCs enabled with the feature are not charged. When encryption is enabled on a Transit Gateway, standard VPC Encryption Controls charges apply to all VPCs attached to that Transit Gateway regardless of each VPC's mode or whether they are empty.
read more →