All news with #encryption in transit tag

Amazon CloudFront Adds TLS 1.3 Support for Origins

🔒 Amazon CloudFront now supports TLS 1.3 for connections to origins, automatically enabled across custom origins, Amazon S3, and Application Load Balancers with no configuration changes required. The upgrade provides stronger encryption and reduced handshake latency, delivering up to 30% faster connection establishment when an origin supports TLS 1.3. CloudFront will negotiate TLS 1.3 where supported while maintaining backward compatibility with older TLS versions. This support is available at no additional charge in all CloudFront edge locations and benefits sensitive workloads such as financial services, healthcare, and e-commerce.

Amazon S3 Adds Post-Quantum TLS Key Exchange Support

🔐 Amazon S3 now supports post-quantum TLS key exchange on regional S3, S3 Tables, and S3 Express One Zone endpoints using the NIST-standardized Module Lattice-Based Key Encapsulation Mechanism (ML-KEM). PQ-TLS key exchange is available at no additional cost across all AWS regions and will be negotiated automatically when clients are configured for ML-KEM. Combined with server-side AES-256 encryption by default, S3 offers quantum-resistant protection for data both in transit and at rest.

Amazon API Gateway Adds Enhanced TLS Security Policies

🔐 Amazon API Gateway now supports enhanced TLS security policies for REST APIs and custom domain names, giving customers more granular control over encryption, cipher selection, and endpoint access. Policy options include TLS 1.3-only, Perfect Forward Secrecy, FIPS-compliant cipher suites, and Post Quantum Cryptography choices. The update, available in many AWS commercial Regions, aims to simplify compliance with stricter regulations and strengthen cryptographic posture.

Google Announces Private AI Compute for Cloud Privacy

🔒 Google on Tuesday introduced Private AI Compute, a cloud privacy capability that aims to deliver on-device-level assurances while harnessing the scale of Gemini models. The service uses Trillium TPUs and Titanium Intelligence Enclaves (TIE) and relies on an AMD-based Trusted Execution Environment to encrypt and isolate memory on trusted nodes. Workloads are mutually attested, cryptographically validated, and ephemeral so inputs and inferences are discarded after each session, with Google stating data remains private to the user — 'not even Google.' An external assessment by NCC Group flagged a low-risk timing side channel in the IP-blinding relay and three attestation implementation issues that Google is mitigating.

Digital Health Needs Security at Its Core to Scale AI

🔒 The article argues that AI-driven digital health initiatives proved essential during COVID-19 but simultaneously exposed critical cybersecurity gaps that threaten pandemic preparedness. It warns that expansive data ecosystems, IoT devices and cloud pipelines multiply attack surfaces and that subtle AI-specific threats — including data poisoning, model inversion and adversarial inputs — can undermine public-health decisions. The author urges security by design, including zero-trust architectures, data provenance, encryption, model governance and cross-disciplinary drills so AI can deliver trustworthy, resilient public health systems.

CISA, NSA and Partners Issue Exchange Server Best Practices

🔐 CISA, the NSA and international partners have published the Microsoft Exchange Server Security Best Practices to help organisations reduce exposure to attacks against hybrid and on‑premises Exchange deployments. The guidance reinforces Emergency Directive 25-02 and prioritises restricting administrative access, enforcing multi‑factor and modern authentication, tightening TLS and transport security, and applying Microsoft's Exchange Emergency Mitigation service. It also urges migration from unsupported or end‑of‑life systems and recommends use of secure baselines such as CISA's SCuBA. Agencies stress ongoing collaboration and a prevention-focused posture despite political and operational challenges.

ISO 15118-2 SLAC Vulnerability in EV Charging Protocol

🔒 ISO 15118-2-compliant EV charging implementations using the SLAC protocol are vulnerable to spoofed measurements that can enable man‑in‑the‑middle attacks between vehicles and chargers, tracked as CVE-2025-12357 (CVSS v4 7.2). The issue is an improper restriction of communication channel (CWE-923) and may be exploitable wirelessly at close range via electromagnetic induction. ISO recommends using TLS (required in ISO 15118-20) with certificate chaining; CISA advises minimizing network exposure, isolating control networks, and using secure remote access methods.

Blueprint for Hardening Microsoft Exchange Servers

🔒 CISA, the NSA, and international partners released the Microsoft Exchange Server Security Best Practices blueprint to help administrators of on‑premises and hybrid Exchange environments strengthen defenses against persistent cyber threats. The guidance builds on CISA’s Emergency Directive 25‑02 and emphasizes restricting administrative access, implementing multifactor authentication, enforcing strict transport security, and adopting zero trust principles. It also urges organizations to remediate or replace end‑of‑life Exchange versions, apply recommended mitigations, and consider migrating to cloud-based email to reduce operational complexity and exposure.

CISA Releases Microsoft Exchange Server Security Guide

🔐 Today, CISA, in collaboration with the National Security Agency and international partners, published Microsoft Exchange Server Security Best Practices to help defenders harden on-premises Exchange servers against ongoing exploitation. The guidance emphasizes strengthening user authentication and access controls, enforcing robust network encryption, and reducing application attack surfaces through configuration and feature management. CISA also urges organizations to decommission end-of-life or hybrid 'last Exchange' servers after migrating to Microsoft 365 to reduce exposure to continued exploitation.

Chrome to Enable HTTPS-First Mode by Default in 2026

🔒 Beginning in April 2026 and completing in October 2026, Google will make the Always Use Secure Connections feature the default in Chrome, attempting HTTPS for all public site navigations and prompting users before loading non-HTTPS pages. The phased rollout starts with Enhanced Safe Browsing users in Chrome 147 and expands to all global users in Chrome 154. Internal addresses such as routers and intranets will be exempt, and Google reports early tests showed warnings on fewer than 3% of navigations, typically under one alert per week, while the browser will avoid repeatedly warning about frequently visited sites.

Chrome to Enable Always Use Secure Connections by Default

🔒 Google will enable Always Use Secure Connections by default in Chrome 154 (October 2026), prompting users before the first access to any public site that lacks HTTPS. The browser will attempt HTTPS for every connection and show a bypassable warning when HTTPS is unavailable, while suppressing repeated warnings for frequently visited sites. A public-sites-only variant excludes private/local names to reduce noise and will roll out earlier to Enhanced Safe Browsing users. Administrators can disable the setting and Google provides migration guidance.

Significant Satellite Traffic Found Transmitted Unencrypted

⚠️Researchers used a commercial off-the-shelf satellite dish to perform the most comprehensive public study yet of geostationary satellite communications. They discovered a shockingly large volume of sensitive traffic—critical infrastructure telemetry, internal corporate and government communications, private voice calls and SMS, and consumer Internet streams such as in-flight Wi‑Fi—being broadcast unencrypted. Much of this data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware, and a single transponder's footprint may cover up to 40% of the Earth's surface.

Quantum Readiness: Why Incident Response Won't Work

🔐 The arrival of cryptographically relevant quantum computers will create a "silent boom" where adversaries can capture encrypted traffic today and decrypt it later, making intrusions neither observed nor observable. This undermines traditional incident response and shifts responsibility to engineering teams, not a vendor checkbox. Organizations must pursue quantum readiness by engaging developers to inventory algorithms and data, assess internet-facing assets for PQC support, and build testing capability for new ciphers within their release cycles.

Study Finds Major Security Flaws in Popular Free VPN Apps

🔍 Zimperium zLabs’ analysis of 800 Android and iOS free VPN apps found widespread privacy and security weaknesses, including outdated libraries, weak encryption, and misleading privacy disclosures. The report highlights concrete failures such as vulnerable OpenSSL builds (including Heartbleed-era versions), roughly 1% of apps permitting Man-in-the-Middle decryption, and about 25% of iOS apps lacking valid privacy manifests. Researchers warn excessive permission requests and private entitlements increase risk, especially in BYOD and remote-work environments, and recommend stronger security models, endpoint visibility and zero-trust approaches.

Trustworthy Oracle Architecture for Enterprise DLT

🔒 DZ BANK and Google Cloud present a blueprint for delivering trustworthy off‑chain data to smart contracts, addressing a key barrier to enterprise DLT adoption. The design pairs Google Cloud secure global infrastructure with DZ BANK’s deterministic financial protocols to guarantee data correctness at source, integrity in transit, and timely delivery. The Smart Derivative Contract (SDC) use case demonstrates deterministic valuation, automated margining, and cryptographic attestation of oracle outputs. Production controls such as Binary Authorization, Private Service Connect, Confidential Space (TEE), and TLS are used to mitigate software supply‑chain, transport, and runtime threats.

AWS Direct Connect opens MAD3 location in Madrid data center

🔌 AWS has opened a new AWS Direct Connect location at the Digital Realty MAD3 data center near Madrid, Spain. The site provides dedicated 10 Gbps and 100 Gbps connections with optional MACsec encryption and enables private network access to all public AWS Regions (except China), AWS GovCloud Regions, and AWS Local Zones. This is the third Direct Connect site in Madrid and the fourth in Spain, offering a lower-variance networking option compared with the public internet. It joins more than 146 Direct Connect locations worldwide, expanding options for colocations and hybrid deployments.

Security Hardening Essentials for Resource-Constrained SMBs

🔒 Security hardening boosts protection for organizations, especially SMBs, by reducing their attack surface without large additional investments. Key measures include strong authentication and authorization—enforcing strict passwords, multifactor authentication, least-privilege access and network access controls—alongside timely patching, data encryption and segmented, tested backups. Regular staff training, account audits and permission reviews complete a practical, low-cost defense posture.

AWS Kinesis Data Streams Adds IPv6 and FIPS in GovCloud

🌐 Amazon Web Services announced that Kinesis Data Streams now supports API requests over IPv6 in the AWS GovCloud (US) Regions, with optional dual-stack (IPv4/IPv6) public and VPC endpoints. The new endpoints have been validated under FIPS 140-3, enabling FIPS-compliant encryption for customers contracting with the US federal government. IPv6 support reduces address overlap and simplifies connectivity for devices and networks already using IPv6. This capability is available in all Regions where Kinesis Data Streams operates, including GovCloud and China Regions.

Amazon CloudFront Adds Post-Quantum and TLS1.3 Policy

🔐 Amazon CloudFront now supports hybrid post-quantum key establishment across all existing TLS security policies for client-to-edge connections, enabling quantum-resistant key exchange without customer configuration. CloudFront also introduces a new TLS1.3_2025 policy that enforces TLS 1.3 only. Both features are enabled by default at all edge locations and incur no additional charges. These updates help organizations strengthen long-term in-transit protection and simplify compliance planning.

Amazon Neptune Adds Public Endpoints for Developers

🌐 Amazon Neptune now supports Public Endpoints, enabling developers to connect to Neptune clusters directly from development desktops without VPNs, bastion hosts, or complex network setups. The capability can be enabled for new or existing clusters running engine version 1.4.6 or later via the AWS Console, CLI, or SDK. Security is maintained using IAM authentication, VPC security groups, and encryption in transit. The feature is available at no additional cost in all Regions where Neptune is offered.