< ciso brief />
All news with #encryption in transit tag

44 articles · page 2 of 3

Amazon CloudFront Adds Mutual TLS Authentication for Origins

🔐 Amazon CloudFront now supports mutual TLS (mTLS) for origins, allowing origin servers to cryptographically verify that incoming requests originate from authorized CloudFront distributions. This certificate-based approach replaces custom solutions like shared-secret headers and IP allow-lists, reducing operational overhead and improving security for public and externally hosted origins. Customers may use client certificates issued by AWS Private Certificate Authority or third-party private CAs imported through AWS Certificate Manager, and can configure origin mTLS via the Console, CLI, SDK, CDK, or CloudFormation. Origin mTLS works with AWS-supported mutual TLS origins such as Application Load Balancer and API Gateway, as well as on-premises and custom origins, and is available at no additional charge.

Microsoft Fixes Outlook Bug Blocking Encrypted Emails

✅ Microsoft has issued a fix for a known issue that prevented Microsoft 365 customers from opening Encrypt Only messages in classic Outlook after a December update. Impacted users saw a message_v2.rpmsg attachment instead of readable content and a 'restricted permission' notice in the Reading Pane. Microsoft says the repair is available in the Beta Channel now and will roll to Current Channel and Current Channel Preview in February. Temporary workarounds are provided for users who cannot upgrade immediately.

Classic Outlook bug prevents opening encrypted emails

🔒 Microsoft is investigating a bug in the classic Outlook client introduced by Current Channel Version 2511 (Build 19426.20218) that prevents recipients from opening messages encrypted with Encrypt Only permissions. Impacted users may see a reading pane error asking them to verify credentials or encounter a message_v2.rpmsg attachment instead of readable content. The Outlook Team is working on a fix but has not provided an ETA. Microsoft recommends two temporary workarounds: have senders save encrypted messages before sending, or roll back to build 16.0.19426.20186.

AWS Direct Connect Opens First Hanoi Location in CMC Tower

🔌 AWS opened a new AWS Direct Connect location at the CMC Tower in Hanoi, Vietnam, enabling private, dedicated network access to all public AWS Regions (except China), AWS GovCloud Regions, and AWS Local Zones. The site offers dedicated 1 Gbps, 10 Gbps, and 100 Gbps connections, with MACsec encryption available for 10 Gbps and 100 Gbps links. This is the first Direct Connect location in Vietnam and is designed to deliver a more consistent network experience than internet-based connections. Organizations can use this location to establish private, physical connections between AWS and their data centers, offices, or colocation environments.

Implementing HSTS Across AWS Services for Cloud Apps

🔒 This AWS Security Blog post explains how to implement HTTP Strict Transport Security (HSTS) consistently across distributed AWS architectures using Amazon API Gateway, Application Load Balancers, and Amazon CloudFront. It presents concrete, service-specific configuration steps, example mappings and code snippets, and recommended curl commands to validate header delivery. The guidance highlights centralized header enforcement options to reduce fragmentation and align with the AWS Well-Architected Framework security principles. Practical advice covers testing, header override behaviors, and phased rollout using conservative max-age values before enabling preload in production.

Tor adopts Counter Galois Onion (CGO) for relay encryption

🔐 Tor has replaced its legacy tor1 relay encryption with a new design called Counter Galois Onion (CGO) to strengthen circuit traffic confidentiality and integrity. CGO is built on a Rugged Pseudorandom Permutation (RPRP) construction named UIV+ and provides wide-block encryption, tag chaining, per-cell key updates for immediate forward secrecy, and a 16-byte authenticator that removes SHA-1. The change is currently experimental in the C Tor implementation and the Rust client Arti, will be deployed transparently to Tor Browser users, and aims to block tagging and other malleability attacks with only modest bandwidth cost.

AWS Payments Cryptography Adds Hybrid Post-Quantum TLS

🔐 AWS Payments Cryptography now supports hybrid post-quantum TLS to protect API calls and long-lived data-in-transit using ML-KEM-based PQC. This helps enterprises mitigate “harvest now, decrypt later” risks by combining classical and post-quantum key establishment. Customers enable PQ-TLS by upgrading to a compatible AWS SDK or browser and can verify sessions via tlsDetails in CloudTrail. The capability is generally available across Regions at no added cost.

AWS VPC Encryption Controls: Audit and Enforce AES-256

🔒 AWS launched VPC Encryption Controls to simplify auditing and enforcement of encryption in transit within and across Amazon Virtual Private Clouds. You can enable it on existing VPCs to monitor encryption status of traffic flows, identify resources that permit plaintext, and generate audit logs for compliance. The feature can also transparently enable hardware-based AES-256 encryption on traffic between supported resources such as AWS Fargate, Network Load Balancers and Application Load Balancers.

EC2 Fleet Adds Encryption Attribute for ABIS Selection

🔐 Amazon EC2 Fleet now supports an encryption attribute for Attribute-Based Instance Type Selection (ABIS). You can set RequireEncryptionInTransit in InstanceRequirements to limit launches to instance types that support encryption-in-transit, addressing compliance with VPC Encryption Controls in enforced mode. The GetInstanceTypesFromInstanceRequirements (GITFIR) API previews eligible instance types. The feature is available in all AWS commercial and GovCloud (US) Regions. To start, set RequireEncryptionInTransit=true when calling CreateFleet or GITFIR.

Amazon CloudFront Adds TLS 1.3 Support for Origins

🔒 Amazon CloudFront now supports TLS 1.3 for connections to origins, automatically enabled across custom origins, Amazon S3, and Application Load Balancers with no configuration changes required. The upgrade provides stronger encryption and reduced handshake latency, delivering up to 30% faster connection establishment when an origin supports TLS 1.3. CloudFront will negotiate TLS 1.3 where supported while maintaining backward compatibility with older TLS versions. This support is available at no additional charge in all CloudFront edge locations and benefits sensitive workloads such as financial services, healthcare, and e-commerce.

Amazon API Gateway Adds Enhanced TLS Security Policies

🔐 Amazon API Gateway now supports enhanced TLS security policies for REST APIs and custom domain names, giving customers more granular control over encryption, cipher selection, and endpoint access. Policy options include TLS 1.3-only, Perfect Forward Secrecy, FIPS-compliant cipher suites, and Post Quantum Cryptography choices. The update, available in many AWS commercial Regions, aims to simplify compliance with stricter regulations and strengthen cryptographic posture.

Half of Satellite Traffic Unencrypted, Exposing Data

🔭 Researchers at UC San Diego and the University of Maryland showed that a <$750 motorized satellite-TV kit can intercept large volumes of geostationary traffic. They captured 3.7TB from 411 transponders across 39 satellites and found roughly half of sensitive streams, including VoIP, SMS, in-flight Wi-Fi and military telemetry, were unencrypted. Some operators patched rapidly, but many did not respond. Users should adopt VPNs and end-to-end encrypted messaging, and prefer encrypted cellular services.

Amazon OpenSearch Serverless Adds FIPS Endpoints in Regions

🔐 Amazon announced that Amazon OpenSearch Serverless now offers FIPS-compliant endpoints for Data Plane APIs in US East (N. Virginia), US East (Ohio), Canada (Central), AWS GovCloud (US-East), and AWS GovCloud (US-West). The update brings the service into conformance with FIPS 140-3 cryptographic requirements. Customers in regulated or federal environments can use these endpoints to meet in-transit cryptography controls.

Chrome to Enable HTTPS-First Mode by Default in 2026

🔒 Beginning in April 2026 and completing in October 2026, Google will make the Always Use Secure Connections feature the default in Chrome, attempting HTTPS for all public site navigations and prompting users before loading non-HTTPS pages. The phased rollout starts with Enhanced Safe Browsing users in Chrome 147 and expands to all global users in Chrome 154. Internal addresses such as routers and intranets will be exempt, and Google reports early tests showed warnings on fewer than 3% of navigations, typically under one alert per week, while the browser will avoid repeatedly warning about frequently visited sites.

Signal Protocol's Path to Quantum-Resistant Messaging

🔒 Signal has moved to integrate post-quantum cryptography into its messaging stack to mitigate future quantum threats. Phase 1 uses PQXDH, a hybrid handshake combining X25519 with the KEM CRYSTALS-Kyber, to block "harvest now, decrypt later" attacks. Phase 2 adds SPQR, which runs alongside the Double Ratchet to form a hybrid Triple Ratchet, preserving forward secrecy and post-compromise security while handling larger key sizes, asynchrony, and message loss.

AWS Direct Connect Adds 10G/100G with MACsec in KC

🔒 AWS expanded 10 Gbps and 100 Gbps dedicated Direct Connect links with MACsec encryption at the Netrality KC1 facility near Kansas City, MO. Customers at this location can now establish private, direct network access to all public AWS Regions (except China), AWS GovCloud Regions, and AWS Local Zones. Direct Connect delivers a private, physical connection that can provide more consistent performance and lower latency than the public internet. AWS also notes there are over 146 Direct Connect locations worldwide.

Gmail enterprise users can now send E2EE to anyone

🔒 Gmail enterprise users can now send end-to-end encrypted emails to recipients on any email platform by enabling the Additional encryption option when composing a message. Non-Gmail recipients receive a secure link to view and reply via a guest Google Workspace account, while Workspace-to-Workspace messages decrypt automatically for subscribers. The feature uses client-side encryption (CSE) so organizations can hold keys outside Google's servers to support data sovereignty and regulatory controls. Google began beta testing in April 2025 and will roll the feature out to Enterprise Plus customers with the Assured Controls add-on.

AWS Direct Connect 100G and 10G with MACsec in Bogota

🔌 AWS expanded 10 Gbps and 100 Gbps Direct Connect dedicated connections with MACsec encryption at the Equinix BG1 data center near Bogota, Colombia. Customers can now provision private, direct network access from this location to all public AWS Regions (except China), AWS GovCloud Regions, and AWS Local Zones. The enhancement delivers more consistent, lower-latency and encrypted connectivity for enterprises and partners in the region.

Automatic SSL/TLS: Upgrading 6M Domains for Quantum Safety

🔐 Cloudflare's Automatic SSL/TLS now upgrades origin-facing encryption by default, having strengthened over 6 million domains without operator intervention. The system scans origins, verifies content and certificates, then gradually ramps stronger SSL/TLS modes from 1% to 100% of traffic, aborting safely on failures. This prepares sites for the post-quantum era by favoring hybrid key agreements (X25519 + ML-KEM) and will soon automate post-quantum handshakes and ad-hoc rescans.

Cloudflare WARP Adds Post-Quantum Key Agreement Support

🔐 Cloudflare's WARP client now supports post-quantum key agreement across both consumer (1.1.1.1) and enterprise (Cloudflare One Agent) offerings, tunneling traffic over MASQUE with hybrid post-quantum/classical ciphersuites. The upgrade provides immediate protection against harvest-now-decrypt-later attacks by wrapping user traffic in post-quantum MASQUE tunnels even when individual connections inside the tunnel are not yet PQ-protected. Cloudflare staged the rollout with temporary downgrades, phased population enablement, and an MDM override to balance robustness and downgrade-resistance while meeting FIPS/FedRAMP constraints.