< ciso
brief />
Tag Banner

All news with #encryption in transit tag

48 articles · page 2 of 3

Android 17 Beta Adds Secure-by-Default Architecture

🔐 Android 17 public beta introduces a secure-by-default architecture that tightens app protections and refines developer workflows. The release deprecates the android:usesCleartextTraffic attribute and will block cleartext by default for apps targeting API level 37 without a network security configuration. It also adds a public SPI for HPKE hybrid cryptography, enables certificate transparency by default and introduces install-time permissions for localhost interactions. Large-screen behavior changes, a lock-free MessageQueue and generational garbage collection in ART target performance, while Google replaces the traditional Developer Preview with a continuous Canary channel for earlier feature access and streamlined testing.
read more →

Apple beta adds RCS E2EE and expanded Memory Integrity

🔐 Apple has released an iOS and iPadOS 26.4 developer beta that introduces end-to-end encryption (E2EE) for RCS conversations between compatible Apple devices, with a wider rollout planned for iOS, iPadOS, macOS and watchOS in a future update. The feature is currently in beta and limited to Apple devices and supported carriers. The update also expands Memory Integrity Enforcement (MIE), allowing applications to opt in to full protections beyond Soft Mode. Additionally, iOS 26.4 is expected to enable Stolen Device Protection by default and the SDK is available via Xcode 26.4.
read more →

Apple Tests End-to-End Encrypted RCS in iOS 26.4 Beta

🔒 Apple has introduced end-to-end encryption for RCS messaging in the iOS and iPadOS 26.4 developer beta, enabling encrypted conversations between Apple devices during testing. The feature remains in beta and is not available for all devices or carriers, and it currently does not extend to non-Apple platforms such as Android. The release also introduces an opt-in for full Memory Integrity Enforcement and signals forthcoming Stolen Device Protection defaults.
read more →

Preparing for the Quantum Era: A Call to Secure PQC

🔐 Google issues a call to action to protect digital systems against quantum threats, outlining its post-quantum cryptography (PQC) work and policy recommendations. The company warns that large-scale quantum computers could break current public-key cryptography and cautions about 'store now, decrypt later' harvesting of encrypted data. Google commits to research transparency, completing PQC migrations within NIST guidelines, and strengthening crypto agility, critical shared infrastructure, and ecosystem readiness.
read more →

Amazon CloudFront Adds Mutual TLS Authentication for Origins

🔐 Amazon CloudFront now supports mutual TLS (mTLS) for origins, allowing origin servers to cryptographically verify that incoming requests originate from authorized CloudFront distributions. This certificate-based approach replaces custom solutions like shared-secret headers and IP allow-lists, reducing operational overhead and improving security for public and externally hosted origins. Customers may use client certificates issued by AWS Private Certificate Authority or third-party private CAs imported through AWS Certificate Manager, and can configure origin mTLS via the Console, CLI, SDK, CDK, or CloudFormation. Origin mTLS works with AWS-supported mutual TLS origins such as Application Load Balancer and API Gateway, as well as on-premises and custom origins, and is available at no additional charge.
read more →

Microsoft Fixes Outlook Bug Blocking Encrypted Emails

✅ Microsoft has issued a fix for a known issue that prevented Microsoft 365 customers from opening Encrypt Only messages in classic Outlook after a December update. Impacted users saw a message_v2.rpmsg attachment instead of readable content and a 'restricted permission' notice in the Reading Pane. Microsoft says the repair is available in the Beta Channel now and will roll to Current Channel and Current Channel Preview in February. Temporary workarounds are provided for users who cannot upgrade immediately.
read more →

Classic Outlook bug prevents opening encrypted emails

🔒 Microsoft is investigating a bug in the classic Outlook client introduced by Current Channel Version 2511 (Build 19426.20218) that prevents recipients from opening messages encrypted with Encrypt Only permissions. Impacted users may see a reading pane error asking them to verify credentials or encounter a message_v2.rpmsg attachment instead of readable content. The Outlook Team is working on a fix but has not provided an ETA. Microsoft recommends two temporary workarounds: have senders save encrypted messages before sending, or roll back to build 16.0.19426.20186.
read more →

AWS Direct Connect Opens First Hanoi Location in CMC Tower

🔌 AWS opened a new AWS Direct Connect location at the CMC Tower in Hanoi, Vietnam, enabling private, dedicated network access to all public AWS Regions (except China), AWS GovCloud Regions, and AWS Local Zones. The site offers dedicated 1 Gbps, 10 Gbps, and 100 Gbps connections, with MACsec encryption available for 10 Gbps and 100 Gbps links. This is the first Direct Connect location in Vietnam and is designed to deliver a more consistent network experience than internet-based connections. Organizations can use this location to establish private, physical connections between AWS and their data centers, offices, or colocation environments.
read more →

Implementing HSTS Across AWS Services for Cloud Apps

🔒 This AWS Security Blog post explains how to implement HTTP Strict Transport Security (HSTS) consistently across distributed AWS architectures using Amazon API Gateway, Application Load Balancers, and Amazon CloudFront. It presents concrete, service-specific configuration steps, example mappings and code snippets, and recommended curl commands to validate header delivery. The guidance highlights centralized header enforcement options to reduce fragmentation and align with the AWS Well-Architected Framework security principles. Practical advice covers testing, header override behaviors, and phased rollout using conservative max-age values before enabling preload in production.
read more →

Tor adopts Counter Galois Onion (CGO) for relay encryption

🔐 Tor has replaced its legacy tor1 relay encryption with a new design called Counter Galois Onion (CGO) to strengthen circuit traffic confidentiality and integrity. CGO is built on a Rugged Pseudorandom Permutation (RPRP) construction named UIV+ and provides wide-block encryption, tag chaining, per-cell key updates for immediate forward secrecy, and a 16-byte authenticator that removes SHA-1. The change is currently experimental in the C Tor implementation and the Rust client Arti, will be deployed transparently to Tor Browser users, and aims to block tagging and other malleability attacks with only modest bandwidth cost.
read more →

AWS Payments Cryptography Adds Hybrid Post-Quantum TLS

🔐 AWS Payments Cryptography now supports hybrid post-quantum TLS to protect API calls and long-lived data-in-transit using ML-KEM-based PQC. This helps enterprises mitigate “harvest now, decrypt later” risks by combining classical and post-quantum key establishment. Customers enable PQ-TLS by upgrading to a compatible AWS SDK or browser and can verify sessions via tlsDetails in CloudTrail. The capability is generally available across Regions at no added cost.
read more →

AWS VPC Encryption Controls: Audit and Enforce AES-256

🔒 AWS launched VPC Encryption Controls to simplify auditing and enforcement of encryption in transit within and across Amazon Virtual Private Clouds. You can enable it on existing VPCs to monitor encryption status of traffic flows, identify resources that permit plaintext, and generate audit logs for compliance. The feature can also transparently enable hardware-based AES-256 encryption on traffic between supported resources such as AWS Fargate, Network Load Balancers and Application Load Balancers.
read more →

EC2 Fleet Adds Encryption Attribute for ABIS Selection

🔐 Amazon EC2 Fleet now supports an encryption attribute for Attribute-Based Instance Type Selection (ABIS). You can set RequireEncryptionInTransit in InstanceRequirements to limit launches to instance types that support encryption-in-transit, addressing compliance with VPC Encryption Controls in enforced mode. The GetInstanceTypesFromInstanceRequirements (GITFIR) API previews eligible instance types. The feature is available in all AWS commercial and GovCloud (US) Regions. To start, set RequireEncryptionInTransit=true when calling CreateFleet or GITFIR.
read more →

Amazon CloudFront Adds TLS 1.3 Support for Origins

🔒 Amazon CloudFront now supports TLS 1.3 for connections to origins, automatically enabled across custom origins, Amazon S3, and Application Load Balancers with no configuration changes required. The upgrade provides stronger encryption and reduced handshake latency, delivering up to 30% faster connection establishment when an origin supports TLS 1.3. CloudFront will negotiate TLS 1.3 where supported while maintaining backward compatibility with older TLS versions. This support is available at no additional charge in all CloudFront edge locations and benefits sensitive workloads such as financial services, healthcare, and e-commerce.
read more →

Amazon API Gateway Adds Enhanced TLS Security Policies

🔐 Amazon API Gateway now supports enhanced TLS security policies for REST APIs and custom domain names, giving customers more granular control over encryption, cipher selection, and endpoint access. Policy options include TLS 1.3-only, Perfect Forward Secrecy, FIPS-compliant cipher suites, and Post Quantum Cryptography choices. The update, available in many AWS commercial Regions, aims to simplify compliance with stricter regulations and strengthen cryptographic posture.
read more →

Half of Satellite Traffic Unencrypted, Exposing Data

🔭 Researchers at UC San Diego and the University of Maryland showed that a <$750 motorized satellite‑TV kit can intercept large volumes of geostationary traffic. They captured 3.7TB from 411 transponders across 39 satellites and found roughly half of sensitive streams — including VoIP, SMS, in‑flight Wi‑Fi and military telemetry — were unencrypted. Some operators patched rapidly, but many did not respond. Users should adopt VPNs, end‑to‑end messaging and prefer encrypted cellular services.
read more →

Amazon OpenSearch Serverless Adds FIPS Endpoints in Regions

🔐 Amazon announced that Amazon OpenSearch Serverless now offers FIPS compliant endpoints for Data Plane APIs in US East (N. Virginia), US East (Ohio), Canada (Central), AWS GovCloud (US-East), and AWS GovCloud (US-West). The update brings the service into conformance with FIPS 140-3 cryptographic requirements. Customers in regulated or federal environments can use these endpoints to meet in-transit cryptography controls.
read more →

Chrome to Enable HTTPS-First Mode by Default in 2026

🔒 Beginning in April 2026 and completing in October 2026, Google will make the Always Use Secure Connections feature the default in Chrome, attempting HTTPS for all public site navigations and prompting users before loading non-HTTPS pages. The phased rollout starts with Enhanced Safe Browsing users in Chrome 147 and expands to all global users in Chrome 154. Internal addresses such as routers and intranets will be exempt, and Google reports early tests showed warnings on fewer than 3% of navigations, typically under one alert per week, while the browser will avoid repeatedly warning about frequently visited sites.
read more →

Signal Protocol's Path to Quantum-Resistant Messaging

🔒 Signal has moved to integrate post-quantum cryptography into its messaging stack to mitigate future quantum threats. Phase 1 uses PQXDH, a hybrid handshake combining X25519 with the KEM CRYSTALS-Kyber, to block harvest now, decrypt later attacks. Phase 2 adds SPQR, which runs alongside the Double Ratchet to form a hybrid Triple Ratchet, preserving forward secrecy and post-compromise security while handling larger key sizes, asynchrony, and message loss.
read more →

AWS Direct Connect Adds 10G/100G with MACsec in KC

🔒 AWS expanded 10 Gbps and 100 Gbps dedicated Direct Connect links with MACsec encryption at the Netrality KC1 facility near Kansas City, MO. Customers at this location can now establish private, direct network access to all public AWS Regions (except China), AWS GovCloud Regions, and AWS Local Zones. Direct Connect delivers a private, physical connection that can provide more consistent performance and lower latency than the public internet. AWS also notes there are over 146 Direct Connect locations worldwide.
read more →