29 August 2017 at 10:52am
Encryption is a powerful security tool, but one that is very easy to misuse and implement poorly. The past years have seen several vulnerabilities and events that we have had to respond to: HEARTBLEED, BEAST, POODLE, the retirement of SHA1 certificates, and PCI DSS mandating TLS 1.1. We have spent a lot of time and effort ensuring that our own systems are well managed, and it is important that our suppliers are able to keep pace with changes in how we want to use encryption. This has led us to start including requirements for encryption within procurements.
21 June 2016 at 3:18pm
Shortly after the recent attacks on TalkTalk the Culture, Media and Sport Committee decided to hold an inquiry into the circumstances surrounding the data breach, but also the wider implications for telecoms and internet service providers.
Jisc evidence to Culture, Media and Sport Committee enquiry into Cyber security: Protection of Personal Data Online
16 November 2015 at 4:27pm
HTTP Strict Transport Security (HSTS) allows a site to specify that not only should all future references and requests to the site use HTTPS rather than HTTP, but that if any failures to encrypt traffic to or from the site occur, access to the site should be completely blocked by the browser. Even with manual intervention, the user is unable to click past the errors and continue to the site.
8 May 2017 at 2:38pm
[I've updated this 2015 post to refer to the section numbers in the Investigatory Powers Act 2016. As far as I can see, the powers contained in the Act are the same as those proposed in the draft Bill]
30 October 2015 at 12:00pm
In the week since the TalkTalk breach there's been commentary on encryption of data, particularly with their CEO's comments that they were not legally required to encrypt data. Of course encrypting the storage of data at rest is a common sense control against a range of threats such as physical theft or loss of the storage device.
27 July 2015 at 4:18pm
Recent news has nicely coincided with my drafting of an encryption policy as part of our Information Security Management System. “Logjam” joins a growing number of vulnerabilities in cryptosystems such as Heartbleed, BEAST and POODLE.
11 February 2014 at 8:03pm
Most portable devices – laptops, smartphones and memory sticks – should be encrypted so that the information they contain is protected if the device is lost or stolen. Many countries (including the UK) give their immigration and other authorities legal powers to demand that you decrypt an encrypted device, though given the number of laptops that cross borders every day, only a tiny minority seem to be subject to such demands.
22 October 2013 at 11:48am
The amount of information stored in encrypted form is steadily increasing, supported by recommendations from the Information Commissioner and others. When deciding to adopt encryption, it’s worth planning for what might happen if the police or other authorities need to access it in the course of their duties.
H.320 (ISDN) videoconferencing users have been accustomed to assuming that videoconference sessions are private, thanks to the point-to-point circuit-switched nature of their ISDN calls. The ISDN network is not so readily accessible to the public, and thus not as liable to be snooped.