SSL.com’s Friday Security Roundup – April 3, 2015


From the part of Texas where we count down the days ’til hurricane season – it’s the Good Friday Security Roundup! SSL.com presents a short trot through the security issues that we’ve been following this week:

Quis custodiet ipsos custodes, mate?

Allowed to expire, by London’s Metropolitan Police Department: the SSL certificate for their online crime reporting service (at https://online.met.police.uk/) – meaning folks reporting sensitive, confidential and possibly life-threatening matters were sending it in the clear (if they actually continued past the “This Site Is Not Trusted!” warning).

Status: Certificate renewed. Say, did you know that SSL.com customers can set up to five renewal reminders for expiring certificates via their account management dashboard? Ahem.
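Renewal reminders only help if something is actually watching the expiry date. The script below is an added example (not SSL.com’s tooling, and not anything the Met Police ran) showing the kind of check a cron job or monitoring agent can run against a certificate file: it uses the `openssl x509 -checkend` option to ask whether the certificate expires within a threshold number of days. It assumes the `openssl` command-line tool is installed, and it generates its own throwaway self-signed certificate valid for 30 days so the demonstration runs offline; the file names and the `renewal-check.example` subject are constructed for the demo.

```shell
#!/bin/sh
# Added example: warn when an X.509 certificate is close to expiry.
# Requires the openssl CLI. The certificate used by demo() is constructed
# locally so the check runs offline; point cert_days_ok at a real file in
# production.

# Return 0 if the certificate in $1 stays valid for at least $2 more days,
# 1 if it expires sooner (or has already expired), 2 if it cannot be parsed.
cert_days_ok() {
    cert="$1"
    days="$2"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend takes seconds and exits non-zero if the cert expires within them
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Print the notAfter date for a human reader (e.g. in a cron mail).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Build a throwaway self-signed certificate valid for 30 days (constructed
# test input, not a real site certificate). Writes $1 and $1.key.
make_short_lived_cert() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=renewal-check.example" \
        -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Demonstrate the check against two reminder thresholds: 7 days (fine for a
# 30-day cert) and 45 days (should trigger a renewal warning).
demo() {
    tmp="${TMPDIR:-/tmp}/renewal-demo.$$.pem"
    make_short_lived_cert "$tmp"
    echo "certificate expires: $(cert_not_after "$tmp")"
    for threshold in 7 45; do
        if cert_days_ok "$tmp" "$threshold"; then
            echo "OK: more than $threshold days left"
        else
            echo "WARNING: expires within $threshold days, renew now"
        fi
    done
    rm -f "$tmp" "$tmp.key"
}

demo
```

Run it as `sh check_expiry.sh`; for a real deployment, drop the `demo` call, run `cert_days_ok /path/to/site.pem 30` from cron, and page someone on a non-zero exit. The 2× return code is deliberate: an unreadable file is a different failure from an expiring certificate and should not be silently treated as "fine".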


Caaaaaage Maaaaaaatch

Blacklisted, by Google and Mozilla: new SSL certs ultimately authorized by China’s official CA, CNNIC, due to “egregious” flaws in their trust management and cert issuance schemes.

Status: Ongoing, and fixing a big bowl of popcorn. See our own K. Paul Mallasch’s take on the initial issue, and watch for updates – it will be interesting to see how this plays out.


The Real Problem, Part 1: That Pesky Desire for PRIVACY.

As declared by someone who wants to read your mail: Europol Director Rob Wainwright would prefer you not encrypt your information, please – apparently it’s used by “dangerous people” on the internet.

The Real Problem, Part 2: Not Enough People want PRIVACY.

As declared by the folks who invented HTTPS Everywhere: the Electronic Frontier Foundation notes that properly configured SSL protection would have mitigated the recent DDoS attacks on GitHub.

Status: A debate that has gone on since locks were invented – who gets access to the keys? SSL.com stands with the EFF on this one – not only is your data yours, to protect it as you see fit, but properly implemented SSL can help work against a range of untoward actions like the GitHub attack.

Opportunistic Encryption to Reduce Opportunistic Infections

Instructed by Mozilla: the newest releases of Firefox now encrypt all traffic wherever possible using the nascent technology known as opportunistic encryption, or OE.

Status: A good idea. OE uses unauthenticated encryption over TLS to protect data when possible, keeping prying eyes from your information and helping especially with legacy content currently served over HTTP – although Mozilla themselves recommend using SSL whenever you can.
UPDATE: As reported by Ars Technica and others, Mozilla has (via the Firefox 37.0.1 update) rolled back this still-basically-fine but not-ready-for-prime-time idea – seems that as implemented it “allowed malicious websites to bypass HTTPS protections,” which we can all agree is a Bad Thing. More as we know more.

Maybe the Mistake Was Using Outlook?

Released by accident: personal information (such as passport numbers) for the leaders of the most powerful nations on Earth, due to either human error or Microsoft interface design – take your pick. (Autofill? More like auto-FAIL, amirite?)

Status: Hard to protect against human mistakes or Microsoft design choices. (Also, maybe research STARTTLS, guys?)

Check back next week for more of what we’re keeping up with here at SSL.com, where we truly believe a safer internet is a better internet.