Welcome to this April edition of SSL.com’s Security Roundup! Many of us have been cooped up inside this past month, but life online is still going strong, which means we have plenty to round up when it comes to digital security. This month we’ll be taking a look at:
- Microsoft postpones TLS 1.0 and 1.0 deprecation
- HTTPS-only mode in Firefox 76
- Expanded Client Certificate Access for Firefox 75
- An open-source alternative to Zoom
Though Microsoft had planned to disable Transport Layer Security (TLS) versions 1.0 and 1.1 sometime this spring, the company announced that “in light of current events” that plan will now be postponed to the end of the year.
While that may sound like a convenient excuse for not taking action, ghacks.net reports that a widespread pledge among browsers to disable the security protocols did, indeed, become an issue during the pandemic. They write:
Some, like Mozilla, went ahead with the change but reverted it when it became clear that some government sites still relied on these protocols. Users of Firefox could not access these sites anymore because of the disabled protocols. Mozilla re-enabled the protocols to make sure that Firefox users worldwide are able to access important sites in a time of crisis.
Right now, Microsoft plans to release a new Chromium-based Microsoft Edge version 84r in July where TLS 1.0 and 1.1 will be disabled by default. Microsoft Internet Explorer 11 and Classic Microsoft Edge will disable the protocols on September 8.
Mozilla has announced that they will offer users an HTTPS-only mode in version 76 of the Firefox browser. According to Softpedia the feature will serve to push the few stragglers clinging to HTTP over to the secure HTTPS protocol. Once activated in the browser, HTTP sites would no longer load. Instead, the browser will attempt to upgrade the connection to HTTPS. If that’s not available, for now users will get a “Secure Connection Failed” warning that can either be heeded or ignored.
Firefox 76 will only be offering this more-secure browsing as an option right now – not as a default – so users will have to opt-in for the HTTPS-only experience.
In more good news about Firefox, Mozilla announced that they will be simplifying client certificate usage in version 75 of the browser by allowing it to access the operating system certificate store on Windows and macOS. Up until this point, users of Firefox have had to work with client certificates in the browser by loading a third-party library to communicate with hardware tokens or importing certificates and private keys into the browser’s own certificate store. That isn’t the most secure way to go about things, and can cause stability issues as well.
Now, like Chrome and other browsers, Firefox has developed its own library to interface with OS certificate storage. From the blog:
Rather than loading third-party libraries to communicate with hardware tokens, Firefox can delegate this task to the operating system. Also, instead of forcing the user to export client certificates and re-import them into their Firefox profile, Firefox can look for these certificates directly. In addition to protecting private keys, this new mechanism allows Firefox to make use of client certificates with unexportable keys… We expect this feature to be of great benefit to our enterprise users who have previously gone to great lengths to configure Firefox to work in their environment.
Zoom made a lot of headlines last month. First, everyone jumped on Zoom to connect to work, friends and family from home while under orders to stay at home to prevent the spread of coronavirus. Then, everyone ran away when security issues arose and were worked on. Meanwhile, alternatives emerged.
Jitsi Meet from 8×8 offers an open-source option for videoconferencing that has features like password protection. And, as Wired notes, there are distinct advantages to having open source software that allows for modifications by the developer community:
The fact that anyone can modify and share Jitsi’s code means that others can build the tool into their software. WeSchool did that. So did open-source chat software service Riot, which uses Jitsi for its video chat component. Ivov says 8×8 benefits from these sorts of projects because they test how Jitsi’s code performs on different devices and in different environments. That helps the core Jitsi development team improve the software for both open-source users and paid 8×8 customers.
Right now, Jitsi only offers end-to-end encryption for their one-on-one calls, not conferences of more than two people (which require the use of a centralized server that needs to decrypt the data)/ However, they are working on expanding end-to-end encryption to those larger calls.