Friday Security Roundup – December 18, 2015

Happy birthday, HTML 4.0!

There were earlier versions of Tim Berners-Lee’s HyperText Markup Language dating back to 1993, and a lot of folks upstream who contributed concepts to what became HTML (from Vannevar Bush to Jorge Luis Borges) – but today marks exactly eighteen years since the specs were released for HTML 4.0.

The first web server
The first web server – yes, it IS a NeXT box. Good eye.

That version (well, the tweaked 4.01) is what the world wide web was built on, and everything we can do with and on the Internet today is only possible because HTML 4 proved robust, scalable and almost ridiculously extensible – and of course, because it can be secured by SSL/TLS.

Berners-Lee’s baby is still evolving, and the latest implementation (HTML5) introduces both new abilities and new security issues, sometimes in the same feature – but you can trust to be here to help you navigate the evolving security landscape…and of course to report on what security issues we’ve been following this week.

Image: Robert Scoble, Wikimedia Commons


IMPROVED: Security in iOS banking apps, as tested by security consultancy IOActive Labs.
That computer in your pocket is used for very important things – selfies, checking Yelp reviews, occasionally voice communications – and increasingly for banking. As far back as 2013 Bank of America reported that more people accessed their account through their mobile app than their online login. IOActive’s Ariel Sanchez surveyed iOS banking apps in January 2014 and found a staggering number of security flaws. Returning to the subject this year, Sanchez notes a lot of improvement, but many apps still contain serious vulnerabilities. All of the surveyed apps require an HTTPS connection, but one in ten fail to properly validate the bank’s SSL certificate – this can allow man-in-the-middle attacks.

Status: A ten percent SSL authentication failure rate is disturbing indeed – but (thanks partly to IOActive’s research and reporting) that’s actually down from forty percent only two years ago. Any improvement is to be applauded, we guess – and we’ll suggest some SSL tips for mobile users in the upcoming year.
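As an added illustration (not from the article or from IOActive’s survey), the Python snippet below contrasts a TLS client context configured the way the flawed apps behave, which accepts any certificate the other end presents, with one that requires a trusted certificate and a matching hostname; a small audit function flags the weak settings a reviewer would look for. The function names are our own.

```python
import ssl
from typing import List


def weak_context() -> ssl.SSLContext:
    """Mirror the defect the survey describes: TLS is negotiated, but the
    server certificate is never checked against a trust store or the expected
    hostname, so an interposed certificate is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a banking client should use: the platform trust store,
    mandatory certificate verification, hostname matching, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of weaknesses found in a client context
    (empty list means the context passes this audit)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def secure_socket(ctx: ssl.SSLContext, sock, host: str):
    """Wrap an already-connected TCP socket; server_hostname is what makes
    hostname checking possible (SNI plus certificate name matching)."""
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("weak:", audit_tls_context(weak_context()))
    print("hardened:", audit_tls_context(hardened_context()))
```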


APPROVED, by the Securities and Exchange Commission:’s plan to issue stock online, using the same blockchain that powers Bitcoin.
A blockchain is “a shared, trusted, public ledger that everyone can inspect, but which no single user controls” – and state-of-the-art cryptography protects the integrity of a blockchain’s info. Though mostly known for enabling “cryptocurrencies”, newer uses for blockchain technology have been mooted. The first moves are now being made, and other players are moving into the field: some 40-odd banks have signed on with R3’s (proprietary) distributed blockchain system, while the Linux Foundation’s Open Ledger Project intends to use a similar design to create an open-source alternative.

Status: So we’re moving into a brave new world where cryptography underpins and authenticates pretty much everything? We’re comfortable with that – as long as the crypto itself is trustworthy…


CONFUSED, by multiple parties: The difference between wishing and math.
Even as enterprises like banks see new uses for strong cryptography, we note calls by several public figures for “backdoors” or “workarounds” in encryption to fight criminals and terrorists. In the wake of attacks in Paris and San Bernardino (neither of which apparently depended on cryptography) various proposals have been floated for so-called “golden key” solutions – secret backdoors in encryption for legitimate entities. Unfortunately, this scheme is held to be imaginary, unworkable or worse by folks who actually implement security for real-world uses. As Apple CEO Tim Cook recently said, “You can’t have a backdoor that’s only for the good guys”. Further, a “golden key” would be a very attractive target to hackers, and the US government’s record on securing confidential information is shaky at best.

As well as weakening internet security with intentionally broken software, these proposals would be dreadful to implement, costly to maintain, raise huge liability issues – and drive global business away from American companies.

Status: Deja vu all over again. We’ve been here before. Intentionally weakening crypto back in the 1990s cost US companies unknown billions in lost business back then – and directly enabled the serious FREAK attack in 2015. It’s possible that the folks calling for magic backdoors have never, say, entered their credit card number on Amazon, or their social security number on a healthcare website. If they had, they might realize that what’s protecting their information, money and reputation are the same security methods they seek to intentionally cripple.

We will follow this story with interest.

As always, thanks for reading these words, and remember what we truly believe here at – a safer internet is a better internet.

Image: Wikimedia Commons