Welcome to this March edition of SSL.com’s Security Roundup! Things have changed a lot over the past month, as we are all well aware, but with more time being spent online, there is plenty of news about SSL/TLS, digital certificates, and network security. This month, we’ll be covering:
As the COVID-19 pandemic continues across the country, everyone is working together to slow the spread of the virus through physical distancing and staying at home as much as possible. For many, that means working from home. Since that might be a new situation for many, we’ve written a few guides to help everyone stay safe online and steer clear of the online scams that have popped up.
This month, Krebs on Security noticed that some government sites weren’t even giving the best advice when it comes to online fraud, which is alarming. Luckily, our guides are much more informative. This month, we’ve warned about opportunistic scams that prey on COVID-19 fears in the hopes that you give up your valuable information willingly:
Among many others, Dan Goodin at Ars Technica has reported on scammers posing as University personnel and the World Health Organization, and Kaspersky Lab provides details of two phishing campaigns impersonating the US Centers for Disease Control and Prevention…Emails of this type are intended to dupe recipients into revealing sensitive personal information (such as passwords and credit card numbers), and/or installing malware on their device. For example, a message may appear to come from an employer or school official, but contain a link to a bogus web page with a form that harvests login credentials.
In addition to that very timely article, we recommend that you check out our more general guide to identifying phishing scams and our article that explains how anyone can figure out if a website is run by a legitimate business.
The COVID-19 pandemic is wreaking havoc across all industries, and software is not even close to exempt. (Earlier this month, concerns about software tests delayed the launch of the Mars Rover until 2022, for Pete’s sake.) In fact, the pandemic has caused Google to ditch version 82 of Chrome altogether and skip straight to 83. The change impacts all Chromium-based browsers, meaning that new releases of Microsoft’s Edge browser are also paused. Opera, Brave, Vivaldi, and Samsung browsers will be impacted as well. As Stephen Shankland at CNET notes:
The novel coronavirus and the COVID-19 infection it causes have hammered businesses, especially those that rely on shipping, factories and other real-world resources affected by lockdowns to slow the virus’ spread. Google’s announcement shows that even people who deal solely with computers for a living are also being affected. That’s because closed schools, telecommuting and other factors are affecting people whose jobs are already mostly virtual.
Finally, we would like to introduce you to CRLite, if you haven’t already met. CRLite is a newly-proposed standard that would send information about ALL revoked SSL/TLS certificates directly to browsers. Until now, revocation hasn’t really been reliable, as we have explained in our articles about how browsers have handled revoked certificates to date, and the Online Certificate Status Protocol (OCSP). CRLite has the potential to transform a problem that, up until now, had only unreliable and cumbersome “solutions,” by integrating information about revoked certificates right into browsers. For a concise overview of CRLite, we recommend checking out Mozilla’s Security Blog or the GitHub FAQs. From Mozilla’s intro:
CRLite is a technology proposed by a group of researchers at the IEEE Symposium on Security and Privacy 2017 that compresses revocation information so effectively that 300 megabytes of revocation data can become 1 megabyte. It accomplishes this by combining Certificate Transparency data and Internet scan results with cascading Bloom filters, building a data structure that is reliable, easy to verify, and easy to update.
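To make the "cascading Bloom filters" idea concrete, here is an added example of the filter-cascade construction in Python; it is not Mozilla's or SSL.com's code. The certificate identifiers, filter sizes and hash count are constructed for illustration; a real CRLite build takes the set of all unexpired certificates from Certificate Transparency logs rather than from a hand-built list.

```python
import hashlib

class BloomFilter:
    """Minimal Bloom filter: m bits, k positions from SHA-256(level, i, item).
    The level number is mixed into the hash so each cascade level hashes independently."""
    def __init__(self, m, k, level):
        self.m, self.k, self.level = m, k, level
        self.bits = bytearray((m + 7) // 8)
    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(f"{self.level}:{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m
    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
    def __contains__(self, item):
        return all((self.bits[p >> 3] >> (p & 7)) & 1 for p in self._positions(item))

def build_cascade(revoked, valid, bits_per_item=8, k=3):
    """Level 0 holds the revoked set; level 1 holds the valid certs level 0 falsely
    matched; level 2 the revoked certs level 1 falsely matched; stop when no FPs remain."""
    levels, include, exclude = [], set(revoked), set(valid)
    while include:
        f = BloomFilter(max(64, bits_per_item * len(include)), k, len(levels))
        for x in include:
            f.add(x)
        levels.append(f)
        false_positives = {x for x in exclude if x in f}   # what this level lies about
        include, exclude = false_positives, include        # next level corrects them
    return levels

def is_revoked(cascade, cert_id):
    """Walk the levels until one does not contain cert_id. Even levels encode revoked
    certs and odd levels valid ones, so an odd number of matches means revoked.
    This is exact for every certificate the cascade was built from."""
    depth = 0
    for f in cascade:
        if cert_id not in f:
            break
        depth += 1
    return depth % 2 == 1

# Constructed sample universe (issuer:serial strings); CRLite gets this from CT logs.
REVOKED = {f"issuer-A:serial-{i:04x}" for i in range(200)}
VALID = {f"issuer-A:serial-{i:04x}" for i in range(200, 2200)}

if __name__ == "__main__":
    cascade = build_cascade(REVOKED, VALID)
    print(f"{len(cascade)} levels, {sum(f.m for f in cascade)} bits total")
```

Every queried certificate must be one the cascade was built from; that is why CRLite pairs the filters with Certificate Transparency data, and why a browser must fall back to OCSP for a certificate it cannot find in the logs.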