A lot of newsworthy cybersecurity events occurred throughout May. But before we discuss those, we will open up this newsletter with two new important policy changes made by the Certificate Authority/Browser (CA/B) Forum for SSL and code signing certificates.
Organizational Unit (OU) soon to be deprecated in public SSL/TLS certificates
As per the results of ballot SC47V2, the Certificate Authority/Browser (CA/B) Forum has voted to deprecate the Organizational Unit (OU) field for public SSL/TLS certificates, with the deadline set on September 1, 2022.
The CA/B Forum has determined that the Organizational Unit can be interpreted very differently in every company, and therefore poses problems for a Certificate Authority when it comes to authenticating it using external resources. Removing the OU field prevents uncertain information from being included in the SSL/TLS certificate and improves the validation process.
We at SSL.com want to ensure that the transition to this new rule will be smooth for our customers. In the following months, we will be sending out reminders and updates about the September 1st deadline.
New key storage requirements for OV and IV Code Signing Certificates
Starting June 1, 2023, in compliance with the CA/Browser Forum’s new key storage requirements to increase security for code signing certificates, SSL.com’s Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates will only be issued either on Federal Information Processing Standard 140-2 (FIPS 140-2) USB tokens or through our eSigner cloud code signing service.
Huge podcast downtime caused by Spotify failing to renew their SSL certificate
And now, on to some news clips involving digital certificates. First off, Spotify made headlines when a podcast platform it owns experienced significant downtime. Due to an expired SSL certificate, Megaphone’s podcast listeners were not able to access many of their shows for eight hours.
In a statement, Spotify spokesperson Erin Styles confirmed the cause of the incident: “Megaphone experienced a platform outage due to an issue related to our SSL certificate. During the outage, clients were unable to access the Megaphone CMS and podcast listeners were unable to download podcast episodes from Megaphone-hosted publishers.”
Megaphone acquired a two-year SSL certificate in May 2020 and in December of that same year, the company was purchased by Spotify. This change of ownership could have contributed to an oversight on the security management of Megaphone’s website.
One podcaster remarked that the glitch might have cost podcast show publishers thousands of downloads because they could not upload their content for eight hours.
This is not the first time that a big company has forgotten to renew its SSL certificate. In April 2015, Instagram’s expired SSL cert resulted in its users getting security warnings. If we combine the costs of customers being affected and the severe security risks that come with an expired certificate, companies stand to lose a lot with this simple mistake. According to Maria Korolov of CSO, “the average global 5,000 company spends about $15 million to recover from the loss of business due to a certificate outage — and faces another $25 million in potential compliance impact.”
SSL.com’s Takeaway: The case of Megaphone demonstrates the challenge that large organizations face when it comes to being able to effectively manage their SSL certificate renewals on their own. Big companies deal with a lot of operations and IT management is simply not their forte. This is the reason why we have partnered with Venafi – a global leader when it comes to automated management of digital certificates. With the SSL.com Adaptable Driver for Venafi, it is now easier than ever for companies to automate certificate provisioning, keep up on expirations and revocations, protect client access and easily manage encryption services. Head over to our article to read the full integration features of our adaptable driver as well as how to download it. Additionally, because one of our primary objectives is to promote widespread website security, we also offer the popular Automated Certificate Management Environment (ACME) for SSL/TLS Certificate Automation. As a well-documented, open standard with many available client implementations, ACME is widely adopted as an enterprise certificate automation solution. We are happy to say that our customers take advantage of this protocol to easily automate SSL/TLS website certificate issuance and renewal and protect their websites in a timely manner. Take some time to read the full advantages of SSL.com ACME.
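The two certificate checks this newsletter calls for, as an added example (not SSL.com's, Venafi's or Megaphone's code): whether a certificate's subject still carries the OU field that ballot SC47V2 removes from public SSL/TLS certificates after September 1, 2022, and how many days remain before it expires, with a renewal warning window like the one Megaphone lacked. It builds a constructed self-signed certificate with Go's standard library so it runs offline; the hostname and OU values are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed test certificate (a constructed sample, not a real
// SSL.com or Megaphone certificate) with the given subject OU values and lifetime.
func makeCert(ou []string, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "podcast.example", OrganizationalUnit: ou},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Check reports whether cert still carries a subject OU (not allowed in public TLS
// certificates after 2022-09-01), the whole days left until NotAfter as seen at now
// (zero or negative once expired), and whether renewal is due within warnDays.
func Check(cert *x509.Certificate, now time.Time, warnDays int) (hasOU bool, daysLeft int, renewalDue bool) {
	daysLeft = int(cert.NotAfter.Sub(now).Hours() / 24)
	return len(cert.Subject.OrganizationalUnit) > 0, daysLeft, daysLeft <= warnDays
}

func main() {
	issued := time.Date(2020, 5, 1, 0, 0, 0, 0, time.UTC) // two-year cert, as in the Megaphone story
	cert, err := makeCert([]string{"Podcast Ops"}, issued, 730)
	if err != nil {
		panic(err)
	}
	hasOU, daysLeft, due := Check(cert, issued.AddDate(2, 0, 0), 30)
	fmt.Printf("OU present: %v, days left: %d, renewal due: %v\n", hasOU, daysLeft, due)
}
```

In production the certificate would come from a TLS handshake or a PEM file rather than makeCert, and a monitoring job would run Check against the current time and alert when renewalDue is true.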
Tor-concealed website discovered to be offering cheap and customizable malware bundles
Eternity Project, a website concealed in Tor, has been revealed to be selling malware bundles, including stealers, worms, miners, and ransomware for an annual rate as low as $260. The convenient access to malware provided by Eternity is a matter of concern as it coincides with the increasing cases of phishing, DDoS, and ransomware attacks in recent years.
Just last April, Resecurity discovered a new Phishing-as-a-Service called Frappo which was being used to produce highly devious phishing pages for large online banking websites, e-commerce sites, and well-known retail brands. The developers of Frappo have gone to such extents as to provide technical support and updates, with their most recent targets being Uber and 20 financial institutions.
Jeff Burt of The Register explains how the easily accessible malware being sold by Eternity multiplies the risks faced by businesses and organizations: “With malware-as-a-service, the programmer has various opportunities to make money from their work. They can use their malware themselves to bag ill-gotten gains; bring in cash by leasing or selling the code; and charge for support and related services. At the same time, crooks who don’t have the skills or time to develop their own malicious code can simply buy it from someone else.”
SSL.com’s Takeaway: Malware-based attacks cost companies worldwide billions of dollars every year, and paying cybercriminals is increasingly discouraged because evidence shows that there is no assurance that they will be true to their words once they are paid. Malicious actors are getting bolder and less afraid of targeting large organizations and businesses. More than ever, you should improve your cybersecurity defenses. If you are a developer/publisher or a company owner and you are seeking to protect your software assets from malware-based attacks, you can look at the features of our EV Code Signing Certificates which strongly prevent tampering of applications and programs. If you wish to defend your email accounts from phishing attacks and prevent unauthorized access to your critical systems, you can also take a look at our Personal Pro Email and ClientAuth Certificate.
Users can sign code with eSigner’s cloud-based Extended Validation Code Signing capability. Click below for more info.
Singapore replaces paper-based birth and death certificates with digitally-coded electronic documents
Starting last May 29, Singapore stopped issuing physical birth and death certificates for its citizens in favor of digital copies for these documents. This also entailed an online shift when it comes to registration of births and deaths. Singaporeans previously had to register a birth certificate at the hospital or at the Immigration and Checkpoints Authority (ICA).
According to Singapore’s ICA, this change is part of their government’s mandate to digitize public services. Now that birth and death certificates can be registered, downloaded and stored in desktop computers or mobile phones, Singapore’s residents are finding it more convenient to deal with the process.
As of May 30, 6 pm Singapore Standard Time, ICA had released 219 digital birth certificates, double the daily average for physical birth certificates. If this trend continues, the number of digital certificates processed each year is expected to exceed the past five-year annual average for physical birth certificates, which was 39,100.
This major change is seen as a strategy to provide better validation and authentication processes for these important documents. According to ICA, “Government agencies and private entities, such as industry associations and financial institutions, can use QR codes included on all digital certificates to verify their authenticity. The QR code will be linked to an ICA system where details on the digital certificate can be verified against ICA’s database.”
Digitizing birth and death certificates is an innovative policy on the part of Singapore. Aside from being more efficient than manual processes, digital registration and storage are safer and more cost-effective. Compared to paper-based documents, digital documents cannot be damaged by fire and other hazards and do not require a lot of physical space to be maintained. They also offer stronger validation and authentication features, because the QR codes placed on birth and death certificates are digital codes that protect these documents from tampering more effectively than handwritten signatures.
SSL.com’s Takeaway: The QR code system being used by Singapore for its new digital birth and death certificates offers benefits similar to those of our document signing digital certificates. Using industry-standard data encryption, SSL.com’s document signing certificates can digitally sign electronic documents to prove who the owner of the documents is and ensure that these have not been altered since they were signed. Our doc signing certificates satisfy the U.S. Federal ESIGN Act and the laws of many other nations, making them legally acceptable worldwide. Additionally, our document signing certificates can be enrolled into our eSigner cloud signing service, which allows our users to securely sign their documents from any internet-connected device. The digital revolution implemented by Singapore for its public records validates the long-term vision of SSL.com when it comes to advocating for digital-based transactions, data storage, and administration of critical assets. Head over to our PKI and Digital Certificates for Government article to learn more about how we help government institutions strengthen their cybersecurity.