October 2019 Security Roundup

 

Welcome to the October 2019 edition of SSL.com’s Security Roundup, an end-of-month digest where we highlight important developments in the field of SSL/TLS, digital certificates, and digital security.

On the browser front this month, Google has decided to start blocking mixed content in Chrome, and Mozilla Firefox has been named the most secure browser by Germany’s information security agency.

In other security-related news, Google’s Pixel 4’s Face Unlock system currently lacks an alertness check, Linux users should upgrade sudo, and Google researchers have published a paper in Nature detailing advances in quantum computing.

Google to Block All Mixed Content in Chrome

 

The Chromium blog announced on October 3, 2019 that Chrome will soon begin blocking all mixed content, a condition where subresources of an HTTPS website are loaded insecurely over HTTP. Up until this time, browsers have been blocking active mixed content such as scripts and iframes. Chrome will now begin to block passive mixed content (e.g. images, audio, and video), which also present security risks. For example,

an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between.

Google’s move to block mixed content will take place in a series of steps beginning with Chrome 79 (stable release in December 2019) and continuing through Chrome 81 (early release in February 2020).

To avoid breaking the web insofar as possible, Chrome will attempt to automatically upgrade HTTP resources to HTTPS (if available), and users will permitted to enable mixed content on a site-by-site basis.

SSL.com’s takeaway: Google’s action is just the latest of multiple good reasons to ditch mixed content on your websites, and we expect that other browsers will follow suit sooner rather than later. Read SSL.com’s article, HTTPS Everywhere: Remove Mixed Content To Improve SEO, and then make sure that your website is configured to serve all resources with HTTPS.

German Agency Names Firefox “Most Secure Browser”

 

An audit by Germany’s Federal Office of Information Security (in German, the Bundesamt für Sicherheit in der Informationstechnik, or BMI) has declared that Mozilla Firefox was the only browser tested that met the agency’s recently-updated minimum requirements to be considered sichere (pardon our Deutsche). According to ZDNet,

The BSI normally uses this guide to advise government agencies and companies from the private sector on what browsers are safe to use.

Tested browsers included Firefox 68, Chrome 76, IE 11, and Edge 44. ZDNet’s article also states that the tests “did not include other browsers like Safari, Brave, Opera, or Vivaldi.”

SSL.com’s takeaway: We like Firefox, but also note, in light of current browser UI trends, that BMI’s guidelines mandate that secure browsers “must support extended validation (EV) certificates.” It also seems worth pointing out that the guidelines indicate that browsers “must verify loaded certificates against a Certification Revocation List (CRL) or an Online Certificate Status Protocol (OCSP).” (Please see our recent article on browser revocation checking for more on this subject.)

Stay Awake Around Your Pixel 4

 

As discovered by Chris Fox at the BBC, Google’s Pixel 4 smartphone has a Face Unlock system that “can allow access to a person’s device even if they have their eyes closed.” In contrast, Apple’s iOS Face ID does include an alertness check that makes sure that the user is awake and looking at the phone. For its part, Google says that it will fix the problem “in the coming months.”

SSL.com’s takeaway: If you own a Pixel 4, we recommend disabling the Face Unlock feature by enabling lockdown mode until Google adds a check for alertness. Alternately, you could just avoid sleeping (or dying) near your Pixel 4 until a fix arrives.

Sudo Flaw Lets Users Run Commands as Root

 

An October 14 story in the Hacker News (thehackernews.com, not news.ycombinator.com) outlines a newly-discovered vulnerability in the commonly-used sudo command that “could allow a malicious user or a program to execute arbitrary commands as root on a targeted Linux system even when the ‘sudoers configuration’ explicitly disallows the root access.”

The security flaw, which depends on a specific configuration of the /etc/sudoers file, affects all versions of sudo prior to 1.8.28. It can be exploited by specifying the user ID -1 or 4294967295 on the command line.

SSL.com’s takeaway: Update sudo ASAP if you haven’t done so already.

Quantum Computing Breakthrough at Google

Bloch Sphere
Source: Wikimedia Commons

On October 23, researchers at Google published a paper in Nature, reporting that their new quantum processor, “Sycamore,”

takes about 200 seconds to sample one instance of a quantum circuit a million times—our benchmarks currently indicate that the equivalent task for a state-of-the-art classical supercomputer would take approximately 10,000 years.

However, a CBS news article indicates that some controversy surrounds the finding, with IBM researchers stating that Google had “underestimated the conventional supercomputer, called Summit, and said it could actually do the calculation in 2.5 days.” Possibly not coincidentally, Summit was developed by IBM.

SSL.com’s takeaway: The dangers posed to Internet security by quantum computing aren’t here quite yet, but it’s wise to keep an eye on developments in this field. Of particular note is the potential vulnerability of ECDSA keys to an implementation of Shor’s algorithm on a sufficiently-large quantum computer.
Thank you for visiting SSL.com, where we believe a safer Internet is a better Internet! You can contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.