October 2020 Security Roundup

New government call for encryption backdoors, Android 11 cert restrictions, Zoom e2e encryption, and an address bar spoofing vulnerability.


Welcome to the October edition of SSL.com’s Security Roundup! For this very special Halloween edition, we’ve kept our content exactly the same. After all, what’s spookier than digital security worries and faulty encryption?

And did you know that SSL.com now has an email newsletter too? Fill out the form on our website to receive PKI and digital security news like this, plus information about products and services from SSL.com. (You can easily unsubscribe at any time by clicking the unsubscribe link in each email we send.)

US Joins Six Countries in New Call for Backdoor Encryption Access

Once again, those in power are calling for so-called “back doors” to encryption. This time, according to The Verge, the US is joining with the United Kingdom, Australia, New Zealand, Canada, India and Japan in an international statement that asks for access for law enforcement agencies. Russell Brandom writes:

The Justice Department has a long history of anti-encryption advocacy. In 2018, five of the seven participating countries expressed similar misgivings in an open memo to tech companies, although the memo resulted in little to no progress on the issue from the industry. At each turn, tech companies have insisted that any backdoor built for law enforcement would inevitably be targeted by criminals, and ultimately leave users less safe…Crucially, the seven countries would not only seek to access encrypted data in transit — such as the end-to-end encryption used by WhatsApp — but also locally stored data like the contents of a phone.

Unsurprisingly, tech companies and privacy advocates have spoken out against the statement, as well as other attempts to thwart encryption by the powers that be.

SSL.com’s takeaway: No matter how many letters are written, SSL.com does not agree with opening backdoors to encryption. Not only do they pose a greater threat to security than their absence, they also undermine privacy in a real and dangerous way.

Android 11 Tightens Restrictions on CA Certificates

Tim Perry reports in Android Toolkit that Android 11, which was released on September 11, makes it “impossible for any app, debugging tool or user action to prompt to install a CA certificate, even to the untrusted-by-default user-managed certificate store. The only way to install any CA certificate now is by using a button hidden deep in the settings, on a page that apps cannot link to.”

Why is this important? Well, though CA management should be carefully controlled, there are legitimate reasons for apps to influence which CAs are trusted. Developers use user-installed CA certificates to intercept and inspect their own app’s traffic during testing, for example, and this change makes that much harder. Still, it’s hard to argue that the change is a loss when viewed through the lens of security: apps prompting users to install root certificates can lead to all sorts of problems, such as letting an attacker impersonate websites and decrypt the user’s internet traffic.

SSL.com’s takeaway: While Android developers may bemoan their newfound inability to install CA certificates via apps, tightening controls over Android’s certificate stores can also be viewed as a victory for privacy. See this piece from the Electronic Frontier Foundation, which celebrates Android 11’s more detailed and explicit user interface for certificate installation.

Zoom Says End-to-End Encryption Is Ready

It’s been a big year for Zoom, a company that first made headlines as a way for all of us to be connected during the pandemic lockdown, and then made headlines for allowing unwanted folks to connect to everyone too, due to security issues. In a recent move to improve privacy and security, Zoom has announced that its implementation of end-to-end encryption is ready for a preview.

Of course, as an article by Simon Sharwood in The Register points out, Zoom claimed to have their own brand of “end to end encryption” in April, but at that time the company’s application of TLS and HTTPS meant that Zoom itself could intercept and decrypt chats—traffic was encrypted only “from Zoom end point to Zoom end point.” Now Zoom has announced it will be offering real end-to-end encryption, which does not allow them to access chats.

However, as The Register notes, there is one catch:

Don’t go thinking the preview means Zoom has squared away security, because the company says: ‘To use it, customers must enable E2EE meetings at the account level and opt-in to E2EE on a per-meeting basis’… With users having to be constantly reminded to use non-rubbish passwords, not to click on phish or leak business data on personal devices, they’ll almost certainly choose E2EE every time without ever having to be prompted, right?

SSL.com’s takeaway: As daily Zoom users ourselves, we applaud improvements on its spotty record on security. However, end-to-end encryption should be a default rather than requiring opting in each time.

Popular Mobile Browsers and Safari Found Vulnerable to Address Bar Spoofing Attacks

In bad news released by cybersecurity researchers, it appears that some browser address bars are vulnerable to spoofing. Ravie Lakshmanan with The Hacker News reports that Apple Safari and mobile browsers like Opera Touch and Bolt are open to the spoofing, which leaves unsuspecting users susceptible to malware downloads and phishing attacks. Lakshmanan writes:

The issue stems from using malicious executable JavaScript code in an arbitrary website to force the browser to update the address bar while the page is still loading to another address of the attacker’s choice… (A)n attacker can set up a malicious website and lure the target into opening the link from a spoofed email or text message, thereby leading an unsuspecting recipient into downloading malware or risk getting their credentials stolen.

As of the end of October, UCWeb and Bolt had not received fixes, a fix for Opera was expected in November and Safari had addressed the issue through an update.

SSL.com’s takeaway: While not pleasant, this should be an effective reminder to update your browser! Even if our users keep up with the many browser security issues discovered each year, only regular updates will make sure you get every patch.
