Welcome to the October edition of the SSL.com’s Security Roundup! For this very special Halloween edition, we’ve kept our content exactly the same. After all, what’s spookier than digital security worries and faulty encryption?
US Joins Six Countries in New Call for Backdoor Encryption Access
Once again, those in power are calling for so-called “back doors” to encryption. This time, according to The Verge, the US is joining with the United Kingdom, Australia, New Zealand, Canada, India and Japan in an international statement that asks for access for law enforcement agencies. Russell Brandom writes:
The Justice Department has a long history of anti-encryption advocacy. In 2018, five of the seven participating countries expressed similar misgivings in an open memo to tech companies, although the memo resulted in little to no progress on the issue from the industry. At each turn, tech companies have insisted that any backdoor built for law enforcement would inevitably be targeted by criminals, and ultimately leave users less safe…Crucially, the seven countries would not only seek to access encrypted data in transit — such as the end-to-end encryption used by WhatsApp — but also locally stored data like the contents of a phone.
Unsurprisingly, tech companies and privacy advocates have spoken out against the statement, as well as other attempts to thwart encryption by the powers that be.
Android 11 Tightens Restrictions on CA Certificates
Tim Perry reports in Android Toolkit that Android 11, which was released on September 11, makes it “impossible for any app, debugging tool or user action to prompt to install a CA certificate, even to the untrusted-by-default user-managed certificate store. The only way to install any CA certificate now is by using a button hidden deep in the settings, on a page that apps cannot link to.”
Why does this matter? CA trust should be tightly controlled, but there are legitimate reasons for a user or developer to decide which roots a device trusts. Developers routinely install the CA of an intercepting proxy so they can inspect their own app’s HTTPS traffic during testing, and this change makes that considerably harder. (Since Android 7.0, apps targeting API 24 or later do not trust user-installed CAs at all unless they opt in through their network security configuration, so the user store mainly matters to apps that do so, such as debug builds.) Still, it is hard to call the change a loss when viewed through the lens of security: any CA certificate a user is talked into installing lets whoever holds its private key issue a certificate for any domain, which is exactly what an attacker needs to impersonate websites and decrypt TLS traffic.
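As an added example (not from the original article or from Google’s documentation), the following Android network security configuration shows the pattern a developer can use so that only debug builds trust a user-installed CA, such as the one added for a testing proxy, while release builds stay pinned to the system store. The file name res/xml/network_security_config.xml is an assumption; the elements themselves are Android’s own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed path: res/xml/network_security_config.xml -->
<network-security-config>
    <!-- Applies to every build: system roots only, no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Applied ONLY when the app is built with android:debuggable="true".
         Adds the user-installed CA store (where a developer's proxy CA lives)
         on top of the system roots. Release builds ignore this block entirely. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The configuration takes effect once the application element in AndroidManifest.xml points at it with android:networkSecurityConfig="@xml/network_security_config". The security value is in what release builds do not get: even if a CA is planted in the user store on a victim’s phone, an app built this way will not trust it.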
Zoom Says End-to-End Encryption Is Ready
It’s been a big year for Zoom, a company that first made headlines as the way many of us stayed connected during the pandemic lockdown, and then made headlines again when security weaknesses let uninvited participants connect to everyone’s meetings too. In a recent move to improve privacy and security, Zoom has announced that its implementation of end-to-end encryption is ready for a preview.
Of course, as an article by Simon Sharwood in The Register points out, Zoom claimed to offer its own brand of “end to end encryption” back in April, but at that time the company’s use of TLS and HTTPS meant that Zoom’s own servers could decrypt meeting traffic; it was encrypted only “from Zoom end point to Zoom end point.” Now Zoom has announced that it will offer real end-to-end encryption, under which Zoom itself cannot read meeting content.
However, as The Register notes, there is one catch:
Don’t go thinking the preview means Zoom has squared away security, because the company says: ‘To use it, customers must enable E2EE meetings at the account level and opt-in to E2EE on a per-meeting basis’… With users having to be constantly reminded to use non-rubbish passwords, not to click on phish or leak business data on personal devices, they’ll almost certainly choose E2EE every time without ever having to be prompted, right?

SSL.com’s takeaway: As daily Zoom users ourselves, we applaud improvements to its spotty record on security. However, end-to-end encryption should be the default rather than something that must be opted into for every meeting.
Popular Mobile Browsers and Safari Found Vulnerable to Address Bar Spoofing Attacks
Cybersecurity researchers have reported that the address bars of several browsers can be spoofed. Ravie Lakshmanan of The Hacker News reports that Apple Safari and mobile browsers such as Opera Touch and Bolt are affected, leaving unsuspecting users exposed to malware downloads and phishing attacks. Lakshmanan writes:
The issue stems from using malicious executable JavaScript code in an arbitrary website to force the browser to update the address bar while the page is still loading to another address of the attacker’s choice… (A)n attacker can set up a malicious website and lure the target into opening the link from a spoofed email or text message, thereby leading an unsuspecting recipient into downloading malware or risk getting their credentials stolen.
As of the end of October, UCWeb and Bolt had not received fixes, a fix for Opera was expected in November, and Safari had already addressed the issue in an update.
SSL.com provides a wide variety of SSL/TLS server certificates for HTTPS websites.