When SSL made political capital
Not only have two widespread SSL/TLS issues been fixed, but the standard has even made it into politics...
While Google and other web companies actively push a general move towards HTTPS, the standard isn’t always trouble free, as several recent events demonstrate...
GoDaddy led the charge, admitting that a bug had caused the domain validation process to fail for some customers, which forced the company to revoke 9,000 SSL certificates. GoDaddy's general manager of security products, Wayne Thayer, said that if affected customers don't replace their certificates, visitors to their sites may see error messages and warnings presented by their browser.
“Due to a software bug that GoDaddy inadvertently introduced during a routine code change intended to improve our certificate issuance process, the domain validation process for a small percentage of our recently issued certificates failed. In accordance with industry standards as a Certificate Authority, the potentially impacted certificates were revoked as a precautionary measure (effective 9 p.m. (PST) January 10). The software bug that created the issue has been remedied. We continue to closely monitor the system,” Thayer said in a blog post.
It’s thought the issue impacted two per cent of GoDaddy customers, and the company pointed out that it has successfully issued 10 million certificates over the last 13 years. The company is fixing the issue for free and offers a free SSL checker for anyone unsure whether they have been affected.
Meanwhile, Kaspersky has patched a critical vulnerability involving an SSL certificate validation bug in the company's AV offering.
The bug was discovered by Google Project Zero researcher Tavis Ormandy, and could allow an attacker to mount man-in-the-middle attacks by brute-forcing a collision between a valid certificate and a malicious certificate. The issue was caused by Kaspersky tracking active SSL and TLS certificates locally by generating a key from the first 32 bits of an MD5 hash of each certificate. This means an attacker can defeat SSL certificate validation by replacing a valid certificate with a malicious one whose MD5 hash begins with the same 32 bits as the valid certificate's.
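To make the flaw concrete, here is an added example (not Kaspersky's code; the certificate bytes are a constructed stand-in for a DER-encoded certificate) that models a trust cache keyed on the first 32 bits of MD5 next to one keyed on the full SHA-256 fingerprint that also compares the stored certificate bytes, together with an estimate of the brute-force effort each key size leaves an attacker.

```python
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate; real code would use
# the X.509 certificate bytes exactly as received from the peer.
VALID_CERT = b"CONSTRUCTED-DER:CN=example.com:serial=1"


def truncated_md5_key(cert_der: bytes) -> bytes:
    """The flawed pattern: only the first 32 bits of MD5 identify a certificate."""
    return hashlib.md5(cert_der).digest()[:4]


class TruncatedKeyCache:
    """Models the vulnerable design: a hit is decided by the 4-byte key alone,
    so any certificate whose MD5 starts with the same 32 bits is 'trusted'."""
    def __init__(self) -> None:
        self._trusted: set[bytes] = set()

    def mark_trusted(self, cert_der: bytes) -> None:
        self._trusted.add(truncated_md5_key(cert_der))

    def is_trusted(self, cert_der: bytes) -> bool:
        return truncated_md5_key(cert_der) in self._trusted


class FullMatchCache:
    """Hardened design: key on the full SHA-256 fingerprint and, on a hit,
    confirm the stored certificate bytes are identical to the presented ones,
    so even a fingerprint collision cannot substitute a different certificate."""
    def __init__(self) -> None:
        self._trusted: dict[bytes, bytes] = {}

    def mark_trusted(self, cert_der: bytes) -> None:
        self._trusted[hashlib.sha256(cert_der).digest()] = cert_der

    def is_trusted(self, cert_der: bytes) -> bool:
        stored = self._trusted.get(hashlib.sha256(cert_der).digest())
        return stored is not None and hmac.compare_digest(stored, cert_der)


def second_preimage_work(key_bits: int) -> int:
    """Expected hash evaluations to find a different input with the same
    key_bits-bit key by brute force: 2**key_bits. 32 bits is trivially small."""
    return 2 ** key_bits


def cached_entry_hit_probability(entries: int, key_bits: int) -> float:
    """Upper bound on the chance that one arbitrary certificate's key matches
    any of `entries` cached keys (union bound): entries / 2**key_bits."""
    return min(1.0, entries / 2 ** key_bits)
```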
Back across the pond, the announcement that long-time Trump supporter and former New York mayor Rudy Giuliani was to be given a key position came as little surprise, but the fact that he has been handed the task of ‘overseeing cybersecurity’ was less obvious. However, what rapidly did become obvious was that his corporate site, www.giulianisecurity.com (which has now been taken down), wasn’t quite up to the job.
Outdated Joomla and expired SSL certificates do not add up to a very secure site, as much of the media was quick to point out. The slip comes after a report found that the White House-imposed deadline (31 December 2016) for federal agencies to transition their websites to HTTPS has been missed by 31 per cent of the approximately 1,200 .gov domains owned by US agencies.
Ilia Kolochenko, CEO of High-Tech Bridge, said: “Although SSL encryption does not prevent common attacks against web applications, such as SQL injections, it can reliably protect against data interception attacks, such as MITM (man in the middle). If sensitive information is not properly encrypted via HTTPS protocols, it's a paradise for attackers who can easily intercept all data, including passwords to accounts on governmental websites.
Three out of 10 agencies seems a sad, but predictable, number, as in the government sector especially, changes require time to be accepted, approved and implemented. In the past, we could rely on the arguments of SSL incompatibility with older mobile devices and browsers to postpone HTTPS implementation.
However, today almost every device supports modern encryption protocols and cipher suites. Encryption also used to be a resource-consuming process, but with modern hardware, this problem does not exist anymore. I'd not call missing HTTPS negligence, but rather carelessness.”