Bulletproof TLS Newsletter #24
Firefox and Chrome start warning about insecure login forms
31 January 2017
Author: Hanno Böck

This issue was distributed to 33,759 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Firefox and Chrome start warning about insecure login forms
  2. Illegit certificates from GoDaddy, Symantec and more
  3. Short news

Firefox and Chrome start warning about insecure login forms

Two major browser vendors have started to warn about forms that are served over insecure connections but are intended to collect sensitive data. If a page delivered over unprotected HTTP contains a form with a password field, the latest Firefox version 51 shows a lock icon with a red stroke through it, and Chrome 56 displays “Not secure” in front of the URL.

This addresses a relatively common misconfiguration that stems from a misunderstanding of HTTPS. If a form is delivered over HTTP and its contents are submitted over HTTPS, the submitted data is usually transmitted securely. However, an attacker who can modify the unprotected HTTP page can manipulate the form and force the data to be sent to a location he or she controls. Such attacks are known as SSL stripping.

Quite a few notable sites have been caught by this issue, for example the German ISP Vodafone, the free software code hosting site Savannah (which the author of this newsletter pointed out a while ago), the airline Qantas and many more.

Illegit certificates from GoDaddy, Symantec and more

Two major incidents in which certificate authorities issued illegitimate certificates were made public this month.

GoDaddy announced that 8850 certificates had been issued without proper validation of the domain owner. The cause was a bug introduced in June 2016 and discovered in early January 2017.

Andrew Ayer discovered via the Certificate Transparency logs that Symantec had apparently issued several test certificates for domains whose owners had not requested them. The certificates were issued for domains such as example.com, test.com and similar names. Symantec explained that these certificates were issued by a partner, the Korean Electronic Certification Authority. Symantec had already had an incident in 2015, in which it issued unauthorized test certificates for several domains, including google.com.

Following this incident, further similar test certificates issued by GlobalSign and Verizon were discovered.
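Both of the discoveries above came from people looking at Certificate Transparency data for names they care about. The following is an added example, not code from the newsletter or from any CA: it screens a set of CT records for certificates that name a domain you control (or any name beneath it, wildcards included) and were issued by a CA you did not authorize. The record layout and the entries are constructed; public CT search tools return comparable fields (an entry id, the issuer name and the certificate's DNS names).

```python
"""Screen Certificate Transparency records for certificates that name domains you
control but were issued by a CA you never authorized. Added example, not from the
newsletter; record layout and sample entries are constructed."""


def covers_monitored_domain(san_name, monitored_domains):
    """True if a certificate DNS name equals a monitored domain or lies below it.

    A wildcard such as '*.example.com' is treated as covering example.com's
    namespace, so it is flagged even though it never matches 'example.com' itself.
    Case and trailing dots are normalised as DNS comparisons require.
    """
    name = san_name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    for dom in monitored_domains:
        dom = dom.lower().rstrip(".")
        if name == dom or name.endswith("." + dom):
            return True
    return False


def find_unexpected_issuances(records, monitored_domains, authorized_issuers):
    """Return CT records that name a monitored domain but come from an unauthorized issuer.

    records: iterable of {"id": str, "issuer": str, "names": [str, ...]}
    """
    findings = []
    for rec in records:
        hits = [n for n in rec["names"] if covers_monitored_domain(n, monitored_domains)]
        if hits and rec["issuer"] not in authorized_issuers:
            findings.append({"id": rec["id"], "issuer": rec["issuer"], "names": hits})
    return findings


# Constructed records in the spirit of the incidents above: one expected issuance,
# a "test certificate" from a partner CA for a name we own, an unrelated domain
# that merely ends in a similar string, and a wildcard from an unknown CA.
SAMPLE_RECORDS = [
    {"id": "ct-1", "issuer": "Example Corp Internal CA", "names": ["www.example.com"]},
    {"id": "ct-2", "issuer": "Partner Test CA", "names": ["example.com", "test.com"]},
    {"id": "ct-3", "issuer": "Partner Test CA", "names": ["notexample.com"]},
    {"id": "ct-4", "issuer": "Unknown Public CA", "names": ["*.example.com"]},
]

if __name__ == "__main__":
    hits = find_unexpected_issuances(SAMPLE_RECORDS, ["example.com"],
                                     {"Example Corp Internal CA"})
    for f in hits:
        print(f"{f['id']}: {f['issuer']} issued a certificate for {', '.join(f['names'])}")
```

The authorized-issuer set should be whatever CAs your own procurement records say you use; anything else naming your domains is worth a ticket, even a harmless-looking test certificate, because that is exactly the class of issuance the Symantec, GlobalSign and Verizon findings were about.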

Short news