31 January 2017
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.
Two major browser vendors have started to warn about forms which are transmitted over insecure connections and intended to transmit sensitive data. If a web page that is transmitted via unprotected HTTP contains a form with a password field, then the latest Firefox version 51 will show a lock with a red stroke and Chrome 56 will display “Not secure” in front of the URL.
This tackles a situation that is relatively common which happens because of misunderstanding of HTTPS. If a form is transmitted via HTTP and the data from the form is sent through HTTPS, then usually the data is transmitted securely. However, an attacker can manipulate the form and force the data to be sent to a location he or she controls. Such attacks are known as SSL Stripping.
Quite a few notable sites have been caught by this issue, for example the German ISP Vodafone, the free software code hosting site Savannah (which the author of this Newsletter pointed out a while ago), the airline Quantas and many more.
Two major incidents where certificate authorities issued illegit certificates were made public this month.
GoDaddy announced that 8850 certificates were issued without proper validation of the domain owner. This was due to a bug that got introduced in June 2016 and was discovered in early January 2017.
Andrew Ayer discovered via the Certificate Transparency logs that Symantec had apparently issued several test certificates for domains whose owners hadn’t requested them. The certificates were issued for domains like example.com, test.com and similar domains. Symantec explained that these certificates were issued by a partner - the Korean Electronic Certification Authority. Symantec had already had an incident in 2015, where they issued unauthorized test certificates for several domains, including google.com.
Following this incident, further similar test certificates issued by GlobalSign and Verizon were discovered.
This subscription is just for the newsletter; we won't send you anything else.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof TLS and PKI, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 2,000 students who have benefited from more than a decade of deep TLS and PKI expertise.