July 2020 Security Roundup

July's Roundup covers MS Edge security, mixed content in Chrome 85, 398-day certs in Chrome and Firefox, and TLS 1.0 and 1.1 deprecation in MS Office.


Reporting live from the middle of summer, we are happy to bring you a July Roundup from the world of digital security! This month we’ll be taking a look at:


NSS Labs Gives Microsoft Edge Top Rating for Phishing and Malware Prevention

So far, Microsoft Edge has proven to be a serious competitor to more-established browsers and new updates are only strengthening its position. A report by Kate O’Flaherty in Forbes notes that it may still be the number two browser overall, but recent updates have made it second to none when it comes to security. From the Forbes article:

But a new report by NSS Labs actually saw Microsoft’s Edge beat Chrome in the security stakes. Because it uses Microsoft Defender SmartScreen, Edge was found to offer the best phishing protection compared with the other browsers tested, blocking 95.5% of phishing URLs. Google, which uses the Safe Browsing API, came second at 86.9%.

As Microsoft focused site OnMsft reports, another separate NSS Labs report shows how Edge also has better malware protection than rivals Chrome, Firefox and Opera. Microsoft Edge blocks 98.5% of malware, while second place Firefox blocks an average of 86.1%, followed by Google Chrome at 86.0%.

It is, of course, a great time to be focused on browser security as more work and operations move from the office to a decentralized work-at-home model. We will be keeping an eye on the updates that Edge continues to churn out, and watch as the browser fights to dominate the market.

SSL.com’s takeaway: We at SSL.com are big fans of competition, especially when it comes to a battle over security for users. It’s nice to see that Microsoft Edge is taking security seriously with its new, Chromium-based Edge browser.

Images To Be Auto-Upgraded to HTTPS in Chrome 85 by Summer’s End

In another step towards an across-the-board implementation of HTTPS, the next major version of Chrome will auto-upgrade images served via HTTP from HTTPS websites to the more secure protocol. In Chrome 85, which will have its stable release out on August 25, HTTPS will be the only option for images served from HTTPS websites – if that is not available, the images simply will not be displayed in Chrome.

As usual, the Chromium Blog has more details:

Chrome is now auto-upgrading images served over HTTP from HTTPS sites by rewriting URLs to HTTPS without falling back to HTTP when secure content is not available. Chrome has been auto-upgrading audio and video content since version 80.

It’s a good step forward, and a good reminder to eliminate mixed content on websites!

SSL.com’s takeaway: If you haven’t yet eliminated mixed content from your website, now is the time! And, if it wasn’t clear from this new information, make sure that all images on your HTTPS websites are available via HTTPS before August 25, if you want them to be seen by Chrome users.
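To find the references Chrome 85 will rewrite, a page can be scanned for image, audio and video URLs that still resolve to http://. The following is an added example, not code from SSL.com or Chromium; the page URL and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose loads Chrome auto-upgrades: images (85), audio/video (80).
MEDIA_TAGS = {"img", "source", "audio", "video"}


class MixedMediaFinder(HTMLParser):
    """Collect media URLs that resolve to http:// on an https:// page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in MEDIA_TAGS:
            return
        for name, value in attrs:
            if not value:
                continue
            if name in ("src", "poster"):
                candidates = [value]
            elif name == "srcset":
                # "url 1x, url 2x": take the URL token of each entry
                # (simple split; assumes URLs themselves contain no commas).
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                continue
            for url in candidates:
                # Resolve relative and scheme-relative URLs against the page.
                absolute = urljoin(self.page_url, url.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_mixed_media(page_url, html):
    finder = MixedMediaFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page (not from the article).
SAMPLE_HTML = """
<img src="http://img.example.com/logo.png">
<img src="/static/banner.jpg" srcset="//cdn.example.com/b.jpg 1x, http://cdn.example.com/b2.jpg 2x">
<video src="https://media.example.com/clip.mp4" poster="http://media.example.com/poster.jpg"></video>
"""
```

Each finding is a URL that must also be reachable over HTTPS, because Chrome will request the rewritten URL and will not fall back to HTTP.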

Chrome and Firefox follow Apple on 398-day certificates

Well, it’s official. As of September 1, all Apple software will (essentially) reject SSL/TLS certificates that are valid for more than 398 days. The industry has known this was going to happen since February, so while it’s still noteworthy, the real news is that Chrome and Firefox are officially following suit, with Mozilla prepping to switch to 398-day certificates in its browser, and confirmation in the Chromium source code that Chrome would be enforcing the same standard beginning on September 1 as well.

The Register reported on the “snubbing” of 2-year certificates in an article by Shaun Nichols about the change:

Apple reckons this policy ensures websites and apps refresh their certs once a year, thus encouraging them to use the latest cryptographic standards, and ensures stolen certs cannot be used for long-running phishing campaigns and other shenanigans as they’ll expire soon enough.

…Suffice to say, certificate sellers were irritated by the change. ‘The unilateral decision of Apple, against the results of the ballot, makes the CA/B Forum a little bit useless, from our point of view,’ sniffed Spanish cert biz Firmaprofesional.

All signs point to everyone following Apple’s lead to shorten certificate lifespans. At the moment, Microsoft has yet to make an announcement on what they will do, but it’s easy to draw conclusions that they will, given the fact that the company’s Edge browser uses Chrome as its engine.

SSL.com’s takeaway: We predicted that this would likely happen back in February, as Apple’s unilateral move to shorten certificate lifespans has forced a new industry consensus. In fact, SSL.com has already made plans to comply with Apple’s policy before the change goes into effect, so SSL.com’s customers will not be affected on any browsers that adopt the new, shorter certificate lifespan limits.
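A certificate inventory can be checked against the new limit from the validity dates alone. This is an added example, not code from SSL.com or any browser; it assumes, per Apple's announcement rather than this page, that the limit applies only to certificates issued on or after September 1, 2020, and the sample certificates are constructed.

```python
import ssl

MAX_VALIDITY_DAYS = 398
# Assumption (Apple's announcement, not stated on this page): the limit
# applies to certificates issued on or after 2020-09-01 00:00 GMT.
ENFORCEMENT_START = ssl.cert_time_to_seconds("Sep  1 00:00:00 2020 GMT")


def validity_days(cert):
    """Validity period in days for a dict shaped like SSLSocket.getpeercert()."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / 86400


def exceeds_398_day_limit(cert):
    """True if the certificate was issued under the new rule and is too long-lived."""
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    return issued >= ENFORCEMENT_START and validity_days(cert) > MAX_VALIDITY_DAYS


# Constructed samples using the notBefore/notAfter format of getpeercert().
SAMPLE_CERTS = {
    "two-year, issued before cutoff": {
        "notBefore": "Aug  1 00:00:00 2020 GMT",
        "notAfter": "Aug  1 00:00:00 2022 GMT",
    },
    "two-year, issued after cutoff": {
        "notBefore": "Sep 15 00:00:00 2020 GMT",
        "notAfter": "Sep 15 00:00:00 2022 GMT",
    },
    "397-day, issued after cutoff": {
        "notBefore": "Sep 15 00:00:00 2020 GMT",
        "notAfter": "Oct 17 00:00:00 2021 GMT",
    },
}


def audit(certs):
    """Map each certificate label to whether it exceeds the limit."""
    return {label: exceeds_398_day_limit(cert) for label, cert in certs.items()}


if __name__ == "__main__":
    for label, too_long in audit(SAMPLE_CERTS).items():
        print(f"{label}: {'REJECTED' if too_long else 'ok'}")
```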

Microsoft Enforces Deprecation of TLS 1.0 and 1.1 for Office 365

After a pandemic-related delay, Microsoft will officially begin enforcing deprecation of the TLS 1.0 and 1.1 protocols – which are well-known to be insecure – in Office 365. The protocols were actually deprecated as of October 31, 2018. And, according to Microsoft, the enforcement has been reset and should be up and running on October 15, 2020.

Honestly, this won’t impact too many users as the Office client is able to use TLS 1.2 if supported by the local computer. However, it might be worth noting that TLS 1.2 is not available on Windows 7 without the KB 3140245 update. Those looking for a technical overview of the change can head over to the Microsoft Blog, which explains it all.

SSL.com’s takeaway: As noted above, most users will not be affected by this change as all modern operating systems support TLS 1.2. Windows 7 users can make sure that the required update has been applied on their systems, but they should strongly consider upgrading to Windows 10, as support for Windows 7 (including security patches) ended back on January 14, 2020.
