April 2020 Security Roundup

April's roundup covers TLS 1.0 and 1.1 in Microsoft's browsers, HTTPS-only mode and client certificates in Firefox, and Zoom alternative Jitsi.

Related Content

Want to keep learning?

Subscribe to SSL.com’s newsletter, stay informed and secure.

Welcome to this April edition of SSL.com’s Security Roundup! Many of us have been cooped up inside this past month, but life online is still going strong, which means we have plenty to round up when it comes to digital security. This month we’ll be taking a look at:

Microsoft Postpones TLS 1.0 and 1.1 Deprecation

Though Microsoft had planned to disable Transport Layer Security (TLS) versions 1.0 and 1.1 sometime this spring, the company announced that “in light of current events” that plan will now be postponed to the end of the year.

While that may sound like a convenient excuse for not taking action, ghacks.net reports that a widespread pledge among browsers to disable the security protocols did, indeed, become an issue during the pandemic. They write:

Some, like Mozilla, went ahead with the change but reverted it when it became clear that some government sites still relied on these protocols. Users of Firefox could not access these sites anymore because of the disabled protocols. Mozilla re-enabled the protocols to make sure that Firefox users worldwide are able to access important sites in a time of crisis.

Right now, Microsoft plans to release a new Chromium-based Microsoft Edge version 84r in July where TLS 1.0 and 1.1 will be disabled by default. Microsoft Internet Explorer 11 and Classic Microsoft Edge will disable the protocols on September 8.

SSL.com’s takeaway: We have been warning you for some time that these protocols are outdated and insecure, and this latest wrinkle does not change that. Because there are only plans to disable them by default in browsers, not to remove them entirely, they can always be be enabled if absolutely necessary. But please only do that if it’s truly needed.

Firefox 76 Gets Optional HTTPS-Only Mode

Mozilla has announced that they will offer users an HTTPS-only mode in version 76 of the Firefox browser. According to Softpedia the feature will serve to push the few stragglers clinging to HTTP over to the secure HTTPS protocol. Once activated in the browser, HTTP sites would no longer load. Instead, the browser will attempt to upgrade the connection to HTTPS. If that’s not available, for now users will get a “Secure Connection Failed” warning that can either be heeded or ignored.

Firefox 76 will only be offering this more-secure browsing as an option right now – not as a default – so users will have to opt-in for the HTTPS-only experience.

SSL.com’s takeaway:  If you’d like to configure Firefox to use HTTPS only, we’ll be providing detailed instructions after the scheduled release date, which is currently May 5, 2020.

Client Certificates Simplified in Firefox 75

In more good news about Firefox, Mozilla announced that they will be simplifying client certificate usage in version 75 of the browser by allowing it to access the operating system certificate store on Windows and macOS. Up until this point, users of Firefox have had to work with client certificates in the browser by loading a third-party library to communicate with hardware tokens or importing certificates and private keys into the browser’s own certificate store. That isn’t the most secure way to go about things, and can cause stability issues as well.

 Now, like Chrome and other browsers, Firefox has developed its own library to interface with OS certificate storage. From the blog:

Rather than loading third-party libraries to communicate with hardware tokens, Firefox can delegate this task to the operating system. Also, instead of forcing the user to export client certificates and re-import them into their Firefox profile, Firefox can look for these certificates directly. In addition to protecting private keys, this new mechanism allows Firefox to make use of client certificates with unexportable keys… We expect this feature to be of great benefit to our enterprise users who have previously gone to great lengths to configure Firefox to work in their environment.

SSL.com’s takeaway: Client authentication certificates add an additional secure authentication factor when logging into web applications. We’re glad Mozilla is working to make the process simpler for Firefox users, and hope that Mozilla plans a similar upgrade for it’s Thunderbird email client.

Jitsi Offers an Open-Source Alternative to Zoom

Zoom made a lot of headlines last month. First, everyone jumped on Zoom to connect to work, friends and family from home while under orders to stay at home to prevent the spread of coronavirus. Then, everyone ran away when security issues arose and were worked on. Meanwhile, alternatives emerged.

Jitsi Meet from 8×8 offers an open-source option for videoconferencing that has features like password protection. And, as Wired notes, there are distinct advantages to having open source software that allows for modifications by the developer community:

The fact that anyone can modify and share Jitsi’s code means that others can build the tool into their software. WeSchool did that. So did open-source chat software service Riot, which uses Jitsi for its video chat component. Ivov says 8×8 benefits from these sorts of projects because they test how Jitsi’s code performs on different devices and in different environments. That helps the core Jitsi development team improve the software for both open-source users and paid 8×8 customers.

Right now, Jitsi only offers end-to-end encryption for their one-on-one calls, not conferences of more than two people (which require the use of a centralized server that needs to decrypt the data)/ However, they are working on expanding end-to-end encryption to those larger calls.

SSL.com’s takeaway:  SSL.com supports end-to-end encryption for video calls, and the development of secure and private open-source tools for what has become an essential service. As video conferencing has become a crucial communication tool in all of our lives, we will be watching Jitsi’s development closely.
Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.


We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.