May 2021 Security Roundup

Longer code signing keys, "Zero Trust" executive order, security by Russian keyboard, the end of CAPTCHAS, and Chrome extension (in)security.

Related Content

Want to keep learning?

Subscribe to SSL.com’s newsletter, stay informed and secure.

Welcome to the May edition of the SSL.com Security Roundup, in which we look back on the past month in digital security. Read on for our collection of what we found most important over the last 30 days, and stay safe online!

New Minimum RSA Key Size for Code Signing Certificates

In a bit of our own news, as of May 31, 2021, code signing and EV code signing certificates from SSL.com require a minimum RSA key size of 3072 bits. Certificates issued prior to this date are not affected by the change and will work as usual until expiration. We’ve laid it all out for you in a blog post on the topic.

Biden Executive Order Calls for ‘Zero Trust Architecture’

In an executive order signed on May 12, U.S. President Joe Biden has officially called for the federal government to adopt a “zero trust architecture.” What does this mean? Essentially, the directive attempts to get at misplaced trust in people, software and hardware that is the basis for many of the security breaches that have made everyone vulnerable to attack. As Scott Shackelford reports for Slate, the growing global threat of ransomware has hit at least 2,354 times, targeting everyone from local governments and schools to health care providers. Biden’s order asks these institutions to take a more paranoid stance and assume that danger lies around every corner—and even in the house one is aiming to protect. From the Slate report:

Trust in the context of computer networks refers to systems that allow people or other computers access with little or no verification of who they are and whether they are authorized to have access. Zero Trust is a security model that takes for granted that threats are omnipresent inside and outside networks. Zero trust instead relies on continuous verification via information from multiple sources. In doing so, this approach assumes the inevitability of a data breach. Instead of focusing exclusively on preventing breaches, zero-trust security ensures instead that damage is limited, and that the system is resilient and can quickly recover.

It’s all very sensible, and yet there are barriers to widely implementing a zero-trust model. It can be hard to implement the new model into legacy systems and, even when possible, it’s often costly. The model also runs counter to some systems that are widely used. However, the executive order—which applies only to government systems—is a step in the direction of security, and promises to make those systems safer overall. 

SSL.com’s Takeaway: Passwords alone are not secure enough anymore. In addition to techniques like time-based OTP codes, client certificates are a great way to add an authentication factor that is resistant to phishing and brute force attacks. For more information, please read Authenticating Users and IoT Devices with Mutual TLS.

‘One Weird Trick’ to Foil Russian Hackers

In a quirk of technology, Krebs on Security notes that much malware will not install on computers that have certain virtual keyboards installed, including Russian and Ukrainian ones. In a Twitter discussion, and later a blog post, the security expert explained that the vast majority of ransomware strains have a failsafe to ensure that malware does not infect its own. From the blog:

DarkSide and other Russian-language affiliate moneymaking programs have long barred their criminal associates from installing malicious software on computers in a host of Eastern European countries, including Ukraine and Russia. This prohibition dates back to the earliest days of organized cybercrime, and it is intended to minimize scrutiny and interference from local authorities.

Apparently, in Russia authorities are reluctant to initiate cybercrime investigation against Russian nationals unless a fellow countryman initiates the complaint. Such failsafes, then, are a practical way keep the heat off.

SSL.com’s takeaway: Is installing a Russian virtual keyboard on your system a security panacea? Not at all, but it won’t hurt either.

Cloudflare Wants To Do Away with Captchas

Last month saw good news for those who are tired of computers asking them to prove that they, too, are not machines. In a compellingly titled Cloudflare blog post, Thibault Meunier declares, “Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness.” The post goes on to explain that Cloudflare wants to replace ubiquitous, annoying CAPTCHAs with a new method involving hardware security keys, such as the Yubikey FIPS keys that SSL.com distributes EV code signing and document signing certificates on.

From a user perspective, a Cryptographic Attestation of Personhood works as follows:

  1. The user accesses a website protected by Cryptographic Attestation of Personhood, such as cloudflarechallenge.com.
  2. Cloudflare serves a challenge.
  3. The user clicks I am human (beta) and gets prompted for a security device.
  4. User decides to use a Hardware Security Key.
  5. The user plugs the device into their computer or taps it to their phone for wireless signature (using NFC).
  6. A cryptographic attestation is sent to Cloudflare, which allows the user in upon verification of the user presence test.

Instead of “500 years,” completing this flow takes five seconds. More importantly, this challenge protects users’ privacy since the attestation is not uniquely linked to the user’s device.

SSL.com’s takeaway: We hate CAPTCHAs too, even if “Cryptographic Attestation of Personhood” has a creepy ring to it.

Thousands of Chrome extensions are tampering with security headers

A new study has found that lots of Chrome extensions tamper with website security headers, putting users at risk. As Catalin Cimpanu reports for The Record, the extensions, which are all found in the Chrome Web Store, are not all doing it with evil intentions: 

The most commonly disabled security header was CSP, a security header that was developed to allow site owners to control what web resources a page is allowed to load inside a browser and a typical defense that can protect websites and browsers against XSS and data injection attacks.

According to the research team, in most of the cases they analyzed, the Chrome extensions disabled CSP and other security headers “to introduce additional seemingly benign functionalities on the visited webpage,” and didn’t look to be malicious in nature.

However, even if the extensions wanted to enrich a user’s experience online, the German academics argued that by tampering with security headers, all the extensions did was to expose users to attacks from other scripts and sites running inside the browser and on the web.

SSL.com’s takeaway: We understand developers’ desire to provide additional functionality to users, but think tampering with websites’ security features like this is ill advised, to say the least.

 

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.