RIP HPKP: Google abandons public key pinning

No home in Chrome
Google is abandoning a next-generation web crypto technology it initially championed.

HTTP Public Key Pinning (HPKP) is a standard that allows a host to instruct browsers to only accept certain public keys when communicating with it for a given period of time. While HPKP can offer a lot of protection, the technology was open to potential abuse by hackers or accidental lockout if sysadmins misapplied it, as previously reported on The Register.

In a blog post last week, Google's Chris Palmer announced plans to deprecate HPKP support by Chrome from May next year – when Chrome 67 is slated to be released to Stable – before removing it entirely at some as yet unspecified date.

Google introduced HPKP support in Chrome around two years ago, in September 2015. Edge and Safari have never supported HPKP, and the removal of support by other browser makers is not expected to cause any major upheaval.

"There is no compatibility risk; no website will stop working as a result of the removal of static or dynamic PKP," according to Palmer, who goes on to suggest possible alternatives to HPKP. "To defend against certificate misissuance, web developers should use the Expect-CT header, including its reporting function. Expect-CT is safer than HPKP due to the flexibility it gives site operators to recover from any configuration errors, and due to the built-in support offered by a number of CAs."
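To make the mechanics behind the two headers concrete, here is an added Python example (not code from the article, Google, or any browser). It computes an RFC 7469 pin from a SubjectPublicKeyInfo blob, parses a Public-Key-Pins header while checking the deployment rules that made HPKP so easy to get wrong (mandatory max-age, at least one backup pin), decides whether a served chain would satisfy the policy, and parses the Expect-CT header Palmer recommends instead. The byte strings standing in for DER SPKI structures, the key names and the report URI are constructed placeholders, not real keys or endpoints.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class HpkpPolicy:
    pins: List[str]
    max_age: int
    include_subdomains: bool = False
    report_uri: Optional[str] = None


def build_hpkp_header(pins, max_age, report_uri=None) -> str:
    """Serialise a Public-Key-Pins header (directives are ';'-separated)."""
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


def parse_hpkp(header: str) -> HpkpPolicy:
    """Parse Public-Key-Pins and enforce the RFC 7469 deployment rules that make
    a mistake so costly: max-age is mandatory and at least two pins must be
    present, the second being the backup pin for a key not yet in use."""
    pins, max_age, include_subdomains, report_uri = [], None, False, None
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = value
    if max_age is None:
        raise ValueError("Public-Key-Pins requires max-age")
    if len(pins) < 2:
        raise ValueError("Public-Key-Pins requires a backup pin")
    return HpkpPolicy(pins, max_age, include_subdomains, report_uri)


def chain_accepted(policy: HpkpPolicy, chain_spki_ders) -> bool:
    """A pinning browser accepts the connection only if at least one pinned
    SPKI hash appears somewhere in the served certificate chain."""
    served = {spki_pin(d) for d in chain_spki_ders}
    return any(p in served for p in policy.pins)


def parse_expect_ct(header: str):
    """Parse Expect-CT (RFC 9163): ','-separated, with an optional 'enforce' flag.
    Without 'enforce' the browser only reports, which is the recovery path
    HPKP lacked."""
    max_age, enforce, report_uri = None, False, None
    for directive in header.split(","):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            max_age = int(value)
        elif name == "enforce":
            enforce = True
        elif name == "report-uri":
            report_uri = value
    return {"max_age": max_age, "enforce": enforce, "report_uri": report_uri}


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
KEY_A = b"constructed-spki-current-leaf-key"
KEY_B = b"constructed-spki-offline-backup-key"
KEY_C = b"constructed-spki-unplanned-new-key"
INTERMEDIATE = b"constructed-spki-intermediate-ca"


def rotation_outcomes():
    """Walk through the lockout scenario: a planned move to the pinned backup
    key works, an unplanned move to a fresh key locks returning visitors out
    until max-age (60 days here) has elapsed."""
    header = build_hpkp_header([spki_pin(KEY_A), spki_pin(KEY_B)], 5184000)
    policy = parse_hpkp(header)
    return {
        "current": chain_accepted(policy, [KEY_A, INTERMEDIATE]),
        "planned_rotation": chain_accepted(policy, [KEY_B, INTERMEDIATE]),
        "unplanned_rotation": chain_accepted(policy, [KEY_C, INTERMEDIATE]),
        "lockout_seconds": policy.max_age,
    }


if __name__ == "__main__":
    print(rotation_outcomes())
    print(parse_expect_ct('max-age=86400, enforce, report-uri="https://report.example/ct"'))
```

The `unplanned_rotation` result is the failure mode the article refers to: once a browser has cached the pins, nothing the operator does on the server can shorten the lockout, which is why Expect-CT's report-only mode and the CA-side support Palmer mentions were judged the safer trade-off.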

Security researchers including Scott Helme previously criticised the technology as too cumbersome for mainstream use, even among security-conscious organisations. Ivan Ristic of SSL Labs argued that HPKP was not an inherently bad idea but was problematic because it lacked a recovery mechanism.

“Two HPKP disappointments. First, that a half-baked standard got deployed to production. Second, [the] decision to kill it, rather than fix it,” Ristic said in reaction to Google’s decision. ®
