Beware the looming Google Chrome HTTPS certificate apocalypse!

Well, melee. Dust-up? Minor inconvenience? But it's coming!!

Tens of thousands of websites are going to find themselves labeled as unsafe unless they switch out their HTTPS certificate in the next two months.

Thanks to a decision in September by Google to stop trusting Symantec-issued SSL/TLS certs, from mid-April Chrome browser users visiting websites using a certificate from the security biz issued before June 1, 2016 or after December 1, 2017 will be warned that their connection is not private and someone may be trying to steal their information. They will have to click past the warning to get to the website.

This will also affect certs that use Symantec as their root of trust even if they were issued by an intermediate organization. For example, certificates handed out by Thawte, GeoTrust, and RapidSSL that rely on Symantec will be hit by Google's crackdown. If in doubt, check your cert's root certificate authority to see if it's Symantec or not.

The change will come in build 66 of Chrome – due for public release on April 17 – and the problem will get even bigger on October 23 when build 70 is released and all Symantec certificates will be listed as not being trustworthy.

Of course, not everyone uses Chrome and not everyone will instantly upgrade to the latest version, but it's safe to say that it will become a very big headache very quickly for those sites that haven't obtained new HTTPS certs from other authorities.

The question is: how big a headache? Early beta testers of the Chrome build have been warning that they keep coming across websites with untrusted certificates and seeing the danger message. Fortunately, one person has gone to the trouble of running a script to figure out quite how ugly it's going to get.

Security engineer Arkadiy Tetelman, who works at Airbnb according to his blog, decided to run a test in which he grabbed the certificate information from the one million biggest websites on the internet, in terms of traffic as rated by Alexa, and tested to see if they would break.

The script took 11 hours to run and turned up some very interesting results: of the one million websites, just 11,510 are going to go TITSUP in April, with 91,627 on the chopping block in October.

When businesses collide

It's still a large number and there are some big names there – car company Tesla.com, water filter company Brita.com, Australia's energy regulator at aer.gov.au, and, well, 11,507 others. It's not Y2K – these outfits can buy certs from other authorities or get free ones – but it's safe to say that there are going to be a lot of unhappy people come April if action isn't taken. And then even more unhappy people a few months later.

Fortunately, Mr Tetelman has uploaded a plain text list, so if you are a sysadmin or webmaster, we would strongly recommend doing a search to make sure you're not on it. Or, of course, be even smarter and move all your sites away from Symantec certificates.
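For sysadmins who would rather check their own hosts than grep a list, here is a small checker written for this article; it is not the article's code and not Mr Tetelman's scan script. It uses only the Python standard library, applies the distrust schedule exactly as stated above (Chrome 66 for Symantec-rooted certs issued before June 1, 2016 or after December 1, 2017; Chrome 70 for all of them), and matches the leaf certificate's issuer organization against the brands the article names (Symantec, Thawte, GeoTrust, RapidSSL). That brand matching, and the function and host names, are assumptions of the example: `getpeercert()` exposes only the leaf, so the issuer seen is the intermediate CA, and a full walk to the root would need an extra library.

```python
"""Added example: classify a site's TLS certificate by the Chrome 66 / Chrome 70
Symantec distrust schedule described in the article. Standard library only."""
from __future__ import annotations

import socket
import ssl
import sys
from datetime import datetime, timezone

# Cut-off dates stated in the article for the first (Chrome 66, 17 April 2018) wave.
ISSUED_OK_START = datetime(2016, 6, 1, tzinfo=timezone.utc)
ISSUED_OK_END = datetime(2017, 12, 1, tzinfo=timezone.utc)

# Brands the article names as chaining to the Symantec roots. Matching the
# issuer's organizationName against them is an assumption of this example.
SYMANTEC_BRANDS = ("symantec", "thawte", "geotrust", "rapidssl")


def parse_not_before(openssl_time: str) -> datetime:
    """Convert the 'Jun  1 00:00:00 2016 GMT' form that getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(openssl_time), tz=timezone.utc)


def classify(issuer_org: str, not_before: datetime) -> str:
    """Return 'ok', 'chrome66' or 'chrome70' for one leaf certificate.

    chrome66: Symantec-rooted and issued before 1 June 2016 or after
              1 December 2017, so warned on from Chrome 66.
    chrome70: Symantec-rooted but issued inside that window, so only hit
              when Chrome 70 (23 October 2018) distrusts everything.
    """
    if not any(brand in issuer_org.lower() for brand in SYMANTEC_BRANDS):
        return "ok"
    if not_before < ISSUED_OK_START or not_before > ISSUED_OK_END:
        return "chrome66"
    return "chrome70"


def fetch_leaf(host: str, port: int = 443, timeout: float = 5.0) -> tuple[str, datetime]:
    """Open a verified TLS connection and return (issuer org, notBefore) of the leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    # 'issuer' is a tuple of RDNs, each itself a tuple of (name, value) pairs.
    issuer = {name: value for rdn in cert["issuer"] for name, value in rdn}
    return issuer.get("organizationName", ""), parse_not_before(cert["notBefore"])


def scan(hosts: list[str]) -> list[tuple[str, str]]:
    """Classify each host; unreachable or unverifiable hosts are reported as 'error'."""
    results = []
    for host in hosts:
        try:
            org, not_before = fetch_leaf(host)
            results.append((host, classify(org, not_before)))
        except (OSError, ssl.SSLError, KeyError):
            results.append((host, "error"))
    return results


def summarize(results: list[tuple[str, str]]) -> dict[str, int]:
    """Count hosts per verdict, mirroring the article's April/October split."""
    counts = {"ok": 0, "chrome66": 0, "chrome70": 0, "error": 0}
    for _host, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python check_symantec.py example.com other.example.net
    found = scan(sys.argv[1:])
    for host, verdict in found:
        print(f"{host:40s} {verdict}")
    print(summarize(found))
```

A verdict of `chrome66` means the site breaks on April 17; `chrome70` buys it until October 23; either way the fix is the same as the article's advice, a replacement cert from another authority. The boundary dates themselves count as inside the safe window, which is the most lenient reading of the text; if your own cert sits on a boundary, treat it as suspect.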

All this doesn't address the slightly troubling fact that Google has basically put an entire company's certificate-issuing operation out of business by declaring that it would no longer accept Symantec certificates. That's a scary amount of power to have.

But on the other hand, it wouldn't be doing it if Symantec hadn't repeatedly screwed up and undermined trust in its own product by wrongly issuing SSL/TLS certs, including, unfortunately, the one for google.com. Not a smart move.

If you are an organization that exists purely to ensure that people can trust you, then you should expect some fallout if it turns out you can't be trusted. Symantec wasn't very happy, of course, and used a whole range of angry words in a blog post about it: words like irresponsible, exaggerated, and misleading.

It claims only 127 certificates were wrongly issued, not the 30,000 previously claimed. But here we are. A few months after its blog post and with Google refusing to budge, Symantec threw in the towel and sold off its certificate business to DigiCert.

Don't say you haven't been warned.

By the way, if it's the morning of Tuesday, April 17, and you are frantically skimming this article in between furious email alerts about your site being down, and your phone keeps ringing, focus here: IT'S YOUR HTTPS CERTIFICATE! YOU NEED TO CHANGE IT. RIGHT NOW. ®

PS: Mozilla's Firefox will also distrust Symantec-issued certs from version 60 onwards, due out in May this year.

Cisco warns of security holes in its security appliances

Bugs potentially useful for rogue insiders, admin account hijackers

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

Makers of ad blockers and browser privacy extensions fear the end is near

Overhaul of Chrome add-ons set for January, Google says it's for all our own good

Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

The anticipated result will be fewer extensions and less innovation, according to several extension developers.

Contractor loses entire Japanese city's personal data in USB fail

Also, Chrome add-ons are great for fingerprinting, and hacked hot tubs splurge details

In brief A Japanese contractor working in the city of Amagasaki, near Osaka, reportedly mislaid a USB drive containing personal data on the metropolis's 460,000 residents.

Google battles bots, puts Workspace admins on alert

No security alert fatigue here

Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

What to do about inherent security flaws in critical infrastructure?

Industrial systems' security got 99 problems and CVEs are one. Or more

The latest security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure.

But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

"Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

Zero Trust: What does it actually mean – and why would you want it?

'Narrow and specific access rights after authentication' wasn't catchy enough

Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.

In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.

Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.

OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw

Though severity up for debate, and limited chips affected, broken tests hold back previous patch from distribution

The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).

OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).

But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.

TikTok: Yes, some staff in China can access US data

We thought you guys were into this whole information hoarding thing

TikTok, owned by Chinese outfit ByteDance, last month said it was making an effort to minimize the amount of data from US users that gets transferred outside of America, following reports that company engineers in the Middle Kingdom had access to US customer data.

"100 percent of US user traffic is being routed to Oracle Cloud Infrastructure," TikTok said in a June 17, 2022 post, while acknowledging that customer information still got backed up to its data center in Singapore. The biz promised to delete US users' private data from its own servers and to "fully pivot to Oracle cloud servers located in the US."

That pivot has not yet been completed. According to a June 30, 2022 letter [PDF] from TikTok CEO Shou Zi Chew, obtained by the New York Times on Friday, some China-based employees with sufficient security clearance can still access data from US TikTok users, including public videos and comments.

Jenkins warns of security holes in these 25 plugins

Relax, most of the vulnerabilities so far have, er, no fix

Jenkins, an open-source automation server for continuous integration and delivery (CI/CD), has published 34 security advisories covering 25 plugins used to extend the software.

Eleven of the advisories are rated high severity, 14 are medium, and 9 are said to be low.

The vulnerabilities described include: cross-site scripting (XSS); passwords, API keys, secrets, and tokens stored in plaintext; cross-site request forgery (CSRF); and missing and incorrect permission checks.

Ex-Uber security chief accused of hushing database breach must face fraud charges

Company execs and their lawyers are paying close attention to this one

A US judge yesterday threw out an attempt to dismiss wire fraud charges against a former Uber employee accused of trying to cover up a computer crime.

Former Uber security chief Joseph Sullivan is set to face criminal charges after US District Judge William Orrick yesterday [PDF] rejected his claim that prosecutors did not "adequately" allege that the goal of the claimed misrepresentation of the security breach was to get Uber's drivers to stay with the platform and continue paying service fees.

In December last year, a federal grand jury handed down a superseding indictment adding wire fraud to the list of charges pending against Sullivan for his role in the alleged attempted cover-up of the 2016 security breach at Uber. The incident led to around 57 million user and driver records being stolen.

More than $100m in cryptocurrency stolen from blockchain biz

'A humbling and unfortunate reminder' that monsters lurk under bridges

Blockchain venture Harmony offers bridge services for transferring crypto coins across different blockchains, but something has gone badly wrong.

The Horizon Ethereum Bridge, one of the firm's ostensibly secure bridges, was compromised on Thursday, resulting in the loss of 85,867 ETH tokens optimistically worth more than $100 million, the organization said via Twitter.

"Our secure bridges offer cross-chain transfers with Ethereum, Binance and three other chains," the cryptocurrency entity explained on its website. Not so, it seems.

CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure

Nearly 60 holes found affecting 'more than 30,000' machines worldwide

Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.
