Attention webmasters: Google Chrome will soon distrust Symantec-issued SSL certificates

Beginning with the Chrome 66 beta on March 15, 2018, Google Chrome will start distrusting SSL/TLS certificates issued from Symantec’s legacy PKI.

What is happening and why?

On January 19, 2017, a public posting to the mozilla.dev.security.policy newsgroup drew attention to a series of questionable website authentication certificates issued by Symantec Corporation’s PKI. Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements.

During the subsequent investigation, it was revealed that Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.

This incident, while distinct from a previous incident in 2015, was part of a continuing pattern of issues over the past several years that has caused the Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure, and concomitantly, the certificates that have been or will be issued from it. As a result, the Google Chrome team has announced that they will be distrusting SSL certificates issued by Symantec, and Mozilla has announced that they will be following suit.

In order to restore trust in future Symantec-branded SSL certificates, DigiCert has acquired Symantec’s website security (SSL) business. Certificates issued on or after December 1, 2017 come from DigiCert’s own infrastructure (the “managed partner infrastructure” Google required as a condition of continued trust) and are trusted by Google Chrome, even where the old brand names such as GeoTrust or RapidSSL still appear in the issuer.

Google is currently planning to distrust Symantec SSL Certificates in two main phases – upon the release of Chrome 66, and upon the release of Chrome 70. 

How could this affect me?

If your website is serving a certificate that Chrome has distrusted, visitors will get a full-page certificate error (Chrome reports it as NET::ERR_CERT_SYMANTEC_LEGACY) instead of your site when they load it in Chrome.  Since Google Chrome accounts for roughly half or more of the browser market, a large proportion of your site’s visitors would be affected.

How to check if your site is using an impacted certificate?

The easiest way to determine if your site is impacted is to load it in a current version of Google Chrome (63 or later) and use the developer tools:

  • Press F12 to open the developer tools.
  • In the “Console” tab you will see a warning if the certificate used for the page, or for any resource the page loads from another host, will be distrusted by a future Chrome release. Check every hostname that appears in such warnings, not just your main domain, since a CDN, API or image host with its own Symantec certificate breaks your pages just as surely.

What should I do if I am using an impacted certificate?

  • Impacted certificates issued before June 1, 2016 will need to be reissued before Chrome 66 beta (March 15, 2018), or at the latest before Chrome 66 stable (April 17, 2018).
  • All remaining impacted certificates issued before December 1, 2017 will need to be reissued before Chrome 70 beta (September 13, 2018), or at the latest before the Chrome 70 stable release (October 23, 2018).

What matters is the certificate’s issuance date (its “Valid from” or “Not Before” field), not the date you paid for it or the date you installed it.

Your certificate may expire before the Chrome release that distrusts it, in which case you don’t need to do anything now: the replacement you receive at renewal will be issued after December 1, 2017 and will be trusted.

If your current certificate will be distrusted by Chrome before you would normally renew it, then you will need to have that certificate reissued. Fortunately, there is usually no cost to reissue a certificate.

To check when your SSL certificate was issued and when it expires, you can use the Google Chrome developer tools:

  • Press F12 to open the developer tools.
  • Navigate to the “Security” tab.
  • Click “View certificate.” From there, you should be able to see the “Issued On” (Not Before) and “Expires On” (Not After) dates.

Remember that a reissued certificate has to be installed everywhere the old one was deployed: every web server, load balancer, CDN configuration and mail or API endpoint that serves the same name.
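For a server-side check that does not depend on the browser, the same decision can be made from the certificate’s issuer and validity dates as printed by openssl. The script below is an added example and is not part of the original post; the brand-name filter, the result labels and the sample issuer strings are this example’s own assumptions, and the beta-release dates are used as the cutoff so that the result is conservative.

```sh
#!/bin/sh
# Added example (not from the original post): classify a site certificate
# against Chrome's two Symantec distrust milestones using the fields that
# `openssl x509 -noout -issuer -startdate -enddate` prints.
# The brand-name filter and the result labels are this example's own
# conventions, not Chrome's.

M66_CUTOFF=20160601   # issued before this: distrusted in Chrome 66
M70_CUTOFF=20171201   # issued before this (and on legacy roots): Chrome 70
M66_BETA=20180315     # conservative dates: beta users see the error first
M70_BETA=20180913

# Convert an OpenSSL date ("Mar  3 00:00:00 2016 GMT") to YYYYMMDD so that
# it can be compared as an integer.
iso_from_openssl_date() {
    set -- $1                       # split: Month Day Time Year Zone
    case "$1" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo "unrecognised month: $1" >&2; return 1;;
    esac
    printf '%s%s%02d\n' "$4" "$m" "$2"
}

# classify_cert ISSUER NOTBEFORE [NOTAFTER]
# Prints one of: not-symantec, trusted, distrust-m66, distrust-m70, or
# expires-before-distrust (NOTAFTER given and earlier than the beta that
# would distrust the certificate, so normal renewal covers it).
classify_cert() {
    case "$1" in
        *Symantec*|*VeriSign*|*[Tt]hawte*|*GeoTrust*|*RapidSSL*|*Equifax*) ;;
        *) echo not-symantec; return 0;;
    esac
    issued=$(iso_from_openssl_date "$2") || return 1
    if [ "$issued" -ge "$M70_CUTOFF" ]; then
        # Issued from DigiCert's infrastructure on or after Dec 1, 2017:
        # trusted even though a legacy brand name survives in the issuer.
        echo trusted; return 0
    fi
    if [ "$issued" -lt "$M66_CUTOFF" ]; then
        milestone=distrust-m66; deadline=$M66_BETA
    else
        milestone=distrust-m70; deadline=$M70_BETA
    fi
    if [ -n "$3" ]; then
        expires=$(iso_from_openssl_date "$3") || return 1
        if [ "$expires" -lt "$deadline" ]; then
            echo expires-before-distrust; return 0
        fi
    fi
    echo "$milestone"
}

# Live check of one host (needs network; not used by the samples below).
check_host() {
    out=$(printf '' | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
          | openssl x509 -noout -issuer -startdate -enddate) || return 1
    iss=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p')
    nb=$(printf '%s\n' "$out" | sed -n 's/^notBefore=//p')
    na=$(printf '%s\n' "$out" | sed -n 's/^notAfter=//p')
    classify_cert "$iss" "$nb" "$na"
}

# Constructed sample inputs (issuer strings made up for illustration):
classify_cert "C = US, O = Symantec Corporation, CN = Symantec Class 3 Secure Server CA - G4" \
              "Mar  3 00:00:00 2016 GMT" "Mar  3 23:59:59 2019 GMT"
classify_cert "C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA" \
              "Jul 10 00:00:00 2017 GMT" "Sep 10 23:59:59 2018 GMT"
```

The issuer-name filter is only a pre-screen: Chrome’s actual rule keys on whether the chain ends at one of the legacy Symantec roots, which is why the issuance date, not the brand name, decides the outcome here. Run check_host on every hostname your pages load resources from, not only the main site.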

Nepal earthquake email scam

US-CERT recently warned users of potential email scams citing the earthquake in Nepal. The scam emails may contain links or attachments that direct users to phishing or malware-infected websites. Phishing emails and websites requesting donations for fraudulent charitable organizations commonly appear after natural disasters of this kind.

Users are encouraged to take the following measures to protect themselves:

  • Do not follow unsolicited web links or attachments in email messages.
  • Maintain up-to-date antivirus software.
  • Review the Federal Trade Commission’s Charity Checklist.
  • Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.
  • Refer to the Security Tip (ST04-014) on Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

How to recover from a CryptoLocker attack

CryptoLocker is a trojan which targets computers running Microsoft Windows. It may come in several forms, often disguised as a legitimate email attachment. Or, it may be uploaded to a computer already recruited to a botnet during a previous trojan infection.

When activated, CryptoLocker encrypts files (e.g., photos and those with Microsoft Office, OpenDocument, and AutoCAD file extensions) using RSA public-key cryptography, with the matching private key stored only on CryptoLocker’s control servers. This renders the files inaccessible to the user.

Continue reading


The eBay data breach: How to protect your account

In the aftermath of a recent breach that infiltrated a database containing user IDs, passwords, and other personal information, eBay has sent an email to customers urging them to change their passwords.

So far, there is no evidence of any fraudulent activity, and credit card numbers are encrypted and stored in a separate database. Nevertheless, if you are an eBay user you should take action immediately to safeguard your account.

Continue reading


The Heartbleed bug explained

I have received a lot of requests from people outside of the IT field to explain the Heartbleed bug in easy-to-understand terms. Rather than attempt to reinvent the wheel, I have published below (with some editing for clarity) what is probably the best attempt at this that I have read so far. It was written by Stack Exchange user SPRBRN.

###

The Bank Employee and the Customer

The main characters in this story

  • The bank: A Web server
  • The bank employee: The OpenSSL service for the Web server
  • The bank customer: A bot fetching all information it can get from that server

You, the bank customer, call the bank to request a new bank account. Somehow you and the bank make sure that you are who you say you are, and that the bank is actually the bank. This is the TLS process that secures the connection between you and the bank.

Continue reading


Staying safe online, Part II: Malware

As we learned in the first installment of this series, there are several attack vectors that spammers can use to compromise your system via email. Similarly, there are many types of computer programs that can infect your system via Web sites, social networks, software downloads, USB and optical drives, and peer-to-peer networks.

These programs include viruses, Trojans, worms, spyware, adware, and keyloggers. Collectively, these nefarious programs are called malware. Malware is software that compromises the operation of a system by performing an unauthorized function or process.

With so many different malware threats, how can you protect your system? Here is a list of seven things you can do right now to harden your defenses against the most common threats:

Continue reading


Staying safe online, Part I: Spam

The Internet, computers, and mobile devices have become omnipresent fixtures in our everyday lives. This makes it easy to check email, connect with an old friend or colleague, confirm your checking account balance, or look up a recipe for tonight’s dinner from almost anywhere.

Unfortunately, all of this wonderful connectivity and functionality have come at a price. Because we’re connected to the Internet almost all of the time, it’s appallingly easy for anonymous strangers with malicious intent to wreak havoc on our lives using little more than a laptop and the free Wi-Fi connection at a corner cafe.

Over the course of the next few articles I will discuss some of the most pervasive threats endemic to the Internet and what you can do to protect yourself from them.

Continue reading


Happy birthday, I’ve stolen your identity!

On the way home last night, our family stopped at a local ice cream parlor for dessert. While paying for our order, I noticed a clipboard and pen next to the cash register. On the clipboard was a form that invited customers to join the parlor’s Birthday Club to get a free dessert each year on their birthday. In order to join, all you had to do was fill-in a line on the form with your first and last name, mailing address, email address, and date of birth.

Almost two dozen people had already completed one of the lines on the form, and all of their information was plainly visible to anyone near the cash register.

Continue reading
