This Week in SSL – Apple Cloud, Common Ecommerce Mistakes, and Google’s Aggressive SHA-2 Stance

Here is a compilation of some of the more interesting news articles this week on the topic of SSL Certificates and Internet security.

CERT/CC Enumerates Android App SSL Validation Failures

At threatpost.com, Michael Mimoso takes a look at work being done by researcher Will Dormann at the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University. Dormann is cataloging the Android applications that fail to perform SSL certificate validation over HTTPS in this spreadsheet and has already found over 350. As mentioned in a news article last week, these vulnerable applications are found in both the Google Play and Amazon Stores. “No one can determine intent as to whether the apps are intentionally malicious,” Dormann said. “It would be my assumption that it’s a mistake the author made while developing the app.” Dormann expects the list to continue to grow as more apps are tested.

Blame Apple

David Auerbach of Slate writes a passionate article about the recent celebrity nude photo hack, presenting “five reasons why celebrities and civilians should never trust Apple with nude photos, or any data at all.” The reasons he lists are:

  1. The vulnerability is Security 101 stuff
  2. The vulnerability was publicly known since May
  3. Apple defaults users into the cloud
  4. Apple does not encourage two-factor authentication
  5. Two-factor authentication wouldn’t have worked anyway

Auerbach goes on to say that, “These are all problems Apple has known about for months, if not years, and did nothing to stop. Apple’s two-factor is still fundamentally broken, so even today Apple is still misrepresenting the security it can offer to its users.”

11 Common Ecommerce Mistakes — and How to Fix Them

In CIO magazine, Jennifer Lonoff Schiff investigates 11 of the most common ecommerce mistakes — and how to avoid or fix them. Schiff interviewed numerous ecommerce experts to compile the list. It goes as follows:

  • Mistake No. 1: Choosing the wrong ecommerce shopping cart.
  • Mistake No. 2: Not making sure your site is secure.
  • Mistake No. 3: Unintuitive or cumbersome site navigation.
  • Mistake No. 4: Bad or no search capability.
  • Mistake No. 5: Poor images/photography.
  • Mistake No. 6: Using stock product descriptions.
  • Mistake No. 7: Having a confusing or lengthy checkout process.
  • Mistake No. 8: Having only one shipping option and/or carrier.
  • Mistake No. 9: Not having a mobile or mobile optimized version of your ecommerce site.
  • Mistake No. 10: Not making content easily shareable on social media, especially on Pinterest.
  • Mistake No. 11: Making it hard to contact you, the seller.

Mistake No. 2 was provided by DigiCert’s VP of Operations, Flavio Martins. Flavio is quoted as saying, “Studies show that up to 25 percent of users have actually stopped an online purchase because of website security concerns. Yet, too many ecommerce sites, especially smaller ones, fall short of having clear trust indicators that users can trust and know that their information is secure and protected by HTTPS. A digital certificate provides authenticity of your website and an encrypted connection to protect sensitive data — and you can get one quickly and within budget.” It also “communicates to customers that your site is trusted and information is secure.”

Google’s Plan for Chrome Worries Certificate Authority Vendors

This article, by Ellen Messmer of Network World, talks about Google’s recent decision to deprecate SHA-1 certificates later this year. Messmer reports that “Certificate authority vendors are calling Google’s plan overly aggressive in its timeframe, and say it’s likely to cause mass confusion right as the holiday shopping season commences.” Depending on the expiration date for the certificate in question, this fall Chrome will begin displaying special visual indicators that show the website to be insecure by Google’s standards. Members of the CA/Browser Forum and the CA Security Council are concerned about the potentially dramatic impact this will have on ecommerce, based on the fact that a large percentage of Internet users are on Chrome. “The certificate-authority industry has generally backed the timeline to migrate to SHA-2 announced by Microsoft last year, which calls for deprecation of SHA-1 in code signing certificates by Jan. 1, 2016 and in SSL certificates by Jan. 1, 2017. The certificate authorities would prefer that Google stick with the timeframe set by Microsoft to avoid confusion to website operators and web users.”