Here’s a quick rundown of the most interesting articles across the Internet this week on the topic of SSL and network security.
This week Firefox put out a “point release” to address some security issues, according to Paul Ducklin of nakedsecurity.com. Of the three fixes, one relates to SSL security: namely, a fix to when the mixed content icon is displayed in place of the lock icon. As Ducklin explains, “A web page that mixes insecure and secure content is not necessarily putting your personally identifiable information (PII) at risk, as long as your PII only travels in the secure parts of the web traffic. The thing is, in mixed-content web pages, how can you be sure which data travels with encryption, and which without? By default, Firefox simply omits any unencrypted sub-components (e.g. images) embedded in an HTTPS page, but it’s still better to avoid mixed content altogether.” Ducklin goes on to say that this fix leaves users better informed about whether a particular webpage is safe for them to trust and interact with.
This article appearing on firstlook.org details recently discovered information about an NSA project known as “Treasure Map”. Written by Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach, Michael Sontheimer, and Christian Grothoff, the article discusses how Treasure Map seeks to map the entirety of the global Internet, identifying every single device and access point connected to the web. One of the Snowden documents purports to explain the goal of the project: to create an “interactive map of the global internet…(in)…almost real time.” The article compares Treasure Map to a “Google Map” of the Internet. Of special concern to international telecom firms is the role that their networks may unwittingly play in the collection of this data, with the Snowden document claiming that several of them have already been infiltrated by U.S. intelligence agencies.
Global Voices Advocacy’s Netizen Report details trends and news regarding Internet rights in countries around the world. It discusses a recent decision by the Turkish government to grant the Telecommunications Directorate absolute power over Internet content. The report explains that Turkey has recently been embroiled in controversy over leaked voice recordings revealing alleged corruption among government officials including President Erdogan. The government blocked Twitter and YouTube in response. The block on the sites was lifted by the Turkish Constitutional Court, but may now be reevaluated in light of the new amendment.
Jon Gold of Network World reviews the various Android vulnerabilities that have been revealed over the course of this year. He states, “It has been a summer of discontent for the Android security community, as a host of vulnerabilities large and small has arisen to plague the world’s most popular mobile OS. The revelation this week of a cross-site scripting flaw in the default browser installed on large numbers of pre-version 4.4 Android devices is merely the latest entry in a list that makes for unsettling reading.” The list of issues he goes on to mention includes: Blackphone credential hijack, Major Android apps fail at basic security, Koler ransomware snags porn seekers, Heartbleed, FakeID, The worms, and TowelRoot.
Josephine Wolff of Slate’s Future Tense section explores in this piece the legal implications of the recent iCloud hacks. She points out that while companies typically seem legally liable for financial fraud that results from hacker activities, the question is whether they are also responsible for lax security measures that result in the theft or dissemination of personal photos. And if so, what are the real damages? A new class-action lawsuit filed by American model Joy Corrigan against Apple is going to explore this very issue. Wolff says, “…identifying the specific harm suffered by the victims of the iCloud breach is only part of what makes Corrigan’s suit interesting and important. The other part comes back to the issue of blame and who is (legally) responsible for doing what in the context of online security.”