This Week in SSL – Heartbleed Aftermath, Cert Revocation, HTTPS and Hosting Providers

Here is a roundup of interesting news articles published this week on the topic of SSL and network security.

A Tale of Heartbleed

Danny Bradbury of Infosecurity Magazine looks at the aftermath of the Heartbleed Bug in this informative story. He raises a number of concerns, including the fact that over 200,000 popular websites remain vulnerable to the bug. Another point raised is the fact that since the exploit targets organizations there is only so much end users can do to protect themselves. The NSA reportedly always operates under the assumption that their network has been compromised and conducts themselves with that mindset, a useful technique for corporations as well.

U.S. Banks Breached In Cyberattack: What Bankers Should Do To Stay Protected

Kevin Haley writes in ForbesBrandVoice about the recent cyberattacks on at least five U.S. banks, resulting in the loss of gigabytes of stolen data. He presents a list of recommendations on how organizations can better secure their online businesses.

  1. Protect your customer’s entire website visit by deploying SSL on all your web pages.
  2. Implement security precautions on all mobile devices including strong authentication.
  3. Use encryption for data in transit and at rest (SSL does not encrypt stored data).
  4. Protect physical and virtual data centers with host-based intrusion detection and prevention solutions.
  5. Be sure to get your digital certificates from an established, trustworthy Certification Authority who demonstrates excellent security practices.
  6. Deploy endpoint protection software and gateway antivirus and regularly scan for vulnerabilities.
  7. Monitor the threat landscape and your infrastructure for network intrusions, propagation attempts and other suspicious traffic patterns.
  8. Educate users about security policies and information use.

Revoke Certificates When You Need To — the Right Way

InfoWorld’s Roger A. Grimes discusses the importance of timely SSL Certificate revocation. He examines the process and some of the common mistakes that can be made. A key point he addresses is what to do with personal digital certificates once a user is terminated. His advice is to revoke any certificates that are no longer needed. Even without valid user accounts the former employee could still conduct denial-of-service attacks, network problems, broadcast storms, and eavesdrop. He also mentions the merits of using OCSP.

Android Security Is Under Fire–Again

Sean Michael Kerner of eWeek reports on the continued concerns over security weaknesses in the Android platform. Reportedly, “FireEye researchers found that approximately 68 percent of the 1,000 most downloaded free applications available in the Google Play store have some form of SSL-related security risk.” The recent issues focus not Android mobile operating system, but rather the third-party apps that do a poor job authenticating SSL Certificates. Failure to properly implement SSL security places users in danger of a Man-In-the-Middle (MITM) attack from a user that intercepts or corrupts the data passing to or from a mobile device. He concludes by stating, “Reduce such risk by not downloading apps from outside of the Google Play store. While it is possible that apps in Google Play could be at risk, Google has its own scanning effort to help identify malicious apps that should reduce the potential exposure.”

What Google’s HTTPS Algorithm Means for Hosting Providers

TheWhir explores Google’s recent announcement about “HTTP everywhere” and how it will potentially impact Internet hosting providers. How important is it that Google is now giving search preference to sites that implement HTTPS across their sites? Representatives from four different providers are asked for their take on this change. Daniel Foster, Technical Director for 34SP.com states, “”The hundreds of signals that Google uses to determine the relevance of a site to a search query are a mystery to all but a few inside the Googleplex. Any webmaster would give their eye teeth to know just a few of those signals, so for the big G to reveal one is almost unprecedented. Google must really care about widespread adoption of HTTPS across the internet. It makes sense to encrypt information where that encryption is easily available, and adding one little ‘s’ to a URL is about as easy as it comes. This could well be one of those examples of Google doing something simply for the improvement of the Internet as a whole.”

Posted in News, Security, SSL, SSL In the NewsTagged , , , ,