Here is our latest news roundup of articles about network and SSL security.
The New York Times Is Embracing HTTPS
In a blog post this week, Rajiv Pant (CTO of the NY Times) co-authored a blog post about the benefits and challenges of HTTPS.
Pant’s HTTPS benefits include better security, privacy, and improved SEO rankings. Pant also cites The Freedom of the Press Foundation’s recent article that showed only three news sites have HTTPS on by default and urged more news sites to move to HTTPS. Pant’s HTTPS challenges revolve around supporting 3rd party content, specifically advertisements, and the potential hurdles while implementing HTTPS.
Pant ends with what he says is a “call to action,” urging news sites and other sites online to enable HTTPS by default.
PayPal to Shut Down SSL 3 Support Before Holidays
PayPal has announced that they will disable support for SSL 3.0 before the holiday shopping season. In his blog post, PayPal CTO James Barrese wrote:
“PayPal will be disabling support for SSL v3 on December 3, 2014. Any merchant customer whose integration with PayPal uses SSL v3 will need to update their integration before this date to avoid an interruption in their ability to accept payments with PayPal.”
This move is in reaction to the POODLE vulnerability in the SSL 3.0 protocol that was announced last month. Barrese also stated in the blog post that PayPal recognizes this move will be challenging for some of their merchant customers, but that they have extended support as long as possible without comprimising their customer’s information.
Microsoft Considering Public-Key Pinning for Internet Explorer
In October of this year, Google security engineers submitted an Internet-Draft to the IETF that outlined public-key pinning as an extension to HTTP. This extension would protect users against Man-in-the-Middle (MITM) attacks that rely on forged certificates.
Public-key pinning helps prevent MITM attacks by binding a set of public keys issued by a Certificate Authority to a specific domain. When users visit a site that is pinned, the lock icon will appear as it normally would. However, if a user visits a site that has a root certificate that has been pinned and the certificate for that site does not match the pinned CA’s root certificate, the browser will not allow the connection.