Are we Secure?
Over the course of the year, I will be running a mini blog series on perceived securities and insecurities.
Happy new year by the way. Its still early days.
First off, I will like to start off on the myth of HTTP(S) being secure.
HTTPS (SSL/TLS) or Secure HTTP is a means of sending encrypted information over a network (internet) and like anything to so with encryption, the idea is to make it more difficult to decrypt than it is worthwhile to do so, and here lies the inherent weakness. For anybody that has time and the tools to do so, it sure might be worthwhile.
Now, sending sensitive information over a network in an encrypted format saves your information from prying eyes, that attempt to decrypt your information as it travels. Usually termed; Man-In-The-Middle attacks. Nothing is said of your information as it sits on your terminal or a it sits on the server to which you are connected to, thats beside the point.
The issue here is that , for HTTPS to work, a Certificate Authority (CA), authenticates the server to which you are connected to, to prove that , the server is truly “who” it says it is, your browser understands this, and thus allows sensitive data to pass encrypted to and fro between you and the authenticated server. Decrypting at both ends and encrypting as it travels.
So, if for instance, a person gains access to any of the 600+ CA’s and compromises any of the certificates they sign/authorise, all websites that use those are in turn compromised. Surprisingly this happens on a regular basis. A government could also order a CA to generate a malicious certificate, especially if said government wants to spy on a particular organisation and voila.
Furthermore, even if implemented properly, there are a lot of ways to break https (SSL/TLS) today. As currently implemented, these protocols may be good enough to withstand attacks from a person with limited time and financial motivation.
I will like to leave this image here, in addition to the above information, leave your thoughts in the comments section below.
Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program
Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
Recommendation: Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information.
And just for laughs, look what an organisation that speaks on app security has on their site. :