Companies May Now Prepare for Shorter TLS Certificate Lifespans


Google put forth a proposal on March 3 to substantially reduce the Transport Layer Security (TLS) digital certificate's validity period from 398 days to 90 days. Apparently, this will lead to a lot of changes in how businesses manage their certificates, especially when it comes to automated processes.

The proposal made by the open-source organization that created the Google Chrome browser and Chrome OS, which is outlined in a road map titled "Moving Forward, Together," is a step forward toward assuring more dependable, resilient Web operations. However, it will require organizations to transform their certification processes.

Current State of Digital Certificates

Over the past years, digital certificates' lifespan has decreased drastically, from five years in 2012 to just over two years in 2018 to 13 months, or 398 days, in July 2020. Particularly in a cloud-based computing environment where websites and services are continuously spun up and down to accommodate shifting needs and priorities, shorter lifespans assist in assuring the legitimacy of digital identities.

According to Google, the proposed changes will speed up the adoption of new features, such as best practices and additional security capabilities, and encourage businesses to abandon manual methods, which are error-prone. The resulting automation would better prepare businesses for the onset of post-quantum cryptography.

A Wake-up Call for Certificate Monitoring

The Chromium Projects' proposal to the CA/Browser Forum, a grouping of certification authorities (CAs), browser manufacturers, and others, would most likely go into force by the end of 2024 if it were to be accepted. The likelihood of a significantly shorter lifespan should act as a wake-up call for organizations, even though the changes are not final. The suggestion is unmistakable evidence that the rules of the game have changed, so organizations need more control and visibility over their public keys and certificates.

Years ago, teams could obtain a certificate for something like a Web server and then essentially forget about it because certificates had a five-year lifespan. They never established a system for determining when certificates needed to be renewed or checked to see if they were about to expire, which might result in disruptions connected to certificates. Teams were eventually able to establish a routine and check for certificate expirations regularly thanks to the eventual reduction of certificate life to 398 days.

The visibility of TLS (also known as Secure Sockets Layer or SSL) certificates is crucial as businesses grow in the cloud. Additionally, teams need help managing the layered, increasingly complicated environments on the cloud. With the new validity period under consideration, the focus is now on automating the procedure.

The complete impact of the Chromium Projects' proposal is yet to be defined. A few issues appear to be unresolved, such as whether it would apply to Internet of Things devices (security cameras, for instance, also require certificates) or whether it is restricted to Web servers.

Regardless of the outcome of the plan, it captures the realities of the current environment. While a shorter certificate lifespan is beneficial, businesses will need to reconsider how they will manage them effectively.  
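The monitoring routine described above can be sketched as follows. This is an added example, not code from Google's proposal or any vendor: it audits certificates against the 398-day and 90-day limits quoted in the article. The hostnames and dates are constructed, and the renew-at-one-third-remaining threshold is an assumption.

```python
import ssl
from datetime import datetime, timezone

CURRENT_MAX_DAYS = 398   # limit in force since July 2020 (from the article)
PROPOSED_MAX_DAYS = 90   # limit in Google's proposal (from the article)
RENEW_FRACTION = 1 / 3   # assumption: renew once a third of the lifetime remains

def _ts(cert_time):
    """Parse a getpeercert()-style time string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def audit(cert, now):
    """Return lifetime, remaining days and policy status for one certificate."""
    not_before, not_after = _ts(cert["notBefore"]), _ts(cert["notAfter"])
    lifetime = (not_after - not_before).days
    remaining = (not_after - now).days
    if remaining < 0:
        action = "expired"
    elif remaining <= lifetime * RENEW_FRACTION:
        action = "renew"
    else:
        action = "ok"
    return {
        "lifetime_days": lifetime,
        "remaining_days": remaining,
        "within_current_limit": lifetime <= CURRENT_MAX_DAYS,
        "within_proposed_limit": lifetime <= PROPOSED_MAX_DAYS,
        "action": action,
    }

# Constructed inventory, in the shape returned by ssl.SSLSocket.getpeercert().
INVENTORY = {
    "www.example.com": {"notBefore": "Jan  1 00:00:00 2023 GMT", "notAfter": "Feb  3 00:00:00 2024 GMT"},
    "api.example.com": {"notBefore": "Mar  1 00:00:00 2023 GMT", "notAfter": "May 30 00:00:00 2023 GMT"},
    "old.example.com": {"notBefore": "Jan  1 00:00:00 2022 GMT", "notAfter": "Feb  1 00:00:00 2023 GMT"},
}

def report(now):
    """Audit every certificate in the inventory at the given point in time."""
    return {host: audit(cert, now) for host, cert in INVENTORY.items()}

if __name__ == "__main__":
    for host, row in report(datetime(2023, 5, 1, tzinfo=timezone.utc)).items():
        print(host, row)
```

A 398-day certificate passes today's limit but fails the proposed one, and under a 90-day lifetime the renewal window opens only about 30 days before expiry, which is why a manual calendar reminder stops being workable.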

To Mimic Microsoft, Phishing Employs Azure Static Web Pages

 

Microsoft Azure's Static Web Apps service is being exploited by phishing attacks to acquire Microsoft, Office 365, Outlook, and OneDrive passwords. Azure Static Web Apps is a Microsoft tool that allows developers to build and deploy full-stack web apps to Azure from code hosted on GitHub or Azure DevOps.

MalwareHunterTeam, a security expert, uncovered the campaign. Attackers might imitate custom branding and website hosting services to install static landing phishing sites, according to the study. Users of Microsoft, Office 365, Outlook, and OneDrive services are being targeted by attackers who are actively mimicking Microsoft services.

Several of the web pages and login pages in these phishing attempts are nearly identical to official Microsoft pages. Azure Static Web Apps is a program that uses a code repository to build and publish full-stack apps to Azure. 

Azure Static Web Apps has a workflow that is tailored to a developer's everyday routine: apps are built and deployed based on code changes. When users create an Azure Static Web Apps resource, Azure works exclusively with GitHub or Azure DevOps to watch a branch of their choice. A build runs automatically, and the app and API are published to Azure, every time they push commits or accept pull requests into the watched branch.

Targeting Microsoft users through the Azure Static Web Apps service is an effective strategy for attackers. Because of the *.1.azurestaticapps.net wildcard TLS certificate, each landing page gets its own secure padlock in the address bar. After seeing a certificate issued by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, even the most skeptical targets will be fooled, since in the eyes of potential victims it certifies a fraudulent site as an official Microsoft login screen.

Due to the artificial veil of security supplied by the legitimate Microsoft TLS certs, such landing sites are also useful when targeting users of other platforms, such as Rackspace, AOL, Yahoo, or other email providers. 

When trying to figure out whether one is being targeted by a phishing attack, the typical advice is to double-check the URL whenever a login page asks for account credentials. Unfortunately, phishing campaigns that abuse Azure Static Web Apps render this advice nearly useless, since many users will be fooled by the azurestaticapps.net subdomain and the genuine TLS certificate.
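Since the padlock and the Microsoft-issued certificate say nothing about who authored a page on this service, the check has to be made on the hostname itself. The following is an added example, not part of the original post or of any Microsoft tooling: it classifies URLs from constructed proxy log lines and queues requests to tenant-hosted content for review. The list of expected sign-in hosts and the log layout are assumptions.

```python
from urllib.parse import urlsplit

# Suffix named in the article: tenants publish their own content under it, so the
# Microsoft-issued wildcard certificate says nothing about who wrote the page.
TENANT_HOSTING_SUFFIXES = ("azurestaticapps.net",)
# Assumption: the sign-in hosts this organisation expects its users to reach.
EXPECTED_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

def under_suffix(host, suffix):
    """True only on a DNS label boundary, so 'notazurestaticapps.net' does not match."""
    return host == suffix or host.endswith("." + suffix)

def classify(url):
    """Classify a URL by who controls the content behind its hostname."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return "not-https"
    if host in EXPECTED_SIGNIN_HOSTS:
        return "expected-signin"
    if any(under_suffix(host, s) for s in TENANT_HOSTING_SUFFIXES):
        return "tenant-hosted"
    return "other"

# Constructed proxy log lines: timestamp, user, method, URL, status.
SAMPLE_LOG = """\
2022-04-01T09:12:03Z alice GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize 200
2022-04-01T09:14:47Z bob GET https://placeholder-site.1.azurestaticapps.net/ 200
2022-04-01T09:15:02Z bob GET https://www.example.org/news 200
2022-04-01T09:20:11Z carol GET https://docs.notazurestaticapps.net/ 200
2022-04-01T09:31:40Z carol GET https://Another-Placeholder.1.AzureStaticApps.net./signin 200
"""

def review_queue(log_text):
    """Return (timestamp, user, host) for each request to tenant-hosted content."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guessing at their layout
        ts, user, _method, url, _status = fields
        if classify(url) == "tenant-hosted":
            hits.append((ts, user, urlsplit(url).hostname.rstrip(".").lower()))
    return hits

if __name__ == "__main__":
    for hit in review_queue(SAMPLE_LOG):
        print(hit)
```

Legitimate applications also live under this suffix, so the output is a review queue rather than a block list.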

Half of Sites Still Using Legacy Crypto Keys

 

While the internet is generally growing more secure, slightly more than half of websites' cryptographic keys are still generated using legacy encryption algorithms, according to new research.

Security firm Venafi enlisted the assistance of renowned researcher Scott Helme to examine the world's top one million websites over the last 18 months. The TLS Crawler Report demonstrated some progress in a few areas. 

Nearly three-quarters of websites (72 per cent) now actively redirect traffic to HTTPS, a 15 per cent increase since March 2020. Even better, more than half of the HTTPS sites evaluated are using TLSv1.3, the most recent version of TLS. It has now surpassed TLSv1.2 as the most widely used protocol version. 

Furthermore, nearly one in five of the top one million websites now use the more secure HSTS (HTTP Strict Transport Security), which increased 44 per cent since March 2020. Even better, in the last six years of monitoring, the number of top one million sites using EV certificates has dropped to its lowest level ever. These are known for their slow, manual approval processes, which cause end users too much discomfort. 

Let's Encrypt, on the other hand, is now the most popular Certificate Authority for TLS certificates, with 28 per cent of sites using it. There is, however, still more to be done. 

According to the report, approximately 51% of sites still produce authentication keys using legacy RSA encryption techniques. These, along with TLS, help to verify and secure connections between physical, virtual, and IoT devices, APIs, applications, and clusters. 

ECDSA, a public key cryptography encryption technique with increased computational complexity and smaller authorization keys, is a far more secure alternative to RSA. As per Venafi, the smaller keys require less bandwidth to establish an SSL/TLS connection, making them perfect for mobile apps and for IoT and embedded device support.

Helme explained, “I would have expected that the rise in adoption of TLSv1.3 usage would have driven the ECDSA numbers up much more. One of the main reasons to keep RSA around for authentication is legacy clients that don't support ECDSA yet, but that seems at odds with the huge rise in TLSv1.3 which isn't supported by legacy clients. We also continue to see the use of RSA 3072 and RSA 4096 in numbers that are concerning.”

“If you're using larger RSA keys for security reasons then you should absolutely be on ECDSA already which is a stronger key algorithm and offers better performance. My gut feeling here is that there's a lot of legacy stuff out there or site operators just haven't realized the advantages of switching over to ECDSA.”

NSA: Risks Linked with Wildcard TLS Certificates and ALPACA Techniques

 

The National Security Agency issued a technical alert cautioning businesses against using wildcard TLS certificates and the new ALPACA TLS attack. 

The NSA advised companies to follow the technical recommendations in its alert and safeguard servers against situations in which attackers may obtain access and decrypt encrypted online traffic. 

While several scenarios and techniques might aid attackers in decrypting TLS-encrypted data, the NSA specifically called out the use of wildcard TLS certificates, which many researchers have also warned against in the past.

A wildcard certificate is a digital TLS certificate obtained by a company from a certificate authority that allows the owner to apply it to a domain and all of its subdomains simultaneously (*.example.com). Companies have used wildcard certificates for years because they are less expensive and easier to administer, so administrators apply the same certificate to all servers instead of having to manage several certificates. 

The NSA stated, “A malicious cyber actor who gains control of the private key associated with a wildcard certificate will provide them the ability to impersonate any of the sites represented, and gain access to valid user credentials and protected information.” 

The agency is now advising administrators of both public and private networks to evaluate the necessity for a wildcard certificate inside their networks and prepare to install individual certificates to isolate and restrict potential breaches. 
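To evaluate wildcard usage as the NSA advises, it helps to list which names each certificate can authenticate and which of them every server holding the private key could impersonate. This is an added example, not taken from the NSA alert: the inventory, certificate IDs and server names are constructed, and the matcher follows the usual rule that `*` covers exactly one left-most label.

```python
def san_matches(pattern, hostname):
    """Left-most-label wildcard match, as TLS clients commonly apply it."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*' covers exactly one label, never 'a.b.example.com'
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

# Constructed inventory: certificate -> SAN entries and servers holding its private key.
CERTS = {
    "cert-A": {"sans": ["*.example.com"], "key_on": ["web01", "mail01", "ftp01"]},
    "cert-B": {"sans": ["pay.example.com"], "key_on": ["pay01"]},
}
# Constructed inventory: hostname -> server that legitimately serves it.
HOSTS = {
    "www.example.com": "web01",
    "mail.example.com": "mail01",
    "ftp.example.com": "ftp01",
    "pay.example.com": "pay01",
    "dev.api.example.com": "api01",
}

def exposure(certs, hosts):
    """For each certificate: the names it covers and the names exposed per key holder."""
    result = {}
    for cert_id, cert in certs.items():
        covered = sorted(h for h in hosts if any(san_matches(s, h) for s in cert["sans"]))
        # A server holding the key can authenticate as every covered name,
        # including the ones it does not itself serve.
        impersonable = {
            srv: sorted(h for h in covered if hosts[h] != srv) for srv in cert["key_on"]
        }
        result[cert_id] = {
            "wildcard": any(s.startswith("*.") for s in cert["sans"]),
            "covered": covered,
            "impersonable_if_compromised": impersonable,
        }
    return result

if __name__ == "__main__":
    for cert_id, row in exposure(CERTS, HOSTS).items():
        print(cert_id, row)
```

In the constructed inventory the wildcard key on `ftp01` is also valid for `pay.example.com`, even though the payment site has its own individual certificate; the individual certificate on `pay01` exposes nothing beyond its own name.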

About ALPACA attack 

Furthermore, the NSA's alert warns about the new Application Layer Protocol Content Confusion Attack (ALPACA), which was revealed earlier this summer and is likewise made possible by the use of wildcard certificates.

The problem was not taken seriously when it was revealed in June because carrying out an ALPACA attack needed threat actors to be able to intercept web traffic, which is challenging in some circumstances. 

However, the research team that identified the attack stated that over 119,000 web servers were exposed to ALPACA attacks, which is a significant number. Four months later, the NSA is encouraging companies to take the matter seriously, determine whether their servers are susceptible, and reduce the risk, particularly if the organizations deal with sensitive information or are connected to the US government network.

On October 7, the NSA stated, “NSA recommends NSS, DoD, and DIB administrators ensure their organization’s wildcard certificate usage does not create unmitigated risks, making their web servers vulnerable to ALPACA techniques.”