The Checklist 175: Certified Good for a Limited Time
On this week’s Checklist, we’ll talk about Apple’s moves to improve web security. We’ll look at what Google is doing to make downloads safer. And last but not least, we’ll give you a quick intro to data breach prevention.
- Putting a shorter time-frame on website certificates
- Chrome fights dangerous downloads
- A data breach primer
Keeping security fresh
Later this year, Apple’s Safari web browser will stop accepting long-life HTTPS certificates, which are defined as certificates that expire more than 13 months from their date of creation.
HTTPS certificates are used to create an encrypted connection between a user’s web browser and the website’s server. This is done in such a way that the certificate is tied cryptographically to the website owner. In the past, HTTPS was used mainly by secure payment services and other highly sensitive sites, but it has now become the standard for all websites.
Certificates are issued by trusted companies like Verisign or Let’s Encrypt, and extra security is added by requiring verified names and email addresses as part of the issuing process. While it used to be the case that you could purchase an HTTPS certificate that would last for years, that all comes to an end this year thanks to Apple.
But why is Apple forcing everyone to use “fresh” HTTPS certs? The main reason is risk reduction: If all HTTPS certificates have been created within the past year, it means that developers will necessarily be using the most up-to-date encryption standards. If hackers find a way to break current encryption techniques, then the damage will be limited, because all websites would be required to migrate to a new certificate within the year anyway. The move also prevents bad actors from finding older, unused HTTPS certificates and stealing them for malicious use.
So what’s this mean for people who aren’t web developers or website owners? Starting soon, if you try to visit a site that uses an HTTPS certificate with an unacceptably long expiration date, Safari will display alerts and privacy errors warning you that the site is not safe. Of course, no one wants their site visitors to see such warnings, so it’s almost certain that everyone is going to move to certificates with shorter lifespans in order to avoid this.
From the point of view of the general public, this is a definite win for security and privacy. Website owners and developers might be a little less enthusiastic, though, since this new standard means that they’ll have to update their HTTPS certificates more frequently: yet another thing to remember! However, it should be noted that the companies which issue these certificates have automatic renewal options to make life easier for developers and, in addition, Apple won’t enforce the policy for certificates issued before the September 1 compliance deadline.
Safer downloads from Google
Like Apple, Google is doing its part to use HTTPS to make the web a little more secure. Starting in April, newer versions of the Google Chrome browser will warn users when they’re trying to download files from non-HTTPS sources.
Initially, Chrome will just warn users about the kinds of files that carry the highest risk of being used in a malware attack — for example, those executable files that end with a .exe extension. But over time, the warnings will expand to encompass more file types: text, image, archive, and so forth. And by the end of 2020, the world’s most popular web browser will simply block insecure downloads altogether: If it’s served over HTTP, Chrome won’t download it.
All in all, this is another big win for end users. Website owners and developers may face some minor inconveniences, but in all honesty, not nearly enough to justify the continued use of an insecure standard. Building an HTTPS site as opposed to an HTTP site is as simple as getting a certificate. Other than that, the actual work of web development is identical — so at this point, there’s really no excuse for anyone to be stuck on HTTP.
As the web moves toward a universal HTTPS standard, does that mean that it’s going to be safe to visit and download from every website? Not quite…
These changes definitely make the web a safer place — for example, bad actors looking to set up a malicious site will now need to obtain an HTTPS certificate, which means using personal information that could be used to tie them to their crimes. But while this may make things more complicated for hackers, it’s unlikely to deter them altogether. Just look at the case of the malicious apps that have made their way into the App Store: Many of these are code signed with valid Apple Developer IDs, which were either obtained fraudulently or stolen from other developers! So in short, celebrate the changes that Apple and Google are bringing to the web — but keep your wits about you.
Finding security in an insecure world
Another week, another data breach — at least that’s how it seems to be going in 2020.
Victims run the gamut from everyday folks to celebrities like Justin Bieber, from community organization platforms to the US Department of Defense. One thing is clear: It can happen to anyone!
With that in mind, we’d like to share some tips to help you keep yourself safe from the effects of data breaches. While we hope you won’t get caught up in one, everyone who goes online is potentially at risk — so take these steps to mitigate the damage before a breach happens.
Practice good password security
Yes, we say it every week. But that’s because this is such a foundation of personal security that it deserves pride of place in any list of best practices. So say it with us: Create strong, unique passwords for every single site. Never reuse passwords across sites. Never share your passwords with anyone else. And make your life easier by getting a password manager to do all of this for you!
Watch your credit
Data breaches often result in identity theft. Unfortunately, most people only find out that their identity has been stolen after the damage is done — and it can take a lot of time and effort to report fraudulent charges and restore your credit score. That’s why it’s a good idea to keep an eye on what’s happening with your credit. See if your bank or card company offers a free credit monitoring service that you can use, and make sure you’re set up to receive alerts. Otherwise, consider using the services of a third-party company like Credit Karma to help you stay on top of things. And if you see strange new accounts opening up, shut them down immediately!
Use Sign in with Apple
If you’re using a new app or service, it can be hard to know whether or not the developers are doing what they need to be doing behind the scenes to keep your data safe. Sign in with Apple offers a way for people to sign up for a new account without giving away large amounts of potentially sensitive (and leakable) personal information. There’s even an option to create an anonymous email address for interacting with the developers if you don’t want to provide your main email address.
Change passwords for breached sites
If you hear about a data breach for a site that you use, make sure you go and change your password right away. Again, make sure this is a strong password that you don’t use on any other sites. Good password managers have features that will automatically generate very strong passwords with the click of a button, which makes it easy to change passwords after a data breach — yet another good reason to use one of these wonderful tools!
Use Have I Been Pwned
There’s a free data breach aggregation service called Have I Been Pwned that can help you see if you have an account that has been involved in a data breach. Just enter one of your email addresses, and the service will tell you if that email address is associated with a known data breach. If so, then it’s time to change your password for the site or sites involved (if you haven’t already done this). Make a habit of visiting Have I Been Pwned from time to time in order to see if you’ve been caught up in a breach that hasn’t made the headlines yet.
Following these steps will help keep you safe from the effects of data breaches, and in addition, are good general practices for better security and privacy.
Do you have a security question? How about a suggestion for a topic you’d like to hear discussed on a future Checklist? Let us know! You can always reach us at Checklist@SecureMac.com. And remember, all past podcasts are available at SecureMac.com/Checklist, along with full written notes for each episode, so please explore the archives to continue learning about digital security and privacy while you’re waiting for the next Checklist to air.