Security news 11/7/2018
- In two weeks, Chrome 68 will be released, which will mark regular HTTP pages as unsafe even if they don’t have a login or any other form. The goal is to eliminate HTTP altogether.
- Google can afford to make this move because anyone can get a free domain certificate from Let’s Encrypt https://letsencrypt.org/, whose security and convenience are better than those of most commercial authorities. Its qualities are evidenced by the fact that it is already being used by the newly launched Citizen Portal https://obcan.portal.gov.cz/, where security and inclusiveness are a top priority.
- Since I have already reached the Citizen Portal, I would like to remind you that this is (for the time being) the main way to use the e-citizen’s card issued since 1 July 2018 https://www.eidentita.cz/. How well it lives up to the hopes placed in it can be judged once we actually hold it in our hands. We have already applied for it, so the next news will hopefully be all about it.
- If anyone still doubts the necessity of HTTPS everywhere, the CTU recently gave the most compelling argument with its decision in the closely watched case of the hijacking of connections by the operator O2 for marketing purposes. The authority will not punish the operator because, in its judgment, HTTP does not guarantee “secrecy of the messages delivered” and therefore communications using it are not covered by the relevant criminal laws https://twitter.com/zajdee/status/1011869815399690240. This is, as far as I know, a precedent for similar “institutionalized hacking”, which sooner or later will have a simple consequence: what is not in HTTPS will be dinged one way or another.
- The National Cyber and Information Security Bureau (NCIS) has released its annual report with a very nice summary of cybersecurity events over the past year. https://www.govcert.cz/download/Zpravy-KB-vCR/Zprava-stavu-KB-2017-fin.pdf
Author: František Řezáč