
Open Security News week 49-2024

Security relies on understanding the present and past vulnerabilities within your hardware and software stack. Responsible software and hardware companies publish detailed information about known vulnerabilities. However, remember that the number of reported vulnerabilities for a product never reflects its quality.

In fact, a lack of openly published vulnerabilities should raise suspicion, as transparency is a hallmark of trustworthy and secure products. The number of vulnerabilities you can find for a product is not related to its quality. Distrust products that have no openly published vulnerabilities.

1 The end of OCSP

Everyone who has tried to do PKI well has struggled with the choice between OCSP and CRLs. Operating OCSP services is not simple! In theory it is simple, but in reality things get messy really fast. Good news: OCSP will die. The largest PKI authority on the planet will go for CRLs in the future. So stop trying to get OCSP working. It never worked well enough. This future direction is driven by a ballot of the CA/Browser Forum.

(Link)

2 E2EE on the web: is the web really that bad?

Many security experts argue that the web isn’t suited for E2EE (end-to-end encryption) applications because of the vast attack surface for code injection. This article tries to answer questions about E2EE security on desktop and mobile applications.

(Link)

3 The Push to Ban Ransom Payments

Ransomware is a nightmare that will hit every company. Sooner or later. It is just a matter of time. Ransomware costs victims an estimated $30 billion per year. But the trend is now that more and more countries and US states prohibit public entities from paying ransoms. Prosecuting ransomware victims for trying to pay their way out of these incidents is a tough pill to swallow. But it is needed, since simple prevention measures are often lacking at the majority of these public companies.

(Link)

4 Homemade mobile antenna used to send thousands of smishing texts

Sending thousands of smishing messages, posing as banks and other official organisations, is a common way to steal information. The good news is that the risk of being caught is never zero.

(Link)

5 Encryption At Rest: Whose Threat Model Is It Anyway?

Learning about threat models never ends. This is a nice read to think about, written by an expert who created some well-known crypto libraries in PHP. However, one important aspect is missing imho: besides encryption at rest and encryption in transit, you should consider encryption during processing!

(Link)

6 Passkey Implementation

Every vendor wants you to use passkeys. You can read how they work everywhere. But this story details some implementation misery. It is not simple below the surface.

(Link)

7 No One Should Have That Much Power

Encryption backdoors should never ever be created or allowed. Yet almost all governments demand a special key or backdoor to spy on you. We all know: special keys will be misused. Laws to prevent misuse do not protect society. Strong encryption without backdoors will.

(Link)

8 2024 CWE Top 25 Most Dangerous Software Weaknesses

The CWE Top 25 Most Dangerous Software Weaknesses List highlights the most severe and prevalent weaknesses behind the 31,770 Common Vulnerabilities and Exposures (CVE) Records in this year’s dataset.

(Link)

9 Office 365 and workplace surveillance creep

When you must use your company-managed MS Office suite, you are under constant surveillance. Microsoft does mention that Office 365 can be used by an organization to “access and process your data […] including […] the content of your communications and files”, but this information is buried within its privacy policy. This article is from 2022, but seeing the new AI features, it has only gotten worse. So consider LibreOffice (again) if you care about security and privacy for your company.

(Link)

Our partners:

nocomplexity

The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together. Or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.