Let’s Encrypt was founded in 2012, going public in 2014, with the aim to improve security on the web. The goal was to be achieved by providing free, automated access to SSL and TLS certificates that would allow websites to make the switch over to HTTPS without having to spend any money.
When Let’s Encrypt first went public in early 2016, they issued their own root certificate, by the name ISRG Root X1. However, it takes time for companies to include updated root certificates in their software, so until recently, all Let’s Encrypt certificates were cross-signed by an IdenTrust certificate, DST Root X3. This certificate had been around much longer, and was already supported by the vast majority of OSes and browsers in regular use. This allowed Let’s Encrypt to hit the ground running while they waited for the majority of software to support their own root certificate. Continue reading “Let’s Encrypt Will Stop Working For Older Android Devices”→
Last Friday, thousands of owners of Samsung Blu Ray players found that their home entertainment devices would no longer boot up. While devices getting stuck in a power-cycling loop is not uncommon, this case stands out as it affected a huge range of devices all at the same time. Samsung’s support forum paints a bleak picture, with one thread on the issue stretching to 177 pages in just a week.
So what is going on, and what can be done to fix the problem? There’s a lot of conflicting information on that. Some people’s gear has started working again, others have not and there are reports of customers being told to seek in-person repair service. Let’s dive in with some wild speculation on the problem and circle back by commiserating about the woes of web-connected appliances.
It’s funny, how obsessed we are with qualifications these days. Kids go to school and are immediately thrust into a relentless machine of tests, league tables, and exams. They are ruthlessly judged on grades, yet both the knowledge and qualifications those grades represent so often boil down to relatively useless pieces of paper. It doesn’t even end for the poor youngsters when they leave school, for we are now in an age in which when on moving on from school a greater number of them than ever before are expected to go to university. They emerge three years later carrying a student debt and a freshly-printed degree certificate, only to find that all this education hasn’t really taught them the stuff they really need to do whatever job they land.
A gold standard of education is revealed as an expensive piece of paper with a networking opportunity if you are lucky. You need it to get the job, but in most cases the job overestimates the requirement for it. When a prospective employer ignores twenty years of industry experience to ask you what class of degree you got twenty years ago you begin to see the farcical nature of the situation.
In our hackspaces, we see plenty of people engaged in this educational treadmill. From high schoolers desperately seeking to learn something other than simply how to regurgitate the textbook, through university students seeking an environment closer to an industrial lab or workshop, to perhaps most interestingly those young people who have eschewed university and gone straight from school into their own startups.
You want to put your credit card number into a web site. You know to look for a secure web site. But what does that really prove? And now that so many electronic projects have Web servers (ok, I’ll say it… the Internet of Things), do you need to secure your web server?
There was a time when getting a secure certificate (at least one that was meaningful) cost a pretty penny. However, a new initiative backed by some major players (like Cisco, Google, Mozilla, and many others) wants to give you a free SSL certificate. One reason they can afford to do this is they have automated the verification process so the cost to provide a certificate is very low.
If you’ve ever purchased a new computer then you are probably familiar with the barrage of bloatware that comes pre-installed. Usually there are system tools, antivirus software trials, and a whole bunch of other things that most of us never wanted in the first place. Well now we can add Superfish spyware to the list.
You may wonder what makes this case so special. A lot of PC’s come with software pre-installed that collect usage statistics for the manufacturer. Superfish is a somewhat extreme case of this. The software actually installs a self-signed root HTTPS certificate. Then, the software uses its own certificates for every single HTTPS session the user opens. If you visit your online banking portal for example, you won’t actually get the certificate from your bank. Instead, you’ll receive a certificate signed by Superfish. Your PC will trust it, because it already has the root certificate installed. This is essentially a man in the middle attack performed by software installed by Lenovo. Superfish uses this ability to do things to your encrypted connection including collecting data, and injecting ads.
As if that wasn’t bad enough, their certificate is actually using a deprecated SHA-1 certificate that uses 1024-bit RSA encryption. This level of encryption is weak and susceptible to attack. In fact, it was reported that [Rob Graham], CEO of Errata Security has already cracked the certificate and revealed the private key. With the private key known to the public, an attacker can easily spoof any HTTPS certificate and systems that are infected with Superfish will just trust it. The user will have no idea that they are visiting a fake phishing website.
Since this discovery was made, Lenovo has released a statement saying that Superfish was installed on some systems that shipped between September and December of 2014. They claim that server-side interactions have been disabled since January, which disables Superfish. They have no plans to pre-load Superfish on any new systems.