WordPress Enables Free HTTPS Connections to Custom Domains

WordPress is a free, open source content management system, typically used for blogs and quick makeshift websites. While it’s nice to have your own content, you want to make sure that it’s safe and secure, something which the “Let’s Encrypt” project hopes to improve upon, a project that WordPress has now joined.

The Let’s Encrypt Project announced on March 9th that it would soon take on a new name as it transitioned to its new home at the Electronic Frontier Foundation (EFF), a group specialising in the law, security and technology.

WordPress has now announced that it has joined the program, offering the green lock symbol everyone loves to see when travelling through the internet. Any custom domains (those that don’t have .wordpress.com in their address) now gain the benefits of the free SSL certificate issued by the program automatically, with little to no effort on their owners’ behalf. You can find the steps to give your website access to HTTPS certificates here, giving everyone the benefit of free and reinforced security for their websites.

Not only is it free, but you get a more secure connection for minimal effort, something that has been hard to do for websites up until now. What is not to like about this program, especially for those with WordPress blogs?

Malware Could Be Using Legitimate Signature Certificates

When it comes to installing software on your computer, we often have to take it on faith that the software is safe to use. As an extra precaution, the latest step is to allow companies to use “certificates”, digital signatures that show that a trusted company created the software. A group known for creating malware may have found a way around this system though as some of their nasty programs are using legitimate signature certificates.

When software carries a legitimate signature certificate, your computer trusts it and installs it without further hassle; the problem is that the software is less than safe and is, in fact, just malware (or malicious software). According to Symantec, the group known as Suckfly has used no less than nine different signing certificates from nine different companies since 2014.

Categorising the found malware into groups, Symantec found that 11 of the identified tools could be used for backdooring into your system. Others could be used to log and find out your information, and some even checked your network traffic to find out what could be used to access your system through port scanning software.

With so many certificates being stolen and used for signing malware, and with this becoming a common practice amongst malware creators, could we see the need for another way of checking that software is legitimate if these techniques are so easily bypassed?

 

SD Association Introduces New Video Speed Class Rating

It has been a while since we got the last official speed rating for SD cards from the SD Association, and the current ratings are quite low compared to the speeds we see from other hardware parts these days. Granted, the SDA ratings are minimum speeds and we’ve long had cards that got past this, but it will be nice to have a new official rating that will make sure our modern video recorders won’t skip frames.

The new Video Speed Class ratings will be identifiable by the letter V, and they are part of the new SD 5.0 specifications. The rating is made to make sure that you can record 4K, 8K, 3D and 360-degree video without hiccups. The two fastest options, V90 and V60, are made to support up to 8K resolution, while V6, V10, and V30 are designed for HD and 4K captures.

“With Video Speed Class, SD device and memory card manufacturers can offer the highest-quality video recording to consumers and professionals that keep pace with the awesome video resolutions not only offered today, but anticipated tomorrow,” said Brian Kumagai, president of the SDA. “New products leveraging the capabilities of Video Speed Class will be based on the high storage capacities offered by SDHC and SDXC memory cards.”

One of the nice things about the SD standard is the easy-to-understand speed ratings as compared to the CFast standard for example. The original SD Class 2, 4, 6, and 10 referred to the minimum speed in MB/s and the same goes for the U1 and U3 specifications except that you had to multiply them by 10. The new video speed class is prefixed with a V followed by the minimum speed rating as a number, much like the original Speed Class scheme.

Now, clever users will quickly have noticed that we already have SD cards on the market capable of these speeds, but they weren’t officially rated for it. That was more down to the natural advances in NAND technology, but now we also have official ratings and official certifications for it.

A new white paper, “Video Speed Class: The new capture protocol of SD 5.0,” outlines how the latest SD specification enables Video Speed Class. You can download the white paper at this page.

Dell Sorry and Rushes To Fix Security Issue

Yesterday we reported on a security issue that came pre-installed on Dell machines, resulting in a potential security risk to your details and leaving your system open to being tricked about whether a website is ‘secure’ or not. It would seem that Dell has been quick and keen to fix this issue, releasing information on how to fix the problem on machines.

First up, if you are using a Dell machine we recommend you use the test site that’s been set up. If this website appears fine, with a padlock in your browser and without displaying a warning, then it means that your computer currently has the eDellRoot certificate installed.

In order to remove it, you can either use the uninstaller app provided here or remove it manually by following the steps below:

  1. Go to the start menu, type “mmc” and press enter
  2. Go to File -> Add/Remove Snap
  3. Pick certificates and press add
  4. Choose computer account and press next
  5. Choose local computer and press finish
  6. Press Ok
  7. Expand Certificates and Trusted Root Certification Authorities
  8. Pick the certificates folder and check to see if eDellRoot is present
  9. If eDellRoot is present, right click and press delete.
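
The manual check in steps 1 to 9, scripted in PowerShell as an added example (it is not Dell's uninstaller or Dell's instructions). It matches on the certificate name rather than a fingerprint; the function name `Find-EDellRoot` and the two stores beyond the local computer's Trusted Root store are assumptions made for this example.

```powershell
# Added example (not Dell's tooling): find, and optionally remove, certificates
# whose subject name is eDellRoot. Run from an elevated PowerShell prompt.
function Find-EDellRoot {          # hypothetical helper name
    param(
        # The steps above inspect the local computer's Trusted Root store;
        # the other two stores are an assumption added for wider coverage.
        [string[]]$Store = @('Cert:\LocalMachine\Root',
                             'Cert:\LocalMachine\My',
                             'Cert:\CurrentUser\Root'),
        [switch]$Remove
    )
    foreach ($path in $Store) {
        # Match on the subject common name only; no fingerprint is assumed.
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match '(^|,\s*)CN=eDellRoot(,|$)' }
        foreach ($cert in $certs) {
            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                # True means the private key is stored alongside the certificate.
                HasPrivateKey = $cert.HasPrivateKey
            }
            if ($Remove) {
                # Equivalent of step 9; -DeleteKey also removes the stored private key.
                Remove-Item -Path (Join-Path $path $cert.Thumbprint) -DeleteKey -Confirm
            }
        }
    }
}

$found = @(Find-EDellRoot)
if ($found.Count -eq 0) { 'No certificate named eDellRoot found.' }
else { $found | Format-List }
# To delete what was found (step 9 above): Find-EDellRoot -Remove
```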

If you want to see the full steps listed provided by Dell you can find the file here. With these steps, you can ensure one less threat to your machine and as such your digital life. It will be interesting to see how Dell reacts to this issue and moves forward in the coming weeks.

Dell’s Security Affects More Than Just Your PC!

Recently Dell has received a lot of attention regarding their security; to be more precise, it was due to a digital certificate. These are small pieces of code that are used to encrypt the traffic between your system and any website or online system you use. Remember that little padlock in your URL bar on the browser? That means that the site has used a certificate to verify that it is a legitimate website and not a fake one.

The problems started when Dell shipped their systems with a certificate, private encryption key included. This is like giving somebody the mold to create their own keys, or even to conduct man-in-the-middle attacks, where an attacker acts as a midway point for communication and, with the encryption details, can easily read the information being sent.

When Duo Security, a digital security company, continued to search, they found at least 24 IP addresses which had certificates with a different digital fingerprint but the same name, eDellRoot. Different lock, same name.

The problem with this is that some of the systems appear to be SCADA (Supervisory Control and Data Acquisition), a type of system seen as pretty important given it is often used in energy and manufacturing industries. While these systems are normally closed off from the internet (no access = minimal risk), the systems could have been misconfigured and so still carry a potential risk.

Dell has posted stating that they would post instructions on how to fix the eDellRoot problem, which can be found here.

With problems like this, public knowledge and learning from the mistake are the best ways to prevent this affecting both companies and the public in the future.

Comodo Fixes Issue Which Resulted In Banned Certificates

Have you ever noticed that padlock symbol in your address bar when you go on a website, such as eBay or your emails? These symbols actually mean something: they mean that the website has been verified by an SSL certificate. These certificates are provided by an external company and are designed to let you know that your websites are safe and secure. So can you imagine what that means when bad certificates are issued?

Comodo is one of the companies that provide online certificates, and it has had to fix just that problem, releasing a fix for a bug which issued several certificates after the rules for providing those certificates changed. In a post on their forum, Rob Stradling, Comodo’s senior research and development scientist, wrote that eight certificates were issued, but he didn’t end the post there.

Stradling then went on to state that Comodo may not be the only company to have this problem:

“We found non-compliant certificates issued by quite a number of other CAs, but I’ll document these in another post.”

With the fix released only two hours after they discovered the bug, the hope is that the padlock can stay a symbol of security and safety online.

Plex to Allow Free SSL Encryption

Plex gave its users an important security upgrade last week. The home media streaming platform announced that all its users are getting free SSL certificates, enabling them to connect to their media over an encrypted HTTPS connection. The new feature is a partnership with certificate authority DigiCert; Plex says the project is “one of the largest implementations of publicly trusted certificates, ever.”

The new Plex feature isn’t just for Plex Plus subscribers who pay $5 per month to get a host of different features. Even free users will get the added security. The certificates work whether you are accessing a Plex media server remotely or over your local network. Certificates encrypt any data being sent between you and your Plex server, preventing anyone spying on your data traffic. It works (in layman’s terms) by your PC / device having the “key” and your Plex server the “lock”. Neither can see any data on the other without the key or lock. Quite simple, but highly effective.

Anyone using Plex at home just needs to update their Plex server to the latest version. Then make sure you’re signed into your Plex account. Afterward go to Settings > Server > Network and ensure that ‘Secure connections’ is enabled. Once that is done the SSL feature should start working when you visit app.plex.tv. If it still doesn’t work, try rebooting your media server.

Even though your server has an SSL certificate, it currently works to create an encrypted connection only with specific Plex apps. You can get a trusted HTTPS connection on Android, Plex Home Theater, Plex Web App, Roku (preview app), Windows 8.1, and Windows Phone. Anyone using Plex apps on a gaming console, smart TV, or iOS will have to wait for updates in the coming weeks.

Thank you to PCworld for providing us with this information

Image courtesy of LifeHacker

The Pope’s iPad Sold for $30,500 at an Uruguay Charity Auction

It looks like technology brought some support for the poor over in Uruguay earlier this week. The Castells auction house reportedly hosted a charitable auction, having Pope Francis’ old iPad up for the taking. There are a lot of antique fanatics out there, and such an item was bound to attract some attention.

Reports state that a buyer, whose identity is not known, bid a large sum for the old iPad, having the device scoop up a sum of $30,500. The iPad is said to have inscribed “His Holiness Francisco. Servizio Internet Vatican, March 2013” on the back and comes with the Vatican’s signed certificate and a black Logitech keyboard.

Auctions such as this are perceived by a lot of people to be gatherings where rich people go and bid large sums of money, while sipping expensive champagne and eating caviar, in order to fill up their ego and other people’s pockets. This time around, all the money raised went to a local school for the poor.

This act proves yet again that Pope Francis is extremely open to technology and believes it is a “way to foster dialogue across different faiths”. Whether or not you believe the same thing, just think of this: what do you use to check in at your favourite coffee shop or with friends on the other side of the world?

Thank you The Verge for providing us with this information
Images courtesy of The Verge

Urgent Certificate Patch Issued by Microsoft to Address ‘Out-of-Band’ Foreign Certificates

It is said that Microsoft normally releases their patches and updates on the second Tuesday of every month, also known by most as being Patch Tuesday. This time however, they have apparently been forced to release another update having discovered that foreign encryption certificates for big websites, such as Google, had been coming from the National Informatics Center of India’s certificate server.

The problem here is that attackers have allegedly gained access to the certificate generation system and have issued at least 45 certificates, allowing them to pose as companies ranging from email providers to search engines and even banks, as well as credit card processors. Because NIC generated the certificates, browsers show the given web sites as trustworthy, so the possibility of becoming a victim is extremely high; this led Microsoft to flag the issue as top priority and issue the urgent ‘out-of-band’ patch.

“The subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties,” Microsoft warned in its emergency bulletin. “The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks.”

Microsoft has stated that the update in question is being rolled out automatically to all Windows 8 and Windows 8.1 users, as well as users of older Windows operating systems who have installed a recommended Windows Update patch, adding the certificate revocation support to the operating system.

Thank you Bit-Tech for providing us with this information

Apple’s Software Update Breaks Due To Expired SSL Certificate

Apple had been experiencing problems with their certificates this weekend. More specifically, the Software Update certificate required in order to communicate with Apple’s Software Update servers had apparently expired.

The expiry issue led to countless users being greeted with a message emphasising that “An Error has occurred. The certificate for this server is invalid. You might be connecting to a server that is pretending to be ‘swscan.apple.com’ which could put your confidential information at risk.” A graphical representation of the error can be viewed below:

The error has been spotted by a group of readers over at MacRumor, stating that they were greeted with the above-mentioned error message when attempting to perform a software update on their Macintosh computers. Also, the ‘swscan.apple.com’ address appears to be one of the several servers used by Apple to relay software updates.

The certificate was valid from May 23rd 2012 up until May 24th 2014, and most probably Apple forgot to issue a renewal request for the certificate in question in reasonable time, thus leading to the error described.

Furthermore, reports show that the same issue could have been the top culprit for the NSURLErrorDomain error -1012, which apparently had a similar connection problem with Apple’s Software Update servers.

Nonetheless, users who experience one of the two issues should contact Apple Support in order to clarify the situation and resolve it as quickly as possible, since constant updates are required to maintain and keep a computer safe from unwanted software.

Thank you MacRumor for providing us with this information
Images courtesy of MacRumor