Organizational Unit (OU) soon to be deprecated in public SSL/TLS certificates

As per the results of ballot SC47V2, the Certificate Authority/Browser (CA/B) Forum has voted to deprecate the Organizational Unit (OU) field for public SSL/TLS certificates, with the deadline set on September 1, 2022. The CA/B Forum has determined that the Organizational Unit can be interpreted very differently in every company, and therefore poses problems for a Certificate Authority when it comes to authenticating it using external resources. Removing the OU field prevents uncertain information from being included in the SSL/TLS certificate and improves the validation process. We at SSL.com want to ensure that the transition to this new rule will be smooth for our customers. In the following months, we will be sending out reminders and updates about the September 1st deadline.
New key storage requirements for OV and IV Code Signing Certificates

In compliance with the CA/Browser Forum’s new key storage requirements for code signing certificates, starting on November 15, 2022, SSL.com’s Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates will only be issued either on Federal Information Processing Standard 140-2 (FIPS 140-2) USB tokens or through our eSigner cloud signing service. In connection with this, we have updated our eSigner subscription pricing for OV and IV code signing certificates.
eSigner provides secure cloud code signing with no additional hardware needed.
Huge podcast downtime caused by Spotify failing to renew their SSL certificate

And now, on to some news clips involving digital certificates. First off, Spotify made headlines when a podcast platform it owns experienced significant downtime. Due to an expired SSL certificate, Megaphone’s podcast listeners were not able to access a lot of their shows for eight hours. In a statement, Spotify spokesperson Erin Styles confirmed the cause of the incident: “Megaphone experienced a platform outage due to an issue related to our SSL certificate. During the outage, clients were unable to access the Megaphone CMS and podcast listeners were unable to download podcast episodes from Megaphone-hosted publishers.”

Megaphone acquired a two-year SSL certificate in May 2020, and in December of that same year the company was purchased by Spotify. This change of ownership could have contributed to an oversight in the security management of Megaphone’s website. One podcaster remarked that the glitch might have cost podcast show publishers thousands of downloads because they could not upload their content for eight hours.

This is not the first time that a big company has forgotten to renew its SSL certificate. In April 2015, Instagram’s expired SSL certificate resulted in its users getting security warnings. If we combine the costs of customers being affected and the severe security risks that come with an expired certificate, companies stand to lose a lot from this simple mistake. According to Maria Korolov of CSO, “the average global 5,000 company spends about $15 million to recover from the loss of business due to a certificate outage — and faces another $25 million in potential compliance impact.”
SSL.com provides a wide variety of SSL/TLS server certificates for HTTPS websites.
Tor-concealed website discovered to be offering cheap and customizable malware bundles

Eternity Project, a website concealed in Tor, has been revealed to be selling malware bundles, including stealers, worms, miners, and ransomware, for an annual rate as low as $260. The convenient access to malware provided by Eternity is a matter of concern as it coincides with the increasing cases of phishing, DDoS, and ransomware attacks in recent years. Just last April, Resecurity discovered a new Phishing-as-a-Service called Frappo, which was being used to produce highly devious phishing pages for large online banking websites, e-commerce sites, and well-known retail brands. The developers of Frappo have gone so far as to provide technical support and updates, with their most recent targets being Uber and 20 financial institutions.

Jeff Burt of The Register explains how the easily accessible malware being sold by Eternity multiplies the risks faced by businesses and organizations: “With malware-as-a-service, the programmer has various opportunities to make money from their work. They can use their malware themselves to bag ill-gotten gains; bring in cash by leasing or selling the code; and charge for support and related services. At the same time, crooks who don’t have the skills or time to develop their own malicious code can simply buy it from someone else.”
Singapore replaces paper-based birth and death certificates with digitally-coded electronic documents

Starting last May 29, Singapore stopped issuing physical birth and death certificates for its citizens in favor of digital copies of these documents. This also entailed a shift to online registration of births and deaths. Singaporeans previously had to register a birth certificate at the hospital or at the Immigration and Checkpoints Authority (ICA). According to Singapore’s ICA, this change is part of their government’s mandate to digitize public services. Now that birth and death certificates can be registered, downloaded and stored on desktop computers or mobile phones, Singapore’s residents are finding it more convenient to deal with the process.

As of May 30, 6 pm Singapore Standard Time, ICA was able to release 219 digital birth certificates, which was double the daily average for physical birth certificates. If this trend continues, the digital certificates that can be processed each year are expected to go beyond the past five-year annual average for physical birth certificates, which was 39,100.

This major change is seen as a strategy to provide better validation and authentication processes for these important documents. According to ICA, “Government agencies and private entities, such as industry associations and financial institutions, can use QR codes included on all digital certificates to verify their authenticity. The QR code will be linked to an ICA system where details on the digital certificate can be verified against ICA’s database.”

Digitizing birth and death certificates is an innovative policy on the part of Singapore. Aside from being more efficient than manual processes, digital registration and storage are safer and more cost-effective. Compared to paper-based documents, digital documents cannot be damaged by fire and other hazards and do not require a lot of physical space to be maintained. Digitization also offers stronger validation and authentication features, because the QR codes placed on birth and death certificates are digital codes that protect these documents from tampering more effectively than handwritten signatures.
Check out SSL.com’s Business Identity Certificates which offer Document Signing, Email Security, and Client Authentication.