Reporting live from the middle of summer, we are happy to bring you a July Roundup from the world of digital security! This month we’ll be taking a look at:
- Microsoft Gains an Edge in the Security Game
- Images To Be Auto-Upgraded to HTTPS in Chrome 85
- Apple, Chrome and Firefox Switch to 398-day certificates
- Microsoft Enforces Deprecation of TLS 1.0 and 1.1 for Office 365
So far, Microsoft Edge has proven to be a serious competitor to more-established browsers and new updates are only strengthening its position. A report by Kate O’Flaherty in Forbes notes that it may still be the number two browser overall, but recent updates have made it second to none when it comes to security. From the Forbes article:
But a new report by NSS Labs actually saw Microsoft’s Edge beat Chrome in the security stakes. Because it uses Microsoft Defender SmartScreen, Edge was found to offer the best phishing protection compared with the other browsers tested, blocking 95.5% of phishing URLs. Google, which uses the Safe Browsing API, came second at 86.9%.
As Microsoft-focused site OnMsft reports, another separate NSS Labs report shows how Edge also has better malware protection than rivals Chrome, Firefox and Opera. Microsoft Edge blocks 98.5% of malware, while second place Firefox blocks an average of 86.1%, followed by Google Chrome at 86.0%.
It is, of course, a great time to be focused on browser security as more work and operations move from the office to a decentralized work-at-home model. We will be keeping an eye on the updates that Edge continues to churn out, and watch as the browser fights to dominate the market.
In another step towards an across-the-board implementation of HTTPS, the next major version of Chrome will auto-upgrade images served via HTTP from HTTPS websites to the more secure protocol. In Chrome 85, which will have its stable release out on August 25, HTTPS will be the only option for images served from HTTPS websites – if that is not available, the images simply will not be displayed in Chrome.
As usual, the Chromium Blog has more details:
Chrome is now auto-upgrading images served over HTTP from HTTPS sites by rewriting URLs to HTTPS without falling back to HTTP when secure content is not available. Chrome has been auto-upgrading audio and video content since version 80.
It’s a good step forward, and a good reminder to eliminate mixed content on websites!
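To find the images affected by this change before Chrome 85 ships, a site owner can scan page markup for image references that still resolve to HTTP. The script below is an added example, not code from the Chromium Blog or this roundup; the sample markup, the hostnames and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup, assumed to be served from https://shop.example/catalog/
SAMPLE_HTML = """
<img src="http://cdn.example/logo.png" alt="logo">
<img src="/static/banner.jpg">
<img src="//img.example/hero.webp"
     srcset="http://img.example/hero-2x.webp 2x, https://img.example/hero-3x.webp 3x">
<picture>
  <source srcset="http://legacy.example/photo.avif" type="image/avif">
  <img src="https://img.example/photo.jpg">
</picture>
"""


class ImageRefCollector(HTMLParser):
    """Collect image URLs from <img src>, <img srcset> and <source srcset>."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (line number, raw URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.refs.append((self.getpos()[0], attrs["src"].strip()))
        if tag in ("img", "source") and attrs.get("srcset"):
            # srcset is a comma-separated list of "URL descriptor" candidates
            for candidate in attrs["srcset"].split(","):
                parts = candidate.split()
                if parts:
                    self.refs.append((self.getpos()[0], parts[0]))


def find_mixed_images(html, page_url):
    """Return (line, http_url, https_url) per image an HTTPS page loads over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    collector = ImageRefCollector()
    collector.feed(html)
    findings = []
    for line, raw in collector.refs:
        resolved = urljoin(page_url, raw)  # relative and // URLs inherit https
        if urlsplit(resolved).scheme == "http":
            findings.append((line, resolved, "https" + resolved[4:]))
    return findings


if __name__ == "__main__":
    print(*find_mixed_images(SAMPLE_HTML, "https://shop.example/catalog/"), sep="\n")
```

Each finding pairs the HTTP URL with the HTTPS URL Chrome will request instead; because there is no fallback, confirm that each HTTPS URL actually serves the image and then update the markup.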
Well, it’s official. As of September 1, all Apple software will (essentially) reject SSL/TLS certificates that are valid for more than 398 days. The industry has known this was going to happen since February, so while it’s still noteworthy, the real news is that Chrome and Firefox are officially following suit: Mozilla is prepping to switch to 398-day certificates in its browser, and the Chromium source code confirms that Chrome will enforce the same standard beginning on September 1 as well.
The Register reported on the “snubbing” of 2-year certificates in an article by Shaun Nichols about the change:
Apple reckons this policy ensures websites and apps refresh their certs once a year, thus encouraging them to use the latest cryptographic standards, and ensures stolen certs cannot be used for long-running phishing campaigns and other shenanigans as they’ll expire soon enough.
…Suffice to say, certificate sellers were irritated by the change. ‘The unilateral decision of Apple, against the results of the ballot, makes the CA/B Forum a little bit useless, from our point of view,’ sniffed Spanish cert biz Firmaprofesional.
All signs point to everyone following Apple’s lead to shorten certificate lifespans. At the moment, Microsoft has yet to make an announcement on what they will do, but it’s easy to conclude that they will follow, given that the company’s Edge browser uses Chrome as its engine.
After a pandemic-related delay, Microsoft will officially begin enforcing deprecation of the TLS 1.0 and 1.1 protocols – which are well-known to be insecure – in Office 365. The protocols were actually deprecated as of October 31, 2018. And, according to Microsoft, the enforcement has been reset and should be up and running on October 15, 2020.
Honestly, this won’t impact too many users as the Office client is able to use TLS 1.2 if supported by the local computer. However, it might be worth noting that TLS 1.2 is not available on Windows 7 without the KB 3140245 update. Those looking for a technical overview of the change can head over to the Microsoft Blog, which explains it all.