Tag Archives: news

Buggy Domain Validation Forces GoDaddy to Revoke Certs

GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar’s domain validation process.

The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer.

“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process,” Thayer said in a statement. “The bug caused the domain validation process to fail in certain circumstances.”

Part of the validation process involves registrar’s sending customers via email a validation code that the customer drops onto their site. Thayer explained that the system searches a particular spot for the code in order to complete validation.

“When the bug was introduced, certain web server configurations caused the system to provide a positive result to the search, even if the code was not found,” Thayer explained, adding that GoDaddy was not aware of any compromises related to the bug.

The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials.

GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.

“This process will be identical to the process they followed when their previous certificates were issued. (If a customer has more than one revoked certificate associated with their customer account, they will be able to initiate the certificate process for each domain within the SSL Panel.),” Thayer said. “The SSL Panel provides helpful information and instructions that should allow customers to easily process the certificate online.”

Affected websites will still resolve, GoDaddy said, but customers may see untrusted-site error warnings.

Experts, meanwhile, caution that as more Certificate Authorities come online such as Let’s Encrypt, which provides free certs in an automated fashion, that more errors like this one could crop up.

“I only see more of them happening,” said Kevin Bocek, vice president of security strategy at Venafi. “We’re seeing faster and faster certification validation with organizations like Let’s Encrypt turning up the competition [among CAs]. And things like DevOps driving faster certificate issuance. And with organizations moving to the cloud, you’re going to have more machines doing these types of requests for new certificates.

“It’s all software,” Bocek said. “It could all have bugs. In the past year, we’ve seen more and more of these reports and the trend is going to continue.”

Let’s Encrypt has taken great strides toward fulfilling its promise of bringing free encryption and SSL to the web by simplifying and automating the process. Let’s Encrypt isn’t alone; Amazon, Cloudflare and others also offer free SSL certs in one form or another. Let’s Encrypt uses ACME (Automated Certificate Management Environment), an open API, to automate certificate requests and issuance. And it’s working; in October, Mozilla telemetry that was made public showed that for the first time, more than half of all traffic in transit is encrypted.

“There are going to be more demands on CAs and more and more machines doing requests,” Bocek said, adding that while ACME is great for efficiency, it is taking people out of the process. He recommends that organizations familiarize themselves with NIST guidance on preparing for and responding to CA compromises.

“Everyone,” Bocek said, “needs to have a plan and an automated way to get around this.”

Synaptics’ Clearforce technology to bring 3D Touch-style screens to Android

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!

synaptics touch

A pressure-sensitive display will open up another layer of interaction beyond the usual staple of touches and swipes.

 

Your next Android phone’s screen might be more like a giant pressure-sensitive button.

That’s because Synaptics is pushing a new capability for smartphones called ClearForce. Much like Apple’s 3D Touch, you’ll be able to “press” on the screen and get a popup menu or another type of contextual action.

This would allow for different types of interaction with your screen beyond the standard touch, press-and-hold, or pinch-to-zoom. Synaptics is a big player with touch sensors. By backing new tech like this, there’s a good chance you’ll start to see it in a bunch of new phones over the coming year.

However, Synaptics is at work on more than just menus. Synaptics says the new sensor technology will allow for variable speed scrolling, new ways to pan and zoom over pictures, and additional contextual menus depending on how much pressure is applied to the screen.

This isn’t the first time a pressure-sensitive screen has popped up in the world of Android. The Huawei Mate S screen can be hard pressed to zoom in to particular parts of an image or even act as a scale.