Anyone who has spent any time on the Internet knows that you can identify a secure website by the little padlock icon in the browser’s address bar. But according to a recent report released by Google’s SSL certificate transparency website, that padlock might actually be a sign that the site is suffering from weakened encryption and compromised TLS/SSL processes.
According to Google, the padlock, which is used to show that a site is protected by an SSL certificate, can signify that the site can suffer a compromise in everything from domain validation and end-to-end encryption to the chains of trust certificates that certificate authorities (CAs) have put in place. As a result, these websites often find themselves at higher risk of suffering an array of cyber-attacks, including server impersonation, man-in-the-middle attacks, and website spoofing, just to name a few.
The biggest problem facing web surfers is that it is currently impossible to tell which SSL certificates a certificate authority has issued for a website. In addition, web browsers automatically accept all certificates, even those with reduced security and fraud controls.
Google learned of this lack of SSL transparency when the company discovered fraudulent SSL certificates being issued under its name. The certificates were found in use by criminals and nation-states for fraudulent and illegal purposes. As a result, Google wants to increase SSL transparency among issuing bodies. The search engine giant also wants certificate authorities to post notices of their SSL issuances in public places, which include the log servers where the certificates are to be posted prior to being approved. By taking this measure, anyone interested can review the certificates before they go live.
One of the most important reasons why certificate transparency needs to be implemented is that once bad SSL certificates can be detected, it will be easier to identify those CAs that are deliberately abusing their authority or accidentally issuing defective certificates. Currently, Google requires all CAs wanting to publish an extended validation certificate to pre-publish that certificate on a Certificate Transparency log server. By requiring CAs to pre-publish certificates with the highest levels of trust, Google is making it harder for hackers and unscrupulous CAs to issue fraudulent certificates.
Google’s dedication to SSL certificate transparency is certainly a positive step toward making the Internet a more secure place. It is in no way a complete answer, but at least it’s a start. Protecting your data needs to be a prime concern, especially in today’s age of savvy hackers, constant SSL attacks, and compromised certificates. When it comes to protecting your company’s data, you do have options. The most effective way to protect your data is to ensure it can’t fall into the wrong hands, and this involves implementing a data destruction strategy that utilizes state-of-the-art data wiping software.
At Liquid Technology, we provide DOD-certified data wiping services that can render your data completely unrecoverable by any modern means. If you have old IT equipment that is no longer in use, or you’re thinking about donating, selling, or reusing the equipment in another capacity, then scheduling a data wiping service will protect the integrity of the drives while completely eliminating any old data that was recorded on them.
For more information, call Liquid Technology today at 800-797-5478.