Tag Archive for Mozilla

| October 16, 2018
Comments Off on Protect Yourself from Facebook

Protect Yourself from Facebook

Protect Yourself from FacebookJust in case you have been sleeping under a rock the past couple of weeks, social media giant Facebook (FB) was hacked again. In a presser on 10/12/2018, the social networker admitted that nearly 30 million Facebook users were hacked. This is on top of the 50 million user accounts that Mark Zuckerberg’s company allowed Cambridge Analytics to steal.

Facebook did not apologize for exposing its users’ informationDuring the presser, Facebook did not apologize for exposing its users’ information but noted that it was cooperating with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission, and other authorities on the data breach.

The attack involved the capture of Facebook “access tokens,” or digital keys that allow websites to recognize who someone is and keep them logged in. Using accounts they already controlled, the attackers used an “automated technique” to exploit Facebook’s “View As” functionality and steal access tokens for some 400,000 people. Hackers then used friend lists from those 400,000 accounts to obtain access tokens for another 30 million people (Here’s how to find out if you were hacked). Facebook tracked this hack to a change it made to its video uploading feature over a year ago in July 2017, and how that change affected View As.

Facebook confirmed on Friday that the hack compromised the personal and contact information of 30 million users. The compromised personal data includes:

  • Information sharingName
  • Phone number
  • Email address
  • Username,
  • Gender,
  • Locale/language,
  • Relationship status,
  • Religion,
  • Hometown,
  • Self-reported current city,
  • Birthdate,
  • Device types used to access Facebook,
  • Education,
  • Work,
  • The last 10 places they checked into or were tagged in,
  • Website,
  • People or Pages they follow and,
  • The 15 most recent searches.

rb-

Mozilla Firefox web browserI have been warning about the dangers of Facebook since 2011. I use the Facebook Container extension for Firefox to helps prevent Facebook from tracking me around the web. The Facebook Container is an extension to the Desktop Firefox 57 and higher (it does not work on Firefox for mobile).

The Facebook Container is a tool to limit what data others can obtain from you. It works by isolating your Facebook identity into a separate container that makes it harder for Facebook to track your visits to other websites with third-party cookies.

When you install the extension it deletes the Facebook cookies on the computer and logs you out of Facebook. The next time you navigate to Facebook it will load in a new blue-colored browser tab (the “Container”).

Facebook containerYou can log in and use Facebook normally when in the Facebook Container. If you click on a non-Facebook link or navigate to a non-Facebook website in the URL bar, these pages will load outside of the container.

Clicking Facebook Share buttons on other browser tabs will load them within the Facebook Container. You should know that using these buttons passes information to Facebook about the website that you shared from.

Because you will be logged into Facebook only in the Container, embedded Facebook comments and Like buttons in tabs outside the Facebook Container will not work. This prevents Facebook from associating information about your activity on websites outside of Facebook to your Facebook identity.

Facebook Share buttons passes information to Facebook about the website that you shared fromIn addition, websites that allow you to create an account or log in using your Facebook credentials will generally not work properly. Because this extension is designed to separate Facebook use from use of other websites, this behavior is expected.

It is important to know that this extension doesn’t prevent Facebook from mishandling the data that it already has, or permitted others to obtain, about you. Facebook still will have access to everything that you do while you are on facebook.com, including your Facebook comments, photo uploads, likes, any data you share with Facebook connected apps, etc.

It is important to remember that other ad networks will try to correlate your Facebook activities with your regular browsing.

In addition to using the Facebook Container extension, you can further protect yourself from Facebook by changing your Facebook settings, using Private Browsing, enabling Tracking Protection, and blocking third-party cookies.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , ,
| January 20, 2018
Comments Off on Browser Security Updates

Browser Security Updates

Browser Security UpdatesIf you bank, shop, or work on the Intertubes your security is changing. Your browser Security is changing because Symantec is selling its Website Security and related PKI business to PKI encryption solutions to DigiCert for nearly $1 Billion.

SSL and TLS logoExperts estimate that Symantec (SYMC) owns 40% of the SSL certificate market. SSL/TLS certificates are used to encrypt the connections between browsers and HTTPS-enabled websites. The certificates are used to verify that users are actually visiting the websites they intended to and not spoofed versions. Certificates are issued by organizations known as certificate authorities that are trusted by default in browsers and operating systems.

As a result of the sale, many firms are going to have to reissue SSL/TLS server certificates. The reissued certs will ensure browser security and make sure there is no impact on your online experiences. These certificates are essential to ensure secure, encrypted communication for user interaction on the Intertubes.

Google Chrome browser security

Google (GOOG) has led the effort to decrease the disruption that could come along with this change. Google posted a plan back in July of 2017 regarding Symantec-issued SSL/TLS server certificates.

• In March 2018 Google Chrome (Chrome 66 Beta) will show a warning for sites secured with SSL/TLS certificates issued before June 1, 2016. Your security is at risk and data encryption will function normally, but your transactions will be disrupted by a warning in Chrome.
• Google has also stated that all SSL/TLS certificates that had been issued by Symantec before December 1, 2017, will not be trusted starting in September 2018 (Chrome 70 Beta). Doing transactions at sites that have not been updated will put your security at risk, and you will get a warning in Chrome.

Mozilla Firefox

Mozilla, publisher of the Firefox web browser says that it intends to follow the same timeline proposed by Google.

rb-
This change is a normal procedure for typical certificate renewal. There should be no service disruption when the new certificates are issued as long as your web browser is up to date. There is no reason to have an out-of-date browser anymore. All three major browsers will auto-update. Other keys to staying safe online include:

  • Always check for HTTPS when you plan on providing personal data to a website. Always check for HTTPS
  • Pay attention to any security warnings you receive when you visit a website. Although you can almost always trust the HTTPS you see in your browser URL, any additional warnings from your browser should show that there may be a problem with the connection, so you should proceed with caution.

Nearly 54% of all U.S. web browsers will be affected by these changes. Statista says that Chrome held almost 50% of the browser market share and Firefox held over 5% of the share in December 2017. 41% of Internet users are not covered by this change (Safari 32.7% and IE/Edge 9%).

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| December 7, 2015
Comments Off on Let’s Encrypt Lives

Let’s Encrypt Lives

Let's Encrypt LivesLet’s Encrypt, an initiative to set up a free certificate authority (CA) on the Intertubes has entered its public beta phase. All major browser makers including Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer trust Let’s Encrypt certificates. In their announcement Josh Aas, the executive director of California based Internet Security Research Group (ISRG), which runs the Let’s Encrypt service, wrote:

We’re happy to announce that Let’s Encrypt has entered Public Beta. Invitations are no longer needed in order to get free certificates from Let’s Encrypt … We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates.

Encryption to protect communications

Lets Encrypt logoLet’s Encrypt is overseen by folks from Mozilla, Akamai (AKAM), Cisco (CSCO), Stanford Law School, CoreOS, the EFF, and others. Let’s Encrypt was first announced in 2014, (rb- Which I covered here). motivated by a desire to steer organizations towards the use of encryption to protect their communications. A key part of the strategy is offering free digital certificates, which is a radical departure from the very hefty premiums that certificate authorities typically charge.

The Register reports that the free cert is no freebie weakling. Lets Encrypt uses a 2048-bit RSA TLS 1.2 certificate with a SHA-256 signature installed and the server configured to use it. The cert gets an A from Qualys SSL Labs.

Let’s Encrypt to offer free SSL/TLS certs

Secure Socket Layer/Transport Layer Security certificatesLet’s Encrypt plans to distribute free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates, which encrypt data passed between a website and users. The use of SSL/TLS is signified in most browsers by “HTTPS” and a padlock appearing in the URL bar. Unencrypted web traffic poses a security risk. For example, an attacker could collect the web traffic of someone using a public Wi-Fi hotspot, potentially revealing sensitive data.

Besides securing your information going across the Internet from spies and thieves, FierceSecurityIT says another key aspect of Let’s Encrypt is to make it easy to generate and install new digital certificates. The Let’s Encrypt CA uses an open source “automated issuance and renewal protocol” that allows for certificates to be renewed without manual intervention.

automated issuance and renewalThe automated issuance and renewal protocol prevents oversights resulting in certificates for live websites expiring, a situation that does happen from time to time. FierceSecurityIT says that short-term certificates also offer better security by reducing exposure in the event that the private keys are stolen.

rb-

Major technology companies including Google, Yahoo and Facebook have made a strong push for broader use of encryption in light of government surveillance programs and burgeoning cyber-crime.

The point of Let’s Encrypt is that anyone who owns a domain name can use Let’s Encrypt to get a trusted certificate at no cost. This will help HTTPS become the default. This is a big step forward in terms of security and privacy.

Instructions for getting a certificate with the Let’s Encrypt client can be found here.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| January 6, 2015
Comments Off on UMich Helps Secure the Web with Let’s Encrypt

UMich Helps Secure the Web with Let’s Encrypt

UMich Helps Secure the Web with Let’s EncryptThe University of Michigan is teaming up with leading Internet firms to help secure the web. UMichCisco (CSCO), Akamai (AKAM), Mozilla, the Electronic Frontier Foundation, and public key certificate authority IdenTrust, have launched a new free certificate authority (CA) called Let’s Encrypt.

The Let’s Encrypt CA, which will be available in the Summer of 2015. It aims to get people to encrypt their connections to their websites according to a recent GigaOM article. Let’s Encrypt goal is to make it easier to get a proper Secure Sockets Layer/Transfer Layer Security (SSL/TLS) certificate. That way the certs can be deployed to secure a Web server and its users.

Let’s Encrypt will help secure the Internet

Let’s EncryptAccording to the article Let’s Encrypt, comes as the tech industry scrambles to encrypt the web. This is more important after the mass surveillance revelations of NSA leaker Edward Snowden. The CA will aid other efforts to secure the Internet.

Let’s Encrypt is developing the Automated Certificate Management Environment or ACME protocol. The ACME protocol. will sit between Web servers and the CA. It includes support for new, stronger forms of domain validation.

University of MichiganLet’s Encrypt will serve as its own root CA. The nonprofit CA public benefit corporation, Internet Security Research Group (ISRG) will run the root CA. Josh Aas, the executive director of ISRG, explained securing the web is just not a simple thing to use Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL). He explains that getting, paying for, and installing a certificate is too hard for many network administrators.

The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.

Electronic Frontier FoundationAccording to the statement, Let’s Encrypt’s certificates will be free. It will have an automated issuance and renewal protocol – an open standard. A step to reduce the need for input from the domain holder’s side. According to an EFF blog post, “switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.”

Records of certificate issuance and revocation will be publicly available. The organizations behind Let’s Encrypt are stressing that the system won’t be under any one organization’s control.

The EFF has been working on helping users take advantage of HTTPS for a while. The EFF worked with the Tor Project, to create the HTTPS Everywhere extension for Firefox, Firefox for Android, Chrome, and Opera browsers.

The Let’s Encrypt project will use Internet-wide datasets of certificates to make higher-security decisions about when a certificate is safe to issue. The data will include the EFF’s Decentralized SSL Observatory, the University of Michigan’s scans.io, and Google‘s (GOOG) Certificate Transparency logs.

In addition to the Let’s Encrypt project, some of the paths to secure the web include:

  • The next version of the HTTP protocol will likely be encrypted by default.
  • Mozilla and Firefox are collaborating with the EFF to bring Microsoft, Google, Opera, and others to add Let’s Encrypt to their list of valid CAs.
  • Google will rank up sites that use SSL/TLS encryption.
  • The content delivery and security outfit Cloudflare is offering free SSL encryption for millions of its customers.
  • And now Let’s Encrypt aims to equip websites with free certificates – the proof they need to tell users’ browsers that their public encryption keys are genuine and the connection is properly secured.

rb-

Many websites currently use the HTTP protocol, a standard that exposes site owners to a number of threats including cyber espionage, keyword-based censorship, account hijacking, and a host of web application attacks such as SQLi and XSS. Let’s Encrypt helps reduce these risks which I think it is a good step in the right direction.

argues on Wired that Let’s Encrypt does not go far enough. We want the project to not only encrypt data but also authenticate users. IMHO that is a pipe dream. Authentication will step on the toes of Symantec, Oracle, and other hugely funded firms that will squash anybody doing the right thing that threatens their profits.

Related Posts

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,