Soon a maximum duration of one year for SSL certificates?

What is happening?

Industry actors plan to reduce the lifetime of the SSL/TLS certificates that enable the HTTPS display in browsers to 13 months, almost half of the current 27-month lifetime, in order to improve security.

Google has proposed this change through the CA/Browser Forum; it has been endorsed by Apple and by a Certification Authority, which makes it eligible for a vote. If the vote passes at the next CA/B Forum meetings, the modified requirements will come into effect in March 2020, and any certificate issued after that date will have to comply with the shortened validity period.

The aim of this reduction is to complicate matters for attackers by shortening the window during which a stolen certificate can be used. It could also push companies to adopt the most recent and most secure encryption algorithms available.

If the vote fails, it cannot be excluded that the browsers supporting this requirement will implement it unilaterally in their root programs, thereby forcing the change on the Certification Authorities. This is quite likely: the change follows Google’s earlier initiative, which reduced the lifespan from three years to two years in 2018, a period during which Google already wanted to reduce it to 13 months or even less.

Who is impacted?

The changes proposed by Google would affect all users of publicly trusted TLS certificates, regardless of the Certification Authority that issued them. If the vote passes, all certificates issued or reissued after March 2020 will have a maximum validity of 13 months. Companies using certificates with a validity period longer than 13 months are encouraged to review their systems and evaluate the impact of the proposed changes on their implementation and usage.

TLS certificates issued before March 2020 with a validity period longer than 13 months will remain valid. Public non-TLS certificates (code signing, private TLS, client certificates, etc.) are not affected. It will not be necessary to revoke an existing certificate when the new standard takes effect; the reduction applies at renewal.
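The two rules above (certificates issued before the effective date keep their longer validity; anything issued afterwards must fit within 13 months) are easy to get wrong in a portfolio review, so here is an added example of an inventory check, written for this page and not part of the original article or any Nameshield tooling. It assumes the effective date is 1 March 2020 (the article only says "March 2020"), treats the certificate's notBefore as its issuance date, and interprets "13 months" as calendar months; the inventory entries are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Verdict classifies one certificate against the proposed CA/B Forum change.
type Verdict string

const (
	Compliant       Verdict = "compliant"          // validity within the 13-month cap
	LegacyOK        Verdict = "legacy-ok"          // issued before the effective date; longer validity still accepted
	RenewAndShorten Verdict = "must-renew-shorter" // issued on/after the effective date with validity over 13 months
)

// policyEffective is an assumption: the article says "March 2020" without a day.
var policyEffective = time.Date(2020, time.March, 1, 0, 0, 0, 0, time.UTC)

// maxValidityMonths is the cap proposed in the ballot (13 months).
const maxValidityMonths = 13

// Cert is the minimal inventory record needed for the check.
type Cert struct {
	Name      string
	NotBefore time.Time // treated here as the issuance date
	NotAfter  time.Time
}

// exceedsCap reports whether NotAfter lies beyond NotBefore plus the cap,
// using calendar months so "13 months" matches how the proposal is phrased.
func exceedsCap(c Cert) bool {
	latestAllowed := c.NotBefore.AddDate(0, maxValidityMonths, 0)
	return c.NotAfter.After(latestAllowed)
}

// Classify applies the rule from the article: certificates issued before the
// effective date keep working as-is; anything issued afterwards must fit the cap.
func Classify(c Cert) Verdict {
	if !exceedsCap(c) {
		return Compliant
	}
	if c.NotBefore.Before(policyEffective) {
		return LegacyOK
	}
	return RenewAndShorten
}

// DaysUntilExpiry helps prioritise renewals in an inventory.
func DaysUntilExpiry(c Cert, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

func date(y, m, d int) time.Time {
	return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC)
}

func main() {
	now := date(2020, 4, 15) // constructed "today"
	// Constructed inventory entries, not real certificates.
	inventory := []Cert{
		{"www.example.test", date(2019, 6, 1), date(2021, 8, 31)},  // 27 months, issued before March 2020
		{"api.example.test", date(2020, 3, 10), date(2022, 3, 10)}, // 24 months, issued after: must shorten
		{"mail.example.test", date(2020, 3, 10), date(2021, 4, 9)}, // within 13 months: fine
	}
	for _, c := range inventory {
		fmt.Printf("%-20s %-18s expires in %d days\n", c.Name, Classify(c), DaysUntilExpiry(c, now))
	}
}
```

Running a check like this over a real inventory export separates the names that merely need watching from the ones whose next renewal must already be placed on a 13-month cycle.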

What do the market players think about this?

It would be a global change for the industry, affecting all Certification Authorities, which view this proposal in a negative light. An economic interest is clearly at play, but not only that…

Their main argument is that the market is not ready in terms of automated ordering and deployment of certificates. More human intervention would be needed, with the associated risk of mishandling, or simply a higher risk of forgetting a certificate renewal.

For Certification Authorities, reducing certificate lifespans to such a short term mainly means higher human costs for managing certificate portfolios. While they are not fundamentally opposed to the decision, they would particularly like more time to study what users and companies think.

The position of browser makers

For Google and Mozilla, the spearheads of mass adoption of native HTTPS for all websites and supporters of the Let’s Encrypt initiative, what matters is encrypting all web traffic. Reducing certificate lifespans limits the risk of a stolen certificate being misused over a long period and encourages widespread adoption of automated management systems. For these two actors, an ideal world would have certificates valid for at most 3 months. While they pay attention to the market so as not to impose their views too quickly, it is more than likely that certificate lifespans will continue to decrease in the long term.

Nameshield’s opinion

The market continues to evolve towards ever shorter certificate validity periods, with a continual decrease in authentication levels and, consequently, a growing need for automated management solutions. We will align with these requirements and advise our customers to prepare for this reduction, which will without a doubt arrive. Our Certification Authority partners will also follow this evolution and will make it possible to provide all the required systems for permanent inventory and automation.

To be heard

The CA/Browser Forum accepts comments from external participants and all discussions are public. You can submit your comments directly to the Forum mailing list: https://cabforum.org/working-groups/ (at the bottom of the page). Nameshield is in contact with CA/Browser Forum participants and will keep you informed of future decisions.

How to account and value a domain name?

The domain name is an integral intangible asset©

The domain name has the unique particularity of being an intangible asset with four dimensions.

It is simultaneously:

  1. An IT object that gives access to services on the Internet by linking the IP address (a series of numbers) of a physical object [computer, server, smartphone…] to a literal name (the role of the Domain Name System, or DNS);
  2. A communication tool that establishes an identity on the Internet and claims a digital territory;
  3. A legal element, through a temporary contract with an Internet registry;
  4. A financial asset, which can be booked as an intangible asset under certain conditions.

Now an essential element of any dematerialized data exchange, the domain name has over time become a strategic intangible asset of great value because of the services associated with it (email, website access).

Accounting principles applicable to domain names

A domain name should not be considered a mere technical tool but an intangible asset to be recorded on the balance sheet of companies and public bodies, provided it generates a lasting source of profit. In a decision of December 7th, 2016 (ebay.fr case), the French Council of State (the wise persons of the Palais-Royal) thus recalled that if the use of a domain name:

  • Represents a constant source of profits;
  • Has a sufficient sustainability (particularly if it can be regularly renewed);
  • Is likely to be transferred;

then it is an intangible asset of the company and must follow the associated accounting and tax rules. Accordingly, domain names must be recorded either at their creation cost, at their acquisition value, or, for those acquired free of charge, at their current (market) value.

Which financial valuation methods to use?

Inspired by the ISO 10668 standard on the monetary valuation of brands, Nameshield has built a reliable scientific corpus by funding the CIFRE thesis of Mr. Clement GENTY (2016-2019) on the subject “Internet governance and global economy: proposal of a valuation model of a domain name’s value as an intangible asset”. In this context, three approaches to the monetary valuation of domain names were studied:

  • A historical costs approach;
  • A market approach (on semantics);
  • A loss approach (replacement cost).

The market approach aims to measure the semantic value of a domain name by reference to past monetary transactions. To that end, Nameshield has built a database of more than 1.4 million past transactions (domain name, price, year). This approach yields a price by comparables.

The strength of a domain name valuation method that is both scientific and practical

Backed by its regular work in acquiring and/or selling domain names for its corporate and public-sector clients, Nameshield can propose a monetary valuation approach for a domain name or a domain name portfolio, in line with current scientific best practice.

.AU domain names soon available for registration

Image source: kitkatty007 via Pixabay

Until now, Australian domain names were only available for registration under second-level extensions, in particular .COM.AU.

Although the decision to open .AU registrations dates back to 2015, it took four years to set the rules!

It seems that starting October 1st, 2019, the holder of an existing .com.au domain name, for example forexample.com.au, will be able to apply for priority status to register the exact match of their existing name in .AU, forexample.au.

The details of the priority allocation system are as follows:

  • 2 priority statuses (from 2019/10/01 to 2020/04/01)

Category 1: Third-level domain names (com.au, net.au, org.au, asn.au, id.au, edu.au, qld.edu.au, nsw.edu.au, eq.edu.au, act.edu.au, vic.edu.au, sa.edu.au, wa.edu.au, nt.edu.au, catholic.edu.au, schools.nsw.edu.au, education.tas.edu.au, sa.au, wa.au, nt.au, qld.au, nsw.au, vic.au, tas.au and act.au) registered on February 4th, 2018 at the latest will be assigned to priority category 1 for the registration of the same name in .AU.

Category 2: Third-level domain names registered after February 4th, 2018 will be assigned to priority category 2 for the registration of the same name in .AU.

  • The date of general availability has not been announced yet.
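For a portfolio holder with many third-level .au names, the allocation rules above translate into a simple screening step: which existing names qualify for an exact-match .au, and in which priority category. The following is an added example written for this page (not registry or Nameshield code). It uses the zone list and the dates quoted in the article; the portfolio entries are constructed, and the end-of-window convention (exclusive) is an assumption.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// eligibleZones are the third-level zones listed in the article for priority allocation.
var eligibleZones = []string{
	"com.au", "net.au", "org.au", "asn.au", "id.au", "edu.au",
	"qld.edu.au", "nsw.edu.au", "eq.edu.au", "act.edu.au", "vic.edu.au",
	"sa.edu.au", "wa.edu.au", "nt.edu.au", "catholic.edu.au",
	"schools.nsw.edu.au", "education.tas.edu.au",
	"sa.au", "wa.au", "nt.au", "qld.au", "nsw.au", "vic.au", "tas.au", "act.au",
}

// Dates taken from the article.
var (
	categoryCutoff = day(2018, 2, 4)  // registered on or before this date: category 1
	priorityOpens  = day(2019, 10, 1) // start of the priority period
	priorityCloses = day(2020, 4, 1)  // end of the priority period (treated as exclusive: assumption)
)

// Candidate is the .AU exact match derived from an existing third-level name.
type Candidate struct {
	Existing string
	DirectAU string
	Category int // 1 or 2
}

// zoneOf returns the longest eligible zone that the name sits under, or "".
func zoneOf(name string) string {
	best := ""
	for _, z := range eligibleZones {
		if strings.HasSuffix(name, "."+z) && len(z) > len(best) {
			best = z
		}
	}
	return best
}

// Classify derives the direct .AU name and its priority category.
// ok is false when the name is not under an eligible zone or has more than
// one label in front of the zone (the exact-match rule covers a single label).
func Classify(name string, registered time.Time) (c Candidate, ok bool) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	zone := zoneOf(name)
	if zone == "" {
		return Candidate{}, false
	}
	label := strings.TrimSuffix(name, "."+zone)
	if label == "" || strings.Contains(label, ".") {
		return Candidate{}, false
	}
	cat := 2
	if !registered.After(categoryCutoff) {
		cat = 1
	}
	return Candidate{Existing: name, DirectAU: label + ".au", Category: cat}, true
}

// InPriorityWindow reports whether an application date falls in the priority period.
func InPriorityWindow(applied time.Time) bool {
	return !applied.Before(priorityOpens) && applied.Before(priorityCloses)
}

func day(y, m, d int) time.Time {
	return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC)
}

func main() {
	// Constructed portfolio entries (name, registration date), not real registrations.
	portfolio := []struct {
		name string
		reg  time.Time
	}{
		{"forexample.com.au", day(2017, 5, 1)},
		{"newname.net.au", day(2019, 1, 15)},
		{"shop.example.com.au", day(2016, 1, 1)},
	}
	for _, p := range portfolio {
		if c, ok := Classify(p.name, p.reg); ok {
			fmt.Printf("%s -> %s (priority category %d)\n", c.Existing, c.DirectAU, c.Category)
		} else {
			fmt.Printf("%s -> not an exact-match candidate\n", p.name)
		}
	}
}
```

The longest-suffix match matters because several listed zones nest (edu.au under nsw.edu.au under schools.nsw.edu.au); picking the longest one keeps the derived label to the single front label the exact-match rule is about.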

The registry indicates that more information will be published in the coming weeks; we will keep you informed.

The new .AU licensing rules may also come into effect in the fourth quarter of 2019 (for all extensions: .au, .com.au, .net.au, .org.au, .asn.au, .id.au).

Lastly, note that general availability will allow registration by individuals and companies that meet the Australian registry’s conditions (local presence in Australia).

For any questions, Nameshield’s teams are at your disposal.

Does the GDPR negatively affect enforcement efforts?

Image source: mohamed_hassan via Pixabay

The General Data Protection Regulation (GDPR) has without a doubt had a negative impact on enforcement efforts, according to participants at the INTA (International Trademark Association) 2019 annual meeting in Boston.

Margaret Lia Milam, domain name strategy and management lead at Facebook warned that the platform’s scale makes it a “huge target for bad actors”.

Milam stated that because the site is working at such a scale, it cannot turn to lawyers for the “thousands” of requests it receives.

Statton Hammock of MarkMonitor said that MarkMonitor had suffered a loss of efficiency of 12% due to the GDPR. His team has “historically used WHOIS to protect IP rights” but because of the GDPR, all the data they have cached “become less and less useful with each passing day”.

Alex Deacon, founder of Cole Valley Consulting, echoed Milam’s and Hammock’s comments, warning that the Spamhaus Project, an international organization that tracks email spammers, is struggling to manage its blacklist because of the GDPR.

Voice.com domain name sold for $30 million

Voice.com website

Block.one (EOS), the startup behind the EOS cryptocurrency, has acquired the voice.com domain name for $30 million.

This is how the Chief Marketing Officer of MicroStrategy explains this high-priced acquisition: “Block.one has made a smart strategic decision in choosing Voice.com to be the internet domain name for its new social media platform. The word “voice” is simple and universally understood. It’s also ubiquitous ― as a search term […]. An ultra-premium domain name like Voice.com can help a company achieve instant brand recognition, ignite a business, and massively accelerate value creation”.

This places the sale among the top 5 biggest domain name sales:

  • Lasvegas.com: $90 million in 2005;
  • CarInsurance.com: $49.7 million in 2010;
  • Insurance.com: $35.6 million in 2010;
  • PrivateJet.com: $30.18 million in 2012;
  • Voice.com: $30 million in 2019.

After raising more than $4 billion through a cryptocurrency fundraising (ICO), the startup Block.one plans to use the domain name with the aim of competing with the social media platform Facebook.

The social media platform VOICE has been open since June 1st, 2019.

At a keynote, EOS’ CEO Brendan Blumer and Block.one’s CTO Dan Larimer presented VOICE as an absolute alternative to everything Facebook represents.

“Our content. Our data. Our attention. These are all incredibly valuable things. But right now, it’s the platform, not the user that reaps the reward. By design, they run by auctioning our information to advertisers, pocketing the profit, and flooding our feeds with hidden agendas dictated by the highest bidder. Voice changes that.”

To differentiate itself from Facebook, VOICE will operate on the following basis:

  • VOICE will run on the EOS blockchain, which is being upgraded to a faster version 2 for the occasion;
  • An anti-bot and anti-troll policy will be implemented, without further details on the technical approach;
  • The blockchain will be public;
  • The arbiter of what should be seen or not will not be an algorithm but the consensus;
  • Regarding security, a partnership with Yubico, maker of the YubiKey, was announced. EOS seems to be aiming for integration with WebAuthn, a passwordless authentication standard recently approved by the W3C.

In other words, EOS wants to propose a model opposite to Facebook’s: control by everyone of their own personal data and its possible monetization.

NBA: Phishing doesn’t spare sports institutions

Image source: mohamed_hassan via Pixabay

In a press release on May 10th, Pacers Sports & Entertainment (PSE), the organization that owns the NBA’s Indiana Pacers basketball team, revealed that it had been the victim of a sophisticated phishing attack at the end of 2018.

As a reminder, phishing is a technique used to obtain personal information in order to commit identity theft. It is a “social engineering” technique, i.e. one that exploits a “human flaw” rather than an IT flaw, by deceiving web users with an e-mail that appears to come from a trustworthy company, typically a bank or a commercial website.

Pacers Sports & Entertainment victim of a phishing attack

At the end of 2018, PSE was targeted by a phishing email campaign that resulted in unauthorized access to mailboxes containing personal information about a limited number of individuals.

This cyberattack affected a limited number of individuals, but the range of stolen information is significant: name, address, date of birth, passport number, driver’s license, state identification number, account number, credit/debit card number, digital signature, username and password and, for some individuals, the Social Security number.

The American company quickly took measures to secure the affected email accounts and investigated the incident with the assistance of forensic experts. The investigation revealed that the attackers had access to the accounts of a limited number of persons between October 15th and December 4th, 2018. The press release gives no details about the identity of the targeted persons.

PSE individually notified each victim whose information was stolen and states that “to date, PSE has no evidence of actual or attempted misuse of any personal information”. The organization offered the victims free access to credit monitoring and identity protection services.

Some simple rules against phishing

Phishing attacks are increasing. Above all, they are becoming more and more sophisticated and target every kind of industry. Each and every one of us must be extra vigilant.

Lastly, as a reminder, here are some simple rules to protect yourself against phishing attempts:

  • Do not reply when someone asks for your personal data by email;
  • Never open an attachment from an unknown sender, or from one who is not entirely trustworthy;
  • Check the links by hovering the cursor over them (without clicking) to ensure that they link to trustworthy websites;
  • Do not trust the name of the mail’s sender. If in any doubt, contact the sender through another channel.
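Two of the rules above (hover over the link, do not trust the sender name) can be turned into automated checks that a mail gateway or a user-education tool can run before a human ever sees the message. The example below is added for this page and is not part of the original article or of any Nameshield product. It compares the host named in the visible link text with the host the link actually points to, and the domain claimed in a From display name with the domain of the actual address; the messages are constructed and use reserved example domains.

```go
package main

import (
	"fmt"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// hostLike matches a bare hostname such as "bank.example" inside free text.
var hostLike = regexp.MustCompile(`(?i)\b[a-z0-9-]+(\.[a-z0-9-]+)+\b`)

// hostOf returns the lowercase host of an absolute URL, or "" for anything else.
func hostOf(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// LinkMismatch is the "hover over the link" rule as code: when the visible
// anchor text names a host, it must be the same host the href points to.
// shown/actual are the two hosts; mismatch is true only when both are known and differ.
func LinkMismatch(visibleText, href string) (shown, actual string, mismatch bool) {
	actual = hostOf(href)
	shown = hostOf(visibleText)
	if shown == "" {
		// The visible text may be a bare hostname without a scheme.
		if m := hostLike.FindString(visibleText); m != "" {
			shown = strings.ToLower(m)
		}
	}
	if shown == "" || actual == "" {
		return shown, actual, false // nothing to compare: not evidence either way
	}
	return shown, actual, shown != actual
}

// SenderMismatch is the "do not trust the sender name" rule as code: if the
// display name claims a domain (e.g. "Bank Support (bank.example)") but the
// address belongs to a different domain, report it. Subdomains of the claimed
// domain are accepted (mail.bank.example for bank.example).
func SenderMismatch(fromHeader string) (claimed, actual string, mismatch bool, err error) {
	addr, err := mail.ParseAddress(fromHeader)
	if err != nil {
		return "", "", false, err
	}
	at := strings.LastIndex(addr.Address, "@")
	actual = strings.ToLower(addr.Address[at+1:])
	claimed = strings.ToLower(hostLike.FindString(addr.Name))
	if claimed == "" {
		return "", actual, false, nil // display name claims nothing checkable
	}
	same := actual == claimed || strings.HasSuffix(actual, "."+claimed)
	return claimed, actual, !same, nil
}

func main() {
	// Constructed samples; the domains are reserved example names, not real senders.
	shown, actual, bad := LinkMismatch("https://bank.example/login", "http://bank-example.test/login")
	fmt.Printf("link text shows %q but points to %q: mismatch=%v\n", shown, actual, bad)

	claimed, from, bad, err := SenderMismatch(`"Bank Support (bank.example)" <notice@bank-example.test>`)
	fmt.Printf("sender claims %q but mails from %q: mismatch=%v err=%v\n", claimed, from, bad, err)
}
```

Both checks deliberately return "no evidence" rather than "safe" when the visible text names no host at all ("Click here"), since absence of a comparison is not a clean bill of health; a gateway would combine them with other signals rather than treat either as a verdict on its own.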

The Nameshield SSL interface has had a complete makeover


More user-friendly, more comprehensive, more attractive… our brand new and improved Nameshield SSL interface launches on Thursday, June 13th, allowing you to manage all of your certificates.

You now have access to key metrics on your certificate portfolio, to different certificate views (complete portfolio, detailed overview, certificates nearing expiry, pending orders, expired or revoked certificates), to an Organization and Contact management tool and to a redesigned ordering system.

Lastly, a decision support tool has been included in the interface to help you choose the certificate that’s right for your needs.

The certificate range has been updated to cover all types of certificates (SSL, RGS, Code Signing, individual certificates) at all levels of authentication.

The SSL team remains at your disposal for a demonstration and a complete user guide is available covering all possible operations and actions.

Contact us directly at certificates@nameshield.net.

Europe decides to apply sanctions to transboundary cybercriminals

Image source: GregMontani via Pixabay

On Friday May 17th, 2019, the Council of Ministers of the European Union presented the creation of a blacklist identifying the perpetrators of cybercrimes located outside the EU.

This is a new legal framework validated by the EU in an attempt to reduce the continuously growing number of cyberattacks. The EU will now be able to sanction individuals or entities involved in cyberattacks carried out from outside the EU.

With this measure, Europe seeks to protect its most critical infrastructures, such as electoral or health systems, from cybercriminals as far as possible, by ending the impunity that international hackers seemingly enjoyed.

Although there is no name on this list today, the situation could change soon.

Recently, the British Foreign Secretary, Jeremy Hunt declared that “for too long now, hostile actors have been threatening the EU’s security through disrupting critical infrastructure, attempting to undermine democracy and stealing commercial secrets and money running to billions of Euros. Hence, this decision was necessary.”

It is now very clear that cyberattacks carried out by nations against other nations or entities tend to multiply. It is important to note that these sanctions can be retroactive. To date, the sanctions themselves are not clearly defined: travel bans and asset freezes against those known to be responsible for these actions? Several options are currently being studied.

Cyberattack: G7 and France organize a cyberattack simulation in the finance industry

Image source: TheDigitalArtist via Pixabay

Faced with the upsurge and the continually increasing strength of cyberattacks, the members of the G7, the world’s major economic powers, will organize a cyberattack simulation exercise in the finance industry.

As holder of the G7 presidency, France will run this test, in which 24 financial authorities from the 7 G7 members will take part over 3 days.

It is no secret today that the banking sector is one of the most targeted by cybercriminals [according to IBM research, 19% of attacks target banking institutions].

Thus, for the first time, the G7 countries are organizing a cross-border cyberattack simulation in early June 2019. The test is organized by the Banque de France (the French central bank) and proposes the following scenario: malware is injected into a technical component widely used in the financial sector.

As Bruno Le Maire, the French Minister of Economy and Finance, put it, “cyber threats are the proof that we need more multilateralism and cooperation between our countries”.

Following this reasoning, the same exercise will be conducted at the same time in the other countries, which gives it a specific dimension. Other exercises of this kind have been run before, particularly by the Bank of England and the European Central Bank, but none of those tests was done simultaneously.

What results are sought from this joint exercise? Firmly establishing the risks of a cyberattack spreading like an epidemic, in order to enhance infrastructure security, ensure reactivity in the event of an attack and prevent wide contagion.

IoT: The Black swan time?
Image source: abudrian via Pixabay

Utilities and their providers are moving into the connected world, benefiting from innovations the rest of the world conveniently supplies. This would not be a problem if we did not live in an age where hacking a power plant has become possible.

In 2015 and 2016, hackers cut power to thousands of users in the middle of the Ukrainian winter. Since then, the American government has openly admitted that foreign powers try every day to take control of the control rooms of the United States energy grid. This matters because we are currently connecting decades-old infrastructure to an environment swimming with threats it was never designed to withstand.

Engineers have not always played well with computer scientists. The disciplines are different: different mindsets with different aims, different cultures and, of course, different technologies. Engineers plan for accidents and failures, while cybersecurity professionals plan for attacks. Each discipline has its own industry standards, and there are very few standards for the growing field of the Internet of Things (IoT), which is increasingly weaving its way into utility environments. Those two worlds are now colliding.

Much of the IT used in utilities infrastructure was previously isolated, operating without fear of hackers, with systems built for availability and convenience rather than security. Their creators did not consider how a user might have to authenticate to a network to prove they are a trusted actor. That might have been acceptable in the past, but now we have a landscape littered with outdated machines weighed down with insecure code that is unequipped for modern IT threats. Upgrading these systems and bolting security on afterwards will not solve all of these problems, and replacing them entirely would be too expensive, hard to envisage and almost utopian for many. Yet today it is a real problem to connect them to an environment exposed to threats and adversaries looking for the next easy target.

Today the world is becoming more and more connected, particularly through the Internet of Things (IoT): connected cars, baby monitors connected to a parent’s smartphone, doorbells telling homeowners who is at the door, connected fridges and washing machines… and utilities follow the trend, naturally wanting to be part of this evolution towards the increasing computerisation of physical objects.

Exciting as these innovations may sound, evidence of the IoT’s insecurity mounts every day. Whether it is hardcoded passwords, an inability to authenticate outward and inward connections, or an inability to update, there is little argument about their security: these products are often rushed to market without a thought for this important factor.

Enterprises and governments are seizing the IoT as a way to transform the way they do business, and utilities are doing the same. Large infrastructures will increasingly be made up of IoT endpoints and sensors – able to relay information to its operators and radically improve the overall function of utilities.

Unfortunately, in the rush to innovation, eager adopters often ignore the glaring security problems that shiny new inventions often bring with them. In an industrial or utilities environment the IoT means something that is similar at a descriptive level, but radically different in real-world impact. A connected doll is one thing, a connected power plant is another entirely!

The risks to utilities are real, and there are plenty of examples. Stuxnet, the virus which destroyed the Iranian nuclear program, is just one. The aforementioned attacks on the Ukrainian power grid are another. Furthermore, Western governments, including France, now admit that foreign actors attempt to hack their utilities on a daily basis.

But if this is such a big problem, you might ask, why hasn’t it happened more often? Why haven’t we heard about such potentially devastating attacks even more? The fact is that many organizations will not know they have already been hacked. Many go for weeks, months and often years without realizing that an attacker has been lurking within their systems. The Ponemon Institute has found that the average time between an organization being breached and the discovery of that fact is 191 days, more than half a year. This is especially true when one of those aged legacy systems has no way of telling what is anomalous. Others may simply hide their breach, as many organizations do: such attacks are often embarrassing, especially given the regulatory implications and public backlash that a cyberattack on a utility brings with it.

Furthermore, most attacks are often not catastrophic events. They are commonly attempts to gain data or access to a critical system. For most, that’s a valuable enough goal to pursue. Edging into the more destructive possibilities of such an attack would essentially be an act of war and not many cybercriminals want to earn the attention – or the ire – of a nation state.

The theory of the black swan, formulated by Nassim Nicholas Taleb (a situation that is hard to predict and seems wildly unlikely, but has apocalyptic implications), fits perfectly here. We don’t know when, how or if such an event might happen, but we had better start preparing for it. Even if the likelihood of such an event is small, the cost of waiting and not preparing for it will be much higher. The IoT market, particularly in the utilities sector, needs to start preparing for that black swan.

Public Key Infrastructure (PKI) using certificates will allow utilities to overcome many of these threats, providing unparalleled trust for an often hard-to-manage network. It is built on interoperable, standardized protocols that have protected web-connected systems for decades, and it offers the same for the IoT.

PKIs are highly scalable, making them a great fit for industrial environments and utilities. The manner in which many utilities will be seizing hold of the IoT is through the millions of sensors that will feed data back to operators and streamline day-to-day operations, making utilities more efficient. The sheer number of those connections and the richness of the data flowing through them make them hard to manage, hard to monitor and hard to secure.

A PKI ecosystem can secure the connections between devices, systems and the people who use them. The same goes for older systems designed for availability and convenience rather than for the possibility of attack. Users, devices and systems will also be able to authenticate each other mutually, ensuring that a trusted party stands behind each side of a transaction.

The data that is constantly travelling back and forth over those networks is encrypted under PKI using the latest cryptography. Attackers that want to steal that data will find that their ill-gotten gains are useless when they realize they can’t decrypt it.

Code signing further ensures the integrity of that data. When devices need to update over the air, code signing lets you know that the author of the update is who they say they are and that the code has not been tampered with since they wrote it. Secure boot will also prevent unauthorized code from loading when a device starts up. PKI will only allow secure, trusted code to run on a device, hamstringing hackers and ensuring the data integrity that utilities require.
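To make the code-signing argument concrete, here is an added example of the device-side check behind an over-the-air update: the vendor signs the image with a private key, the device holds only the matching public key as its trust anchor and refuses anything that does not verify. This is illustrative code written for this page, not DigiCert's, Nameshield's or any real device's firmware, and it uses a raw Ed25519 key pair rather than an X.509 certificate chain to keep the check readable. It goes one step beyond the paragraph by also signing the version number, so that a genuine but older image cannot be replayed onto a device (rollback); the firmware bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed over-the-air package: a firmware image, its version,
// and the vendor's signature over both. Signing the version together with the
// image lets the device refuse downgrades as well as tampered images.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// digest binds version and image contents into the bytes that get signed,
// so neither can be swapped independently of the other.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// NewVendorKey stands in for the vendor's key ceremony; in practice the private
// key lives in an HSM or signing service, never on the build host or the device.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is what the vendor's build pipeline runs with the private key.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, digest(version, image))}
}

// Accept is the device-side check before installing: the public key is pinned
// in the device (its trust anchor), so only code signed by the vendor passes,
// and a version that does not move forward is rejected.
func Accept(pub ed25519.PublicKey, installedVersion uint32, u Update) error {
	if !ed25519.Verify(pub, digest(u.Version, u.Image), u.Signature) {
		return errors.New("signature invalid: image or version altered, or unknown signer")
	}
	if u.Version <= installedVersion {
		return fmt.Errorf("rollback refused: version %d is not newer than installed %d", u.Version, installedVersion)
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	image := []byte("constructed firmware image bytes") // stand-in for a real image

	good := Sign(priv, 2, image)
	fmt.Println("genuine update:", Accept(pub, 1, good)) // <nil>

	tampered := good
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff // flip one byte in transit
	fmt.Println("tampered image:", Accept(pub, 1, tampered))

	fmt.Println("old version:", Accept(pub, 2, good)) // same signed image, but no longer newer
}
```

Secure boot is the same verification applied at power-on instead of at download time: the bootloader holds the trust anchor and checks the signature over the image it is about to run, which is why the two mechanisms are usually deployed together.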

The possibilities of an attack on a utility can sometimes seem beyond the pale. Just a few years ago a hack on a power grid seemed almost impossible. Today, news of IoT vulnerabilities regularly fills headlines around the world. The full destructive implications of this new situation have yet to be fully realized, but just because all we see are white swans, it doesn’t mean a black one isn’t on its way.

Users will soon start demanding these security provisions from companies. The Federal Energy Regulatory Commission (FERC) has recently fined a utility company found guilty of 127 different security violations $10 million. The company wasn’t named, but pressure groups have recently mounted a campaign, filing a petition with FERC to publicly name and shame it. Moreover, with the advent of the General Data Protection Regulation and the NIS directive last year, utilities now have to look a lot closer at the way they protect their data. All over the world, governments are looking at how to secure the IoT, especially when it comes to the physical safety risks involved. Utilities security matters because utilities hold a critical role in the functioning of society. It is just as important that they be dragged into the 21st century as it is that they are protected from it. PKIs can offer a way to do just that.

Mike Ahmadi, DigiCert VP of Industrial IoT Security, works closely with automotive, industrial control and healthcare industry standards bodies, leading device manufacturers and enterprises to advance cybersecurity best practices and solutions to protecting against evolving threats.

This article, based on a publication by Mike Ahmadi, comes from an article on the Intersec website.