March 2, 2020
David Redekop

This Week In Nerd News – March 2, 2020

Your weekly top 5 technical and security issues you should pay attention to:

Firefox now defaults to DNS-over-HTTPS (DoH) in the US for new installs.

Huge implications, including an unintentional user *bypass* of every security layer in companies that rely on DNS-based filtering: Firefox's own lookups no longer go through the network resolver that enforces the policy.

Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users. The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users.

Read More: Firefox continues push to bring DNS over HTTPS by default for US users
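
A defender-side check for the item above, added here as an illustration and not code from the original post or from Mozilla. Before enabling DoH by default, Firefox asks the system resolver for the canary domain use-application-dns.net; an NXDOMAIN answer, or NOERROR with no A/AAAA records, tells Firefox to leave DoH off, while a normal answer lets the default stand. The function names and the constructed answers in the script are this example's own.

```python
"""Does this network tell Firefox to keep DNS-over-HTTPS off?

Mozilla's canary rule: Firefox resolves use-application-dns.net through
the OS resolver. NXDOMAIN, or NOERROR with no A/AAAA records, disables
the DoH default. Any other answer leaves DoH on, and Firefox lookups then
pass by a filtering resolver unseen.
"""
import socket
from typing import Callable, List, Optional, Tuple

CANARY_DOMAIN = "use-application-dns.net"

# (rcode, address records) as a resolver would answer the canary query.
CanaryAnswer = Tuple[str, List[str]]


def doh_disabled_by_canary(answer: CanaryAnswer) -> bool:
    """True when the answer matches the disable signal:
    NXDOMAIN, or NOERROR carrying no A/AAAA records."""
    rcode, records = answer
    if rcode == "NXDOMAIN":
        return True
    return rcode == "NOERROR" and len(records) == 0


def _getaddrinfo_addresses(name: str) -> List[str]:
    """Resolve name with the OS resolver; raises OSError on failure."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0] for info in infos})


def system_canary_answer(
    lookup: Optional[Callable[[str], List[str]]] = None,
) -> CanaryAnswer:
    """Query the canary through the OS resolver (or an injected lookup).
    getaddrinfo does not expose the DNS rcode, so any negative answer is
    reported as NXDOMAIN; that is the same decision Firefox reaches."""
    lookup = lookup or _getaddrinfo_addresses
    try:
        return ("NOERROR", lookup(CANARY_DOMAIN))
    except OSError:  # socket.gaierror is an OSError subclass
        return ("NXDOMAIN", [])


def report(answer: CanaryAnswer) -> str:
    """One-line verdict for an operator running the check on a client."""
    if doh_disabled_by_canary(answer):
        return "DoH default off: Firefox lookups still reach the filtering resolver"
    return "DoH default on: Firefox lookups bypass DNS-based filtering"


if __name__ == "__main__":
    print(report(system_canary_answer()))
```

The canary only governs the default: a user who switches DoH on explicitly in Firefox settings is not affected by it, so a filtering resolver needs the Firefox `DNSOverHTTPS` enterprise policy as well to keep DoH off on managed machines.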

Sophos privatized (now completed) by Thoma Bravo.

A $3.8 billion acquisition.

Today, following the completion of the take-private acquisition by Thoma Bravo, Sophos begins an exciting new chapter of continued growth, success, and industry leadership. As a private company, Sophos intends to further accelerate our mission to protect people from cybercrime by developing powerful and intuitive products and services that provide the world’s most effective cybersecurity for organizations of any size.

Read More: Sophos opens new chapter with take-private acquisition

Apple uses its industry weight to shift the security certificate industry.

Certificate lifetimes are capped at one year. Likely just the beginning of more momentum in this direction.

Barely noticed by web users, the life expectancy of SSL/TLS leaf certificates has lowered dramatically over the last decade.

Used as the foundation of HTTPS authentication, just over a decade ago domain registrars were selling SSL/TLS certificates that were valid for between 8 and 10 years.

In 2011, a new body called the Certification Authority Browser Forum (CA/Browser Forum), which included all the big browser makers, decided this was too long and imposed a limit of five years.

Then, in 2015 the time limit was dropped to three years, followed by a further drop in 2018 to only two years.

How low could this go?

Read More: SSL/TLS certificate validity chopped down to one year by Apple’s Safari

Even the RCMP uses ClearviewAI.

There has been a lot of attention and debate recently around the use of facial recognition technology by law enforcement in Canada. While the RCMP generally does not disclose specific tools and technologies used in the course of its investigations, in the interest of transparency, we can confirm that we recently started to use and explore Clearview AI’s facial recognition technology in a limited capacity.

The RCMP’s National Child Exploitation Crime Centre (NCECC) has been using and evaluating Clearview AI’s software for approximately four months for online child sexual exploitation investigations.

Read More: RCMP use of Facial Recognition Technology

Clearview AI has been breached.

On Wednesday, Clearview AI told the Daily Beast that an intruder had “gained unauthorized access to its list” of customers. “Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed,” Ekeland told the Daily Beast. “We patched the flaw, and continue to work to strengthen our security.”

Read More: Clearview’s Facial Recognition App Has Been Used By The Justice Department, ICE, Macy’s, Walmart, And The NBA

Did you know?

TLS 1.3 traffic now exceeds TLS 1.2 traffic at Cloudflare. This means a practical end to proxies and MITM (man-in-the-middle) boxes. Welcome to doing security right 🙂