The KRACK attacks are the work of my colleague Mathy Vanhoef. Vulnerabilities in the WPA2 protocol put wireless traffic at risk.
Even though KRACK affects local network traffic, I still chose to include it in the digest. As you can imagine, these attacks have a direct impact on all HTTP traffic. Another good reason to ensure that all traffic is sent over HTTPS.
The story of HTTP Public Key Pinning sure is a turbulent one. What started as a strong and powerful security measure, now ends as a deprecated feature.
HPKP allows a website to pin specific keys in the browser. HPKP prevents an attacker to use a legitimate but fraudulent certificate to impersonate your website. However, the potential to hurt yourself with this technology is quite large. So Chrome will stop supporting HPKP, and instead, double down on Certificate Transparency.
Certificate Transparency does not prevent the use of fraudulent certificates. Instead, it ensures that the certificate will be logged publicly. This enables you to detect the existence of the certificate and prevent abuse.
If you want to know more about these technologies, check out the upcoming Web Security Essentials course.
And to stay in the realm of HTTPS, I wanted to highlight two stories on Let’s Encrypt, the free and automated CA. Did you know that deploying Let’s Encrypt certificates in Google’s AppEngine is ridiculously easy? And soon, you will be able to automate the installation of Let’s Encrypt certificates in Apache as well.
A couple of months ago, we wrote about the first release candidate of the OWASP top 10 for 2017. Feedback on that edition was harsh and resulted in a change in project ownership. But now, the second release candidate is available, and you can leave your feedback.
Most noteworthy changes are:
- The removal of Cross-Site Request Forgery
- The removal of Unvalidated redirects
- The merging of two issues about authorization.
- The addition of Insecure deserialization
- The addition of dealing with XML External Entities
- The addition of insufficient logging/monitoring.
The final story is about multi-factor authentication. One of the most common weaknesses is the account recovery procedure. Often, a single token or code suffices to bypass the second authentication factor.
To avoid these problems, Google is now offering “strong authentication” for its accounts. Once enabled, multi-factor authentication will always be enforced. This article goes into a lot more depth on this new feature.
Here are two upcoming security courses for which only a limited number of seats is available:
On November 20-21, you can attend a new edition of the Web Security Essentials training course. The course will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today. Attending the course also means you get a free set of YubiKeys. More information and registration.
Until mid December, you can also join the free online Web Security Fundamentals course. The course takes you on a journey through the current web security landscape. It covers a majority of the issues in the OWASP top 10 and digs into their causes. More information.
As usual, you can find the full list of events on my speaking page.