News 12-30-2021

Latest News In TLS/SSL: 2021 Year in Review

DigiCert

In 2021, we brought you monthly roundups of the latest news about network and TLS/SSL security. Looking back on the year, we’ve now rounded up the biggest network and TLS security headlines of 2021. Furthermore, a team of DigiCert experts have made some forecasts for 2022 trends which you can read in this post.

TLS news

  • In September the number of web certificates in use surpassed 100 million for the first time. According to Netcraft, there were 100,323,811 valid certificates, an increase of 1.39% since August.
  • At the October CA/B Forum meeting, Apple announced new S/MIME profile requirements and a two-year lifetime on S/MIME certificates that will go into effect April 2022.
  • After Let’s Encrypt root certificate expired on Sept. 30, many websites experienced issues, including Fortinet, Shopify and Google Cloud Monitoring. Let’s Encrypt released a blog post to help users experiencing issues, but this example highlights the major impacts of a root certificate expiration.
  • The NSA warned organizations of a new risk in wildcard certificates named ALPACA. The NSA recommended that organizations inventory the current scope of wildcard certificates in use and, going forward, limit the use of wildcard certificates to avoid this type of attack.
  • Apple is depreciating TLS 1.0 and 1.1 in both iOS and macOS. Currently, TLS 1.0 and 1.1 are not supported in iOS 15 and macOS 12, but all support will be removed in the future.

Data security

Data breaches

Vulnerabilities

  • A new vulnerability in Java, the Log4j flaw, was discovered in December that could have "incalculable damage". Companies like Apple, Google and Microsoft have quickly pushed updates to deal with the flaw, which left unpatched could be used to take over computer servers.
  • The private key used for EU Digital COVID certificates was leaked in late October as forged certificates for Mickey Mouse, Sponge Bob and even Adolf Hitler were generated and recognized as valid. The EU is currently investigating the leak to contain it and prevent any future misuse.

Government regulation

  • The U.K. government introduced new legislation that would better protect consumer IoT devices from hackers and proposed heavy fines of up to £10m (or 4% of global turnover). The proposed requirements include banning universal default passwords, forcing firms to be transparent about how they are fixing security flaws and creating a reporting system for discovered vulnerabilities.
  • The U.S. Office of Management and Budget released a draft of the Federal Zero Trust Strategy, which will help move government agencies to a baseline of zero trust.
  • The U.S. Department of Defense announced that they will launch an office dedicated to zero trust to hasten the adoption of a zero-trust architecture. This comes in response to the 2020 SolarWinds attack and the May U.S. Executive Order on Improving the Nation’s Cybersecurity, which calls for government agencies to move towards a zero-trust architecture.
  • In September, U.S. President Joe Biden issued security guidance for companies to curb cyberattacks, especially following the recent hacks on U.S. companies.

Automation

Outages

  • Facebook, WhatsApp and Instagram were down for about six hours on Oct. 4 due to “an internal technical issue.” The issue took longer than usual to resolve because it affected the company’s internal systems, preventing employees from accessing the building and company networks. Facebook issued a statement apologizing and reassuring users that there was no evidence that user data was compromised as a result.

Quantum Computing

  • IBM announced a breakthrough in quantum computing: creating a quantum processor that can process information that a traditional computer cannot. The Eagle processor, as IBM calls it, can process 127 qubits, whereas a traditional computer can only process 100 qubits.

Malware

  • A former Microsoft security analyst claimed that OneDrive and Office365 have been hosting malware for years. A Microsoft spokesperson responded to the story, saying: "Abuse of cloud storage is an industry-wide issue and we're constantly working to reduce the use of Microsoft services to cause harm. We are investigating further improvements to prevent and rapidly respond to the types of abuse listed in this report."
  • A phishing campaign that targeted the aviation industry with malware had gone unnoticed for two years. Although the malware is not particularly advanced, it shows how small-scale attackers can manage to go under the radar for long periods of time without being detected.

Digital signatures

Internet of Things

  • Smart home device manufacturers such as Google, Apple, Samsung and Amazon have come together on an industry standard: Matter. In early November, Amazon announced support of Matter for Echo and Eero devices. The Matter standard would help ensure interoperability between different devices and ecosystems, but also needs to consider the security of those connections.
  • A report by DigitalEurope found that the Internet of Things is missing product legislation for cybersecurity and lacks monitoring throughout a product’s lifecycle. The researchers recommend that the EU Commission launch proposals for legislation as soon as possible.

We’ll continue to provide updates in 2022 about industry news and events. Meanwhile, click here to see the past series and click here to read our predictions for 2022. For the latest news about DigiCert, visit our newsroom.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

11-27-2024

6 actionable ways to secure the IIoT at every stage

Tracking the progress toward post-quantum cryptography

The state of PQC since the publication of FIPS 203, 204 and 205