March 2020 Security/Privacy Roundup

Just like last month, there were quite a few important things going on in the world of security and privacy, and I couldn’t find enough time to cover them all!

Of course, the biggest issue for just about everyone has been the almost-total shutdown of schools and work for millions of people in the US (me included!) and across the world. But while we’re all cooped up and social distancing, it’s worth a few minutes of your time to make sure you manage your digital health.

Security

WordPress Plugin Vulnerabilities

On the heels of the major WordPress vulnerabilities I talked about last month come a few more.

The vulnerable plugins discovered this month (that should be patched immediately) include:

  • Flexible Checkout Fields for Woocommerce
  • Async Javascript
  • Modern Events Calendar Lite
  • 10Web Map Builder for Google Maps

The specific vulnerabilities are described over on the Wordfence blog, but they all stem from cross-site scripting flaws that allow attackers to install malicious plugins or create admin accounts with elevated permissions.

Needless to say, these can really wreck your site if they are exploited, so if you have any vulnerable plugins, update now!

More information available here.

Safari

Apple dropped a pretty big bomb in late February (too late to make that roundup) when it announced that it would make the maximum lifetime of an SSL certificate 13 months (currently it’s 27 months).

This only affects certificates issued after September 1, 2020, not all certificates. This means that web admins will need to use shorter-duration certificates for Safari users to see the “secure” padlock in their browser address bar.

This should, in theory, lead to better security for Safari users, since a shorter certificate lifetime will reduce damage done by malicious sites using rogue certificates. This (small) security improvement will trickle down to other browsers too, since anyone who has a website that is accessed by iPhone users will need to make sure their certificates are less than a year old.
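If you manage a site and want to know whether a certificate falls under the new rule, the check is simple: was it issued after the cutoff date, and does its validity period exceed 13 months? The Python below is an added example written for this post (it is not Apple’s or any CA’s code). It works on the timestamp strings that Python’s own ssl.getpeercert() returns, and the sample dates are constructed; the live check_host() helper is an assumed convenience wrapper that needs network access, so it is not run here.

```python
import calendar
import socket
import ssl
from datetime import datetime, timezone

# Rule as described in the post: certificates issued after this date
# must not be valid for longer than 13 months. Both values are taken
# from the post, not from any official specification text.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_MONTHS = 13


def _add_months(dt, months):
    """Return dt moved forward by a number of calendar months, clamping the day."""
    month_index = dt.month - 1 + months
    year = dt.year + month_index // 12
    month = month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def _parse_cert_time(cert_time):
    """Parse the 'Mar  1 00:00:00 2020 GMT' format used by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def lifetime_days(not_before, not_after):
    """Total validity period of the certificate in whole days."""
    return (_parse_cert_time(not_after) - _parse_cert_time(not_before)).days


def accepted_by_rule(not_before, not_after):
    """True if the certificate's lifetime is fine under the 13-month rule.

    Certificates issued before the cutoff are not affected at all;
    later ones must expire no more than MAX_MONTHS after issuance.
    """
    start = _parse_cert_time(not_before)
    end = _parse_cert_time(not_after)
    if start < CUTOFF:
        return True
    return end <= _add_months(start, MAX_MONTHS)


def check_host(hostname, port=443):
    """Assumed helper (needs network): fetch a site's cert and apply the rule."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return {
        "notBefore": cert["notBefore"],
        "notAfter": cert["notAfter"],
        "lifetime_days": lifetime_days(cert["notBefore"], cert["notAfter"]),
        "accepted": accepted_by_rule(cert["notBefore"], cert["notAfter"]),
    }


if __name__ == "__main__":
    # Constructed sample dates, not real certificates.
    samples = [
        ("Jan  1 00:00:00 2020 GMT", "Jan  1 00:00:00 2022 GMT"),  # old 2-year cert
        ("Oct  1 00:00:00 2020 GMT", "Dec  1 00:00:00 2021 GMT"),  # 14 months, too long
        ("Oct  1 00:00:00 2020 GMT", "Nov  1 00:00:00 2021 GMT"),  # exactly 13 months
    ]
    for nb, na in samples:
        print(nb, "->", na, lifetime_days(nb, na), "days, accepted:", accepted_by_rule(nb, na))
```

The month arithmetic is done on calendar months rather than a fixed day count so that it matches the way the rule is stated in the post; a certificate issued on the 31st of a month is clamped to the last day of the target month rather than spilling into the next one.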

More details available here.

Privacy

Firefox

Another thing that arrived in late February/early March – Mozilla’s Firefox browser will enable DNS-over-HTTPS by default for users in the US.

As I discussed in a previous blog entry, DNS-over-HTTPS allows web browsers to look up websites over an encrypted HTTPS connection rather than in plain text (the current default). According to Mozilla, this will help “hide your browsing history from attackers on the network” and “[help] prevent data collection by third parties on the network that ties your computer to websites you visit.”
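To make concrete what “looking up websites over HTTPS” means on the wire: a DNS-over-HTTPS client builds exactly the same binary DNS message it would have sent in a plaintext UDP packet, then carries it inside an HTTPS request (as the dns= query parameter of a GET, or as the body of a POST with content type application/dns-message). The Python below is an added example for this post, not Mozilla’s or Firefox’s code. The resolver URL https://doh.example/dns-query is a placeholder, the response bytes are constructed by hand (with a TEST-NET address), and send_doh_post() is an assumed helper that needs network access, so nothing here touches the network unless you call it.

```python
import base64
import struct
import urllib.request

RESOLVER_URL = "https://doh.example/dns-query"  # placeholder, not a real resolver


def build_query(name, qtype=1):
    """Encode a standard DNS query (default: A record) in wire format.

    ID is 0 and only the RD flag is set, which is what DoH clients
    typically send so that identical queries can be cached by the server.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url, message):
    """GET form: the raw message, base64url-encoded without padding, in ?dns=."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def send_doh_post(resolver_url, message):
    """POST form (assumed helper, needs network): body is the raw DNS message."""
    request = urllib.request.Request(
        resolver_url,
        data=message,
        method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read()


def _parse_name(msg, offset):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Extract the response code and answer records from a DNS message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = _parse_name(msg, offset)
        offset += 4                    # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _parse_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0xF, "answers": answers}


# Constructed sample response: the query's question section echoed back,
# followed by one A record (name compressed as a pointer to offset 12,
# TTL 300, address 192.0.2.1 from the TEST-NET-1 documentation range).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("example.com")[12:]
    + b"\xc0\x0c"
    + struct.pack("!HHIH", 1, 1, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    query = build_query("example.com")
    print("GET URL:", doh_get_url(RESOLVER_URL, query))
    print("Parsed sample response:", parse_response(SAMPLE_RESPONSE))
```

The point to notice is that the only thing that changed versus classic DNS is the transport: the bytes built by build_query() are identical either way, so anyone watching the network sees the destination resolver and an encrypted TLS stream, but not which names were asked for.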

Since basically all ISPs lobbied against this feature (likely because it prevents ISPs from seeing (and reselling) your browsing history), I’m incredibly happy to see Mozilla implement it.

Read the full announcement here. And if you’re still using Google Chrome, maybe consider switching to a different browser.

Microsoft

While I know Microsoft has had a tough month, I think it’s fair to say that users of Microsoft products (especially those that lost data) have had it worse.

One bright spot in Windows 10 over the past few months was the move of Microsoft Edge to a Chromium-based web browser. This means that Edge can now use the vast array of Google Chrome plugins, making it much more likely that users can configure the Windows default browser to suit their needs.

Unfortunately, it looks like Microsoft has taken a good base (Chromium) and added some “features” that may make it less suitable for users who value privacy.

A research paper published by Trinity College Dublin rated the privacy provided by several major browsers, and ranked Microsoft’s Edge browser at the bottom, alongside the Russian Yandex browser.

The whole paper is interesting, but if you’re interested in browser privacy at all, at least read the conclusion (page 14) to see how all the major browsers stacked up.

Read the whole report.