Apple deprecates SHA-1 certificates in iOS 13 and macOS Catalina


More than two years after Google, Firefox, and Microsoft took steps to deprecate TLS/SSL certificates signed with the SHA-1 algorithm, Apple has finally announced a similar measure this week.

In a support page published last night, the Cupertino OS maker said that starting with iOS 13 and macOS 10.15 (Catalina), the two operating systems won’t support HTTPS traffic that uses TLS certificates signed with the SHA-1 algorithm.

“TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm,” the company said. “SHA-1 signed certificates are no longer trusted for TLS.”

All HTTPS traffic — from apps and the Safari browser — must now use a TLS certificate signed with a hash algorithm from the SHA-2 family, Apple said.

Took a while…

Apple was the last major browser maker that was still supporting TLS/SHA-1 certificates. Google removed SHA-1 support from Chrome with the release of Chrome 56, at the end of January 2017; Firefox removed SHA-1 support in Firefox 51, also released at the end of January 2017; and Microsoft dropped support for SHA-1 in Edge and Internet Explorer in mid-2017.

Browser makers abandoned SHA-1 after a team of academics broke the SHA-1 hashing function in February 2016. Their research showed that it was possible, albeit at high costs, to create two files with identical SHA-1 hashes, allowing for file forgeries.

Creating SHA-1 collisions is currently extremely expensive, but the cost of launching an SHA-1 attack is expected to go down in the coming years.

Besides dropping SHA-1-signed TLS certificates, Apple also announced other minimum requirements for TLS communications:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
  • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID. [for TLS server certificates issued after July 1, 2019]
  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate). [for TLS server certificates issued after July 1, 2019]
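As an added example (not Apple's or the article's own code), the Python check below, written against the pyca/cryptography library, tests a certificate for the five requirements listed above and builds two self-signed certificates as constructed sample input: a legacy one of the kind Apple now rejects and a compliant one. The host name www.example.test and the two certificates are assumptions made for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
SHA2_FAMILY = (hashes.SHA224, hashes.SHA256, hashes.SHA384, hashes.SHA512)


def _ext(cert, cls):  # extension value, or None when the certificate lacks it
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def apple_tls_violations(cert):
    """List the Apple iOS 13 / macOS 10.15 rules this certificate breaks ([] = passes)."""
    problems = []
    # 1. Signature hash must come from the SHA-2 family; SHA-1 is no longer trusted.
    if not isinstance(cert.signature_hash_algorithm, SHA2_FAMILY):
        problems.append("signature hash is not SHA-2")
    pub = cert.public_key()  # 2. RSA keys smaller than 2048 bits are rejected
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < 2048:
        problems.append(f"RSA key is {pub.key_size} bits (< 2048)")
    # 3. The host name must be a DNS entry in the SAN; the CommonName alone is ignored.
    san = _ext(cert, x509.SubjectAlternativeName)
    if san is None or not san.get_values_for_type(x509.DNSName):
        problems.append("no DNS name in SubjectAltName")
    eku = _ext(cert, x509.ExtendedKeyUsage)  # 4. EKU must include id-kp-serverAuth
    if eku is None or ExtendedKeyUsageOID.SERVER_AUTH not in eku:
        problems.append("ExtendedKeyUsage lacks id-kp-serverAuth")
    # 5. NotAfter minus NotBefore must be 825 days or fewer.
    if (span := (cert.not_valid_after - cert.not_valid_before).days) > 825:
        problems.append(f"validity is {span} days (> 825)")
    return problems


def make_cert(bits, hash_alg, days, modern_extensions):
    """Build a self-signed test certificate (constructed sample, not a CA-issued one)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))
    if modern_extensions:  # SAN carrying the DNS name, plus EKU with serverAuth
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName("www.example.test")]), False)
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), False)
    return b.sign(key, hash_alg)


LEGACY_CERT = make_cert(1024, hashes.SHA1(), 1095, False)   # the kind Apple now rejects
MODERN_CERT = make_cert(2048, hashes.SHA256(), 398, True)   # satisfies every rule above
```

Running `apple_tls_violations` on a certificate pulled from a real server (for example via `ssl.get_server_certificate` and `x509.load_pem_x509_certificate`) gives the same per-rule report before the operating systems start refusing the connection.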


TikTok is confronting Holocaust misinformation, but antisemitism persists – TechCrunch

In honor of International Holocaust Remembrance Day, TikTok launched a portal on its Discover page this morning, intended to educate users about the historic catastrophe, as well as the ongoing threat of antisemitism. The platform also hosted a similar portal last year.

When users navigate to the Discover page on the TikTok mobile app, they will see a clickable banner acknowledging International Holocaust Remembrance Day. This directs them to a page with three educational TikToks from Jewish creators, including a 98-year-old Holocaust survivor who makes TikToks with the help of her great-grandson. Plus, from now on, when users search terms like “Holocaust” or “Holocaust survivor” on TikTok, they will see a banner prompting them to “consult trusted sources to prevent the spread of hate and misinformation,” directing them to visit a multilingual website about the Holocaust. In the coming months, TikTok will add a similar notice as a permanent banner on videos about the Holocaust. TikTok made these changes in collaboration with UNESCO and the World Jewish Congress, an organization that has been working with the platform since 2020.

This initiative directly addresses Holocaust denial, a false conspiracy theory that the Holocaust didn’t happen. But some Jewish TikTokers think that antisemitism on the platform is a larger, more complex issue that can’t be solved through a few pop-ups on Holocaust content.

A stylist with 74,000 followers, Liv Schreiber partnered with Jewish dating app The Lox Club on an advertisement in November. A week later, she posted a video showing a cascade of antisemitic comments she received each day since posting the video.

“I don’t understand why antisemitism is tolerated,” Schreiber said in her video. “I don’t understand why it doesn’t get taken down. This is non-negotiable, TikTok.” 

Conversations about antisemitism on TikTok swelled last April when one trend went viral, in which users would sing “If I Were a Rich Man” from the Jewish musical “Fiddler on the Roof” while using a filter that elongated their facial features, like their nose. For Jewish people on TikTok, this trend evoked a historic stereotype, where antisemitic caricatures depicted Jewish people with exaggerated noses, alongside other harmful antisemitic imagery.

As that trend percolated through TikTok, the platform tried to shine a positive light on the app’s Jewish creators through a tag called #MyJewishHeritage, which the app created to celebrate Jewish Heritage Month in May 2021. TikTok highlighted some posts about Judaism on the Discover page, but the creators who had their content promoted got no warning from TikTok. As a result, some Jewish creators were suddenly flooded with a barrage of antisemitic comments.

TikTok said that the creators featured on this year’s International Holocaust Remembrance Day portal were compensated for their work.

“The issue with TikTok antisemitism is you end up being harassed from all sides,” Ezra, a political TikToker with over 37,000 followers, told TechCrunch. “You have far-right accounts, troll accounts, unintentionally antisemitic accounts that don’t know better, and left-wing accounts that can’t differentiate between Jews and Israel. So cracking down on antisemitism is a multi-pronged issue.”

TikTok has publicly condemned antisemitism on its platform, but public gestures of solidarity like the launch of the new portal might ring hollow for users who have experienced harassment on the platform. It’s also unclear how much time TikTok spent on the effort because when TechCrunch first accessed the Holocaust Remembrance Day portal — several hours after its release at 3 AM ET — its link to report an antisemitic incident to the Anti-Defamation League didn’t work. A few hours later, the issue appeared to be fixed. TikTok has not yet responded to inquiries as to why it launched without a functioning link.

Stephanie Gurewitz (@shachar.mg), a grad student who posts about antisemitism on TikTok, was surprised to see that the International Holocaust Remembrance Day portal only addressed the impact of the Holocaust on Jewish people. Yom HaShoah, a separate day of remembrance, specifically observes the death of six million Jewish people in the Holocaust. But the Nazis also persecuted disabled, homosexual and Romani people, among other marginalized populations.

“This is International Holocaust Remembrance Day, rather than the remembrance day that’s specifically for Jewish people,” Gurewitz told TechCrunch. “Today’s about all victims of the Holocaust, and it doesn’t mention anything about Romani people. There are some things missing there, and that’s an issue.”

They mentioned that they’ve received antisemitic comments on their videos today, too.

“People come on TikTok with biases already, and I don’t think banners are enough to stop that,” they said.

Content moderation on a platform with one billion monthly active users is no easy task. But users regularly get around detection mechanisms through means that are obvious to any regular user — even when talking about something like sexuality, users might write “s3xuality” to avoid being wrongfully flagged as violating guidelines (adult content is a violation; talking about homosexuality, for example, is not). These same tactics are regularly applied by malicious users to send antisemitic messages, which TikTok fails to detect.

“I really am all about TikTok and other social media platforms doing what they can to bring attention to important causes […] When I see that [Holocaust Remembrance] portal, I think of all the meetings they had about it internally, and because of that, I’m grateful,” Schreiber told TechCrunch.


Messenger upgrades its end-to-end encrypted chat experience – TechCrunch

Although default end-to-end encryption won’t fully arrive on Facebook Messenger until sometime in 2023, the company says today its feature offering end-to-end encrypted group chats and calls in Messenger is now fully rolled out. In addition, Messenger is adding another security feature with the launch of screenshot notifications in end-to-end encrypted chats, similar to rival Snapchat, that will alert you if someone snaps a photo from Messenger’s disappearing messages. Users will also now be able to add GIFs, stickers, and reactions to their encrypted chats, too.

Support for end-to-end encrypted (E2EE) group chats and calls was first announced in August 2021, promising Messenger users a way to keep their personal conversations safe from criminals and nation-state surveillance. Many governments, however, have not necessarily been on board with the idea, saying that Messenger’s plans to expand its encryption efforts would complicate law enforcement’s ability to investigate crimes. But Meta has pushed back, noting that E2EE was already widely used by apps like WhatsApp and was becoming an industry standard.

E2EE for group calls and chats wasn’t fully launched at the time of last year’s announcement, though. Instead, Meta said it would first begin testing the feature for friends and family who already had an existing chat thread and were already connected. It also said it would begin a test for delivery controls that would work with E2EE chats, allowing users to prevent unwanted interactions by deciding who went to their chat list, who went to their message requests folder, and who couldn’t message them at all.

Now, months later, the feature is fully rolled out to Messenger users globally, who can choose to turn on E2EE for their private conversations.

Soon, Messenger will also warn users if someone screenshots a disappearing message in E2EE chats. This is the same feature that’s already offered in Messenger’s vanish mode — a feature that functions much like Snapchat, where messages will disappear after they’ve been seen. If someone takes a screenshot of a vanish mode chat — and now a disappearing message in E2EE chats, as well — you’ll receive a notification so you can address this with the other party, or even block or report the conversation if need be. The company says these notifications will roll out “over the next few weeks.”

Finally, E2EE chats will also gain access to other features that have been available to non-E2EE before, including GIFs, stickers, and reactions, as well as support for replies to a specific thread, typing indications, and forwarding options. Verified badges will also be available to E2EE chats to help you identify authentic accounts, when chatting. And users will be able to save media with a long-press and edit photos and videos before sending. These features are not new, but they’re new to end-to-end encrypted chats.

Meta says all the features are available on all platforms, including web and mobile, for all users. But the rollout is ongoing, so some people won’t see all of the features immediately.


U.S. consumers lost $770 million in social media scams in 2021, up 18x from 2017 – TechCrunch

A growing number of U.S. consumers are getting scammed on social media according to a new report by the Federal Trade Commission (FTC), which revealed that consumers lost $770 million to social media scams in 2021 — a figure that accounted for about one-fourth of all fraud losses for the year. That number has also increased 18 times from the $42 million in social media fraud reported in 2017, the FTC said, as new types of scams involving cryptocurrency and online shopping became more popular. This has also led to many younger consumers getting scammed, as now adults ages 18 to 39 reported fraud losses at a rate that’s 2.4x higher than adults 40 and over.

Scammers have clearly found that social media is one of the most profitable places to commit fraud. More than 95,000 fraud victims said they were first contacted on social media — more than double 2020’s number, and up 19x from 2017.

More than one in four individuals who reported losing money to fraud to the FTC last year said they first saw a post, message, or ad on social media which had prompted the scam. Excluding reports that didn’t indicate a contact method, social media scams accounted for 26% of the losses attributed to fraud in 2021 ($770 million), followed by websites and apps at 19% ($554 million), then phone calls at 18% ($546 million). The median individual losses, however, were highest with phone fraud at $1,110 compared with $468 for social media fraud.

Facebook and Instagram were where most of these social media scams took place, the data indicated.

In the case of online romance scams, more than a third of users reported the first outreach they had from the scammer was on Facebook or Instagram. Specifically, Facebook accounted for 23% and Instagram 13% of romance scams. These scams would begin with a seemingly innocent friend request, followed by sweet talk, then a request for money, the report explained.

Meanwhile, more than half (54%) of the investment scams in 2021 began with social media platforms, where scammers would promote bogus investment opportunities or connect with people directly to encourage them to invest. Instagram was popular with scammers here, accounting for 36% of investment scams, followed by Facebook at 28%, then messaging apps WhatsApp and Telegram at 9% and 7%, respectively.

A large majority of the investment scams now involve cryptocurrency, the report also found. In 2021, cryptocurrency was the method of payment in 64% of social media investment scams reported to the FTC. Payment apps and services were the payment methods used in 13% of cases, followed by bank transfers or bank payments in 9%.

Although romance and investment scams continued to account for the largest losses by dollar amounts, even reaching record highs, the scams with the largest number of reports to the FTC involve consumers trying to purchase something they first saw on social media. In most cases, people were trying to make a purchase of something they saw marketed on Facebook or Instagram.

In 2021, 45% of reports sent to the FTC over money lost in social media scams were related to online shopping. Nearly 70% of those involved people who placed an order, typically after seeing an ad on social media, but then never received the merchandise. Some also noted the ads would direct them to “lookalike” websites, designed to fool them into thinking they were purchasing from a real online retailer. Facebook and Instagram served as the platforms of choice for 9 out of 10 of these scams, the report noted.

The increase in online shopping scams isn’t just an issue for the consumers losing money — it’s detrimental to the overall e-commerce ecosystem and social media companies’ businesses. In recent years, Facebook and Instagram have invested heavily in making online shopping a core part of their services, promising to connect advertisers with targeted customers. The Meta-owned apps also now include their own “Shop” sections, where consumers can browse goods and check out directly — without having to exit to an external website. But if consumers become wary of the legitimacy of the online retailers featured on these platforms, they may hesitate to shop from social media in the future.

For Meta, a change in consumer shopping behavior would matter more today than in years past, as the company’s larger ad business has been impacted by Apple’s privacy changes on iOS which let consumers opt out of tracking. Anticipating the market shift that would result from this reduced ability to personalize ads, Meta has been diversifying its revenue by creating in-app shops where it can capture more first-party data based on consumer shopping inside its own platform. It’s also tapping into new revenue streams from the creator economy, like subscriptions and tipping.

The FTC said that investment, romance, and e-commerce scams, combined, accounted for 70% of social media scams in 2021, but there were other types of fraud also associated with social platforms. The report did not break these down by category, however.
