Google kick-started it and Mozilla has smoothly implemented it:
An algorithm we’ve depended on for most of the life of the Internet — SHA-1 — is aging, due to both mathematical and technological advances. Digital signatures incorporating the SHA-1 algorithm may soon be forgeable by sufficiently-motivated and resourceful entities.
Via our and others’ work in the CA/Browser Forum, following our deprecation plan announced last year and per recommendations by NIST, issuance of SHA-1 certificates mostly halted for the web last January, with new certificates moving to more secure algorithms. Since May 2016, the use of SHA-1 on the web fell from 3.5% to 0.8% as measured by Firefox Telemetry.
In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.
Related notes: WordPress now supports Let’s Encrypt (free SSL certs for your blog), as does Squarespace; Danish government entities running email servers now have to implement STARTTLS and DANE for their SMTP servers. An unprecedented look at SSL implementation in North Korea. Reversing direction, neverssl.com pledges to stay available over plain HTTP in order to provide a default URL for Wi-Fi captive portals. And finally in our SSL/TLS round-up, draft 17 and draft 18 of TLS 1.3 have been published.
Oh those fun Germans!
When they crash, self-driving Mercedes will be programmed to save the driver, and not the person or people they hit. That’s the design decision behind Mercedes-Benz’s future Level 4 and Level 5 autonomous cars, according to the company’s manager of driverless car safety, Christoph von Hugo. Instead of worrying about troublesome details like ethics, Mercedes will just program its cars to save the driver and the car’s occupants, in every situation.
One of the biggest debates about driverless cars concerns the moral choices made when programming a car’s algorithms. Say the car is spinning out of control, and on course to hit a crowd queuing at a bus stop. It can correct its course, but in doing so, it’ll kill a cyclist for sure. What does it do? Mercedes’s answer to this take on the classic Trolley Problem is to hit whichever one is least likely to hurt the people inside its cars. If that means taking out a crowd of kids waiting for the bus, then so be it…
A reminder: it’s always about the money…
DDoS — distributed denial of service — is an unsophisticated form of attack that overwhelms sites with spam traffic so legitimate users can’t get through. DDoS is a war of economics: whoever has the most computing power, defender or attacker, usually wins.
This makes DDoS a useful tool for censorship of small and mid-level publishers, but major sites usually have defenses in place and aren’t susceptible to these attacks. However, Friday wasn’t business as usual. The series of attacks that took out Dyn, the DNS service that provides the backbone of many major sites, were powered in part by a botnet of hacked DVRs and webcams known as Mirai. Mirai first emerged several weeks ago during a DDoS against Brian Krebs, a cybersecurity journalist who runs his own publication KrebsOnSecurity.com.
The DDoS attack on Krebs, the scramble for protection that followed, and Friday’s massive attack mark a new chapter in DDoS. More and more websites are being forced to seek shelter behind a shrinking number of powerful DDoS protection providers. But that centralization means that, as potent botnets like Mirai become stronger, larger sections of the internet can be knocked offline during attacks.
Mirai is irritating for the American internet users who couldn’t access their favorite websites Friday, and a thorn in the side of companies that are now forced to recall their easily hacked IoT devices — but the botnet is also influencing the market for DDoS protection.