Are SSL Certificate Authorities being outsourced?

By Alan S. at August 14, 2010 06:07
Filed Under: General, Web / Software Development

MIGUEL HELFT: SAN FRANCISCO — Computer security researchers are raising alarms about vulnerabilities in some of the Web’s most secure corners: the banking, e-commerce and other sites that use encryption to communicate with their users.


Those sites, which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user’s Web browser that the sites are authentic. But as the number of such third-party “certificate authorities” has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say.


The power to appoint certificate authorities has been delegated by browser makers like Microsoft, Mozilla, Google and Apple to various companies, including Verizon. Those entities, in turn, have certified others, creating a proliferation of trusted “certificate authorities,” according to Internet security researchers.

 
According to the Electronic Frontier Foundation, more than 650 organizations can issue certificates that will be accepted by Microsoft’s Internet Explorer and Mozilla’s Firefox, the two most popular Web browsers. Some of these organizations are in countries like Russia and China, which are suspected to engage in widespread surveillance of their citizens.

 

It’s a disturbing trend, especially when bringing in China or Russia. In some cases, like GoDaddy, they seem to simply be a reseller for Verisign, as opposed to being their own issuing authority. A reseller situation is different from outsourcing. Resellers are given restricted access to only the art of selling the product. The distribution and overall ownership of that certificate remains with the owning company, like Verisign. Outsourcing, on the other hand, gives the contracted entity full access to manage, distribute, and record the public and private keys of all applicants.

 

It’s probably nothing to worry about in regard to you using big-name sites like BofA, American Express, or any other Fortune 500 companies that take that security extremely seriously. Plus, these sites are likely housed in the US, so even the transmission and storage of that information is at least on the home court.


Microsoft announces three critical updates for Tuesday, June 8th

By Alan S. at June 06, 2010 09:03
Filed Under: Computers, General

This post is in relation to a story I received from eSecurity Planet. I know Microsoft usually releases their fixes on the Tuesday schedule, but for some reason Microsoft is making a bigger deal than usual about this patch release.

 

Microsoft notified IT security administrators this week that it plans to release ten patches, three of them rated "critical," on Tuesday.

 

That will likely mean a little more work to install and test June's Patch Tuesday fixes than last month, when Microsoft released only two critical patches. Microsoft releases most of its software patches on the second Tuesday of each month -- thus the term "Patch Tuesday."

 

The past two months have seen fewer fixes than usual. For instance, in April, Microsoft rolled out five fixes for a total of nine critical security vulnerabilities.


In February, however, Microsoft came close to breaking its all-time record of fixes in one Patch Tuesday release when it shipped 13 patches for 26 vulnerabilities. In that mammoth release, only five of the patches were rated "critical," which is Microsoft's highest severity rating.

 

In order to give IT administrators some warning of how much work they face when a new batch of patches comes out, Microsoft releases an advance notification on the Thursday before Patch Tuesday.

 

The three critical patches for June primarily affect Windows 2000, Windows XP, Windows Vista and Windows 7. However, one or more of them also critically affect some server versions of Windows, including Windows Server 2003 Service Pack 2 (SP2) and Windows Server 2008 SP2 for both 32-bit and 64-bit editions, according to the advance notification e-mail.


Most of the other patches, which range from "important" to "moderate" in severity, impact Microsoft Office XP, Office 2003 and Office 2007. The just-released Office 2010 is not listed as affected.
