12 votes

Finland launches data security guarantee label – certification symbol serves as a guarantee to consumers that a device's basic information security features are in order

2 comments

  1. anahata
    Link
    This certification is "based on" the ETSI EN 303 645 standard (of which I can only find drafts). I'm reading through this specification and some of it seems to be pretty basic, some of it is very...

    This certification is "based on" the ETSI EN 303 645 standard (of which I can only find drafts). I'm reading through this specification and some of it seems to be pretty basic, some of it is very vague and hard to enforce / interpret. The points are as follows:

    • No universal default passwords
    • Implement a means to manage reports of vulnerabilities
    • Keep software updated
    • Securely store sensitive security parameters
    • Communicate securely
    • Minimize exposed attack surfaces
    • Ensure software integrity
    • Ensure that personal data is protected
    • Make systems resilient to outages
    • Examine system telemetry data
    • Make it easy for consumers to delete personal data
    • Make installation and maintenance of devices easy
    • Validate input data

    These are defined in section 4 starting on page 12.

    They do mandate response windows for reports by researchers (90 days, which is on the upper end of what I'd call reasonable), but they don't mandate response windows for updates. They do mandate the OEM disclose what the support period is for a device (this is very valuable and rare for consumer devices!), but not what that support period is.

    They have reasonable policies around passwords and keys, mandating that they're either device-unique or otherwise not-default (no backdoors based on default passwords or keys). The policies for minimizing attack surfaces are valid (default deny and what you'd otherwise expect). Some of the wording here is a little vague, though.

    "Ensure software integrity" mandates secure booting, which may get in the way of flashing alternate ROMs if an exploit isn't found. Personal data protection is required for GDPR compliance. The outage resilience will be nice; sometimes you don't see this in consumer kit so it's great that it's required. The point about deleting personal data is also relevant for GDPR compliance. Examining telemetry data is very vaguely worded and will be hard to enforce. There's a requirement that the user should be informed about the telemetry data, if any, and IIRC this is for GDPR compliance as well.

    Validating input data is, as you probably know, one of the hardest parts of software development. The requirement is nice, but actually doing it is another matter.

    In sum, about as good of an effort as you can expect. Do read the specification yourself and make your own decision about it, though; don't just take my opinionated word for it. It's not a very long read.

    4 votes
  2. daychilde
    Link
    This is interesting if the program can be useful enough to actually detect problems, but it almost seems like they'd need access to the source code and a lot of time/labour to make it really worth...

    This is interesting if the program can be useful enough to actually detect problems, but it almost seems like they'd need access to the source code and a lot of time/labour to make it really worth it.

    I'm not down on this, mind, I'm just worried about a false sense of security when there's worries about foreign countries managing to get nefarious code and backdoors in code. I absolutely like the concept of this program, at the very least.

    3 votes