Articles about https


Phishing scum going legit to beat browser warnings

Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption. So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings …
Simon Sharwood, 19 May 2017

TCP/IP headers leak info about what you're watching on Netflix

An infosec educator from the United States Military Academy at West Point has taken a look at Netflix's HTTPS implementation, and reckons all he needs to know what programs you like is a bit of passive traffic capture. The problem, writes Michael Kranch (with collaborator Andrew Reed), is information in TCP/IP headers are …

Google slaps Symantec for sloppy certs, slow show of SNAFUs

Updated: Google's Chrome development team has posted a stinging criticism of Symantec's certificate-issuance practices, saying it has lost confidence in the company's practices and therefore in the safety of sessions hopefully-secured by Symantec-issued certificates. Google's post says “Since January 19, the Google Chrome team has been …
Simon Sharwood, 24 Mar 2017

Are you undermining your web security by checking on it with the wrong tools?

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent US-CERT advisory have warned. The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on …
Kieren McCarthy, 17 Mar 2017

Privacy concerns over gaps in eBay crypto

eBay uses HTTPS on its most critical pages, such as those where payment or address information is entered, but a lack of encryption on several sensitive pages still poses a concern for the privacy conscious. Many pages on the site, which require user input or contain their personal info, are not HTTPS encrypted, according to …
John Leyden, 22 Feb 2017

Google's Chrome is about to get rather in-your-face about HTTPS

Usenix Enigma 2017: Google and Firefox have been key drivers in the quest to get more people using HTTPS online, and starting this week the hammer is coming down. In a speech at Usenix Enigma 2017, Emily Schechter, a product manager for Chrome security, said that progress on HTTPS adoption was going well – currently over half of the top 100 …
Iain Thomson, 31 Jan 2017

On last day as president, Obama's CIO shrouds future .gov websites in secret code

On United States president Barack Obama's last day in office, the U.S. Chief Information Officer and the Federal CIO Council have announced a new rule that will see all future .gov websites shrouded in impenetrable secret codes. Sorry, alt.right readers, there's nothing sinister about it: the CIO has announced that its policy …
Simon Sharwood, 20 Jan 2017

Apple drops requirement for apps to use HTTPS by 2017

One of the initiatives Apple trumpeted at its 2016 WorldWide Developer Conference was a requirement for all iOS and OS X apps in its Store to adopt App Transport Security as of December 31st 2016. App Transport Security (ATS) arrived in iOS and OS X in 2015 and, in Apple's own words, “improves privacy and data integrity …
Simon Sharwood, 23 Dec 2016

How a chunk of the web disappeared this week: GlobalSign's global HTTPS snafu explained

GlobalSign has performed a postmortem examination on how, as one of the world's root certificate authorities, it managed to break a chunk of the web. The New Hampshire, US-based biz has to date sold 2.5 million SSL/TLS certificates to websites around the world. This week, it inadvertently smashed its own chain of trust: it …
Chris Williams, 15 Oct 2016

GlobalSign screw-up cancels top websites' HTTPS certificates

Final update: GlobalSign's efforts as a root certificate authority have gone TITSUP this afternoon – that's a total inability to support usual protocols. The result is that many websites big and small have had their HTTPS certificates incorrectly scrapped, meaning that for some people their browsers no longer trust websites and refuse or …

Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January

Starting New Year's Day, Google will begin labeling as "insecure" all websites that transmit passwords or ask for credit card details over plain text HTTP. If you use the ad giant's Chrome browser, and a lot of people do, in its 56th build and onwards any website that does not use a security certificate will feature a red …

How the HTTPS-snooping, email addy and SSN-raiding HEIST JavaScript code works

Black Hat: Malicious ads can potentially masquerade as people online and grab their personal information from HTTPS-protected websites, two boffins have shown. The technique is dubbed HEIST – HTTP Encrypted Information can be Stolen through TCP-Windows – and it was devised by Tom Van Goethem and Mathy Vanhoef, both PhD researchers at the …
Iain Thomson, 5 Aug 2016

Apple starts clock on HTTPS app rule

Apple says that iOS app developers will need to adopt HTTPS security before the year is out. Speaking in a session (iOS or Safari required) at Apple's Worldwide Developers Conference, head of security engineering and architecture Ivan Krstić announced that effective at the end of this calendar year, Apple will mandate the use …
Shaun Nichols, 15 Jun 2016

Hacked in a public space? Thanks, HTTPS

Have you ever bothered to look at who your browser trusts? The padlock of a HTTPS connection doesn't mean anything if you can't trust the other end of the connection and its upstream signatories. Do you trust CNNIC (China Internet Network Information Centre)? What about Turkistan trust or many other “who are they” type …
Stuart Burns, 20 May 2016

Juniper starts waving fixes for DROWN vuln

Juniper Networks has identified products it says are vulnerable to the DROWN attack. DROWN turned up at the end of February, and is a relic of enduring but pointless support for the long-deprecated SSLv2 protocol. The most prominent exposure to DROWN is in web sites that weren't configured to refuse attempts at SSLv2 …

Google adds worldwide HTTPS info to transparency report

Call it another shot in Crypto Wars 2: Google has launched a transparency report specifically to track the progress of the Internet's encryption efforts. The aim is in support of the general push to have encryption available everywhere. As the Chocolate Factory's security blog post explains, even within the Google universe …

Free HTTPS certs for all – Let's Encrypt opens doors to world+dog

How-to: The Let's Encrypt project has opened to the public, allowing anyone to obtain free TLS certificates and set up HTTPS websites in a few simple steps. It's a major leap forward in encrypting the world's web traffic, keeping people's information and browser histories out of the hands of eavesdroppers and other miscreants. …

Lazy IoT, router makers reuse skeleton keys over and over in thousands of devices – new study

It's what we all assumed, but quietly hoped wasn't quite this bad. Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned. In other words, if you can log into one gizmo remotely, you can probably log …
Shaun Nichols, 26 Nov 2015


Biting the hand that feeds IT © 1998–2017