Articles about https


Get the FTP outta here, says Firefox

Mozilla developers have decided to block requests for File Transfer Protocol (FTP) subresources inside web pages. A bug report and Intent to implement notice suggest the change will land in Firefox 61. The browser’s currently at version 59, with 61 due in May 2018. The change will permit access to FTP resources in hyperlinks …
Simon Sharwood, 11 Apr 2018

Leading by example: UK.gov's secure server setup is patchy at best

The security of UK government websites is inconsistent, and local authorities are among the worst offenders. Ministers have for years spoken about making the UK "one of the most secure places in the world to do business in cyberspace", one component of which is making government services available online. The government also …
John Leyden, 20 Mar 2018

Let's Encrypt updates certificate automation, adds splats

Let's Encrypt has updated its certificate automation support and added Wildcard Certificates to its system. Certificate automation replaces what are otherwise manual and ad hoc mechanisms to apply for an X.509 certificate, and for the applicant's admins to prove they manage the domain in the certificate. ACME is the …

23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours. This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are …
John Leyden, 1 Mar 2018

Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

The adoption of HTTPS among the top million sites continues to grow with 38.4 per cent offering secure web connections. A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points from 30.8 per cent over the last six months since …
John Leyden, 27 Feb 2018

From July, Chrome will name and shame insecure HTTP websites

Three years ago, Google's search engine began favoring in its results websites that use encrypted HTTPS connections. Sites that secure their content get a boost over websites that used plain-old boring insecure HTTP. In a "carrot and stick" model, that's the carrot: rewarding security with greater search visibility. Later …

Mozilla edict: 'Web-accessible' features need 'secure contexts'

Mozilla has decided to further lock down the Internet with the announcement that developers can only access new Firefox features from what it calls “secure contexts”. The decision means that sites wanting to fingerprint or snoop on users with web features will still be able to, but only over HTTPS. Outside snoops will …

FREE wildcard HTTPS certs from Let's Encrypt for every Reg reader*

Let's Encrypt plans to begin offering free wildcard certificates in January 2018, a move likely to make web security easier and a bit less costly for many organizations. Announced in 2014 as an effort to enhance and accelerate online security, the public benefit certificate authority (CA) has been issuing free X.509 (TLS/SSL) …

Phishing scum going legit to beat browser warnings

Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption. So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings …
Simon Sharwood, 19 May 2017

TCP/IP headers leak info about what you're watching on Netflix

An infosec educator from the United States Military Academy at West Point has taken a look at Netflix's HTTPS implementation, and reckons all he needs to know what programs you like is a bit of passive traffic capture. The problem, writes Michael Kranch (with collaborator Andrew Reed), is information in TCP/IP headers are …

Google slaps Symantec for sloppy certs, slow show of SNAFUs

Updated: Google's Chrome development team has posted a stinging criticism of Symantec's certificate-issuance practices, saying it has lost confidence in the company's practices and therefore in the safety of sessions hopefully-secured by Symantec-issued certificates. Google's post says “Since January 19, the Google Chrome team has been …
Simon Sharwood, 24 Mar 2017

Are you undermining your web security by checking on it with the wrong tools?

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent US-CERT advisory have warned. The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on …
Kieren McCarthy, 17 Mar 2017

Privacy concerns over gaps in eBay crypto

eBay uses HTTPS on its most critical pages, such as those where payment or address information is entered, but a lack of encryption on several sensitive pages still poses a concern for the privacy conscious. Many pages on the site, which require user input or contain their personal info, are not HTTPS encrypted, according to …
John Leyden, 22 Feb 2017

Google's Chrome is about to get rather in-your-face about HTTPS

Usenix Enigma 2017: Google and Firefox have been key drivers in the quest to get more people using HTTPS online, and starting this week the hammer is coming down. In a speech at Usenix Enigma 2017, Emily Schechter, a product manager for Chrome security, said that progress on HTTPS adoption was going well – currently over half of the top 100 …
Iain Thomson, 31 Jan 2017

On last day as president, Obama's CIO shrouds future .gov websites in secret code

On United States president Barack Obama's last day in office, the U.S. Chief Information Officer and the Federal CIO Council have announced a new rule that will see all future .gov websites shrouded in impenetrable secret codes. Sorry, alt.right readers, there's nothing sinister about it: the CIO has announced that its policy …
Simon Sharwood, 20 Jan 2017

Apple drops requirement for apps to use HTTPS by 2017

One of the initiatives Apple trumpeted at its 2016 WorldWide Developer Conference was a requirement for all iOS and OS X apps in its Store to adopt App Transport Security as of December 31st 2016. App Transport Security (ATS) arrived in iOS and OS X in 2015 and, in Apple's own words, “improves privacy and data integrity …
Simon Sharwood, 23 Dec 2016

How a chunk of the web disappeared this week: GlobalSign's global HTTPS snafu explained

GlobalSign has performed a postmortem examination on how, as one of the world's root certificate authorities, it managed to break a chunk of the web. The New Hampshire, US-based biz has to date sold 2.5 million SSL/TLS certificates to websites around the world. This week, it inadvertently smashed its own chain of trust: it …
Chris Williams, 15 Oct 2016

GlobalSign screw-up cancels top websites' HTTPS certificates

Final update: GlobalSign's efforts as a root certificate authority have gone TITSUP this afternoon – that's a total inability to support usual protocols. The result is that many websites big and small have had their HTTPS certificates incorrectly scrapped, meaning that for some people their browsers no longer trust websites and refuse or …


Biting the hand that feeds IT © 1998–2018