Articles about http


PayPal reminds users: TLS 1.2 and HTTP/1.1 are no longer optional

PayPal has reminded merchants that they must support TLS 1.2 and HTTP/1.1 by June 30. The reason? That's the date the PCI Council mandated for those standards to come into effect. In this notice, PayPal warns: “You will need to verify that your environment supports TLS 1.2 and HTTP/1.1 and if necessary make appropriate …

IETF protects privacy and helps net neutrality with DNS over HTTPS

The Internet Engineering Task Force has taken the first steps towards a better way of protecting users' DNS queries and incidentally made a useful contribution to making neutrality part of the 'net's infrastructure instead of the plaything of ISPs. The Register first noticed the technology in this article by Mark Nottingham ( …

SSL spy boxes on your network getting you down? But wait, here's an IETF draft to fix that

The Internet Engineering Task Force (IETF) has just put out a new draft for a standard that would enable folks to effectively bypass surveillance equipment on their networks to maintain secure connections. The working draft from three Cisco employees notes that so-called middleboxes – which intercept and decrypt connections – …

Ancient IETF 'teapot' gag preserved for posterity as a standard

The august and serious folk at the IETF have always had a soft spot for their April Fool's jokes, and so do others – so much that a proposal to deprecate a joke has met with successful resistance. From what feels like the Internet Dark Ages of the 1990s, was the Hyper Text Coffee Pot Control Protocol, a joking anticipation of …

Phishing scum going legit to beat browser warnings

Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption. So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings …
Simon Sharwood, 19 May 2017

Phew! Chrome to warn when you watch insecure smut

Google's efforts to make unsecured HTTP connections untenable will step up in October, when its Chrome browser starts to warn users that more web sites are insecure. October will see the advent of Chrome version 62, an update that will see the browser warn users that HTTP-only pages are insecure if they ask for any data entry …
Simon Sharwood, 28 Apr 2017

Google: There are three certainties in life – death, taxes and IPv6

CloudFlare Internet Summit: As internet engineer jokes go, Google's Ilya Grigorik came up with a good one. On stage to answer the question "what can we expect from the internet in 2020?", he offered: "As far as I can tell, by 2020, we will have flying cars, singularity... and IPv6." It's an amusing but pointed stab at the fundamental internet protocol …
Kieren McCarthy, 16 Sep 2016

Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January

Starting New Year's Day, Google will begin labeling as "insecure" all websites that transmit passwords or ask for credit card details over plain text HTTP. If you use the ad giant's Chrome browser, and a lot of people do, in its 56th build and onwards any website that does not use a security certificate will feature a red …

FalseCONNECT sends vendors scrambling to patch proxy MITM bug

For the many people that dislike corporate proxies, this probably won't be much of a surprise: a bunch of environments are vulnerable to man-in-the-middle attacks. “FalseCONNECT” is a combination of protocol bug and implementation error – which means it affects end users via operating systems, as well as network devices. The …

The web is DOOM'd: Average page now as big as id's DOS classic

The average web page is now roughly the same size as the full install image for the classic DOS game Doom, apparently. This is according to Ronan Cremin, a lead engineer with Afilias Technologies and dotMobi's representative for the W3C (World Wide Web Consortium). Cremin points to data from the HTTP Archive showing that, at …
Shaun Nichols, 22 Apr 2016

Now you can easily see if a site's HTTP headers are insecure, beams dev

A new coding tool aims to do the same for HTTP response headers as Qualys SSL Labs has done for secure server configurations. The securityheaders.io site allows users to scan to get a grade from A+ to F for response headers. The free service is primarily designed to allow sysadmins to test their own sites, much like the …
John Leyden, 26 Jan 2016

WordPress blogger patch foot-drag nag: You're tempting hackers

Misconfigured and unpatched WordPress sites are causing a rash of problems both to themselves and the wider internet. In fact, this ever-present internet security threat has flared up again over the last week because of several new issues. The most pressing problem involves a recent brute force amplification attack on …
John Leyden, 20 Oct 2015

NASA guy to White House: Be really careful with that HTTPS stuff

A webserver and database administrator at NASA has penned an epic plea on the White House's GitHub repository to include a waiver process as part of the HTTPS-Only project, which is intended to improve security for citizens visiting federal websites, but may interfere with niche services. Joe Hourclé has taken to GitHub to …

Sysadmins, patch now: HTTP 'pings of death' are spewing across web to kill Windows servers

The SANS Institute has warned Windows IIS web server admins to get patching as miscreants are now exploiting a flaw in the software to crash websites. The security bug (CVE-2015-1635) allows attackers to knock web servers offline by sending a simple HTTP request. Microsoft fixed this denial-of-service vulnerability on Tuesday …
Iain Thomson, 16 Apr 2015

Finally, Mozilla looks at moving away from 'insecure' HTTP. Maybe

Calls to finally move away from HTTP and on to HTTPS are, like grumbles to oust an aging dictator, finding themselves encouraged by the public square/echo chamber of Mozilla's developers' platform. Posting to the Mozilla dev platform, security engineer Richard Barnes said: "In recent months, there have been statements from …

HTTP/2 spec gets green light: Faster web or needless complexity?

The Internet Engineering Steering Group (IESG) has approved the specifications for HTTP/2 and HPACK (a compression format for HTTP/2 header fields), says working group chair Mark Nottingham. HTTP/2 is based on SPDY, a Google-developed protocol designed to speed up web page loading by compressing the content and reducing the …
Tim Anderson, 18 Feb 2015

Wanna be Facebook? It just open-sourced some of its web server code. Now to find 1bn users...

Facebook has rolled out another chunk of open-source code, this time a C++ HTTP stack called Proxygen, which includes a web server. Techies at the social network hope other developers will use the BSD-licensed software as the basis of their own web apps, and have included a bunch of “sensible defaults” to get people on their …

LinkedIn ignored SIX WARNINGS about account-hijacking bug

LinkedIn accounts can be hijacked through simple man-in-the-middle (MITM) attacks due to a failure to promptly fix an SSL stripping vulnerability. The flaw, described ambitiously as a zero-day vulnerability, allowed attackers to gain full control of a user's account after they had logged in via SSL. Attackers could jump between …
Darren Pauli, 20 Jun 2014


Biting the hand that feeds IT © 1998–2018