Articles about https

Google bod wants cookies to crumble and be remade into something more secure

A key member of the Google Chrome security team has proposed the death of cookies to be replaced with secure HTTP tokens. This week Mike West posted his "not-fully-baked" idea on GitHub and asked for comments. "This isn't a proposal that's well thought out, and stamped solidly with the Google Seal of Approval," he warns. "It's …
Kieren McCarthy, 15 Aug 2018

Insecure web still too prevalent: Boffins unveil HSTS wall of shame

How's that migration to "HTTPS everywhere" going? With some Chrome browsers* now flagging insecure sites, there's a lot of work still to do, according to security bods Troy Hunt and Scott Helme. …

Google Chrome: HTTPS or bust. Insecure HTTP D-Day is tomorrow, folks

Google Chrome users who visit unencrypted websites will be confronted with warnings from tomorrow. The changes will come for surfers using the latest version of Google Chrome, version 68. Any web page not running HTTPS with a valid TLS certificate will show a "Not secure" warning in the Chrome address bar from version 68 …
John Leyden, 23 Jul 2018

Google Chrome update to label HTTP-only sites insecure within WEEKS

A looming deadline – now less than three weeks away – means that Google Chrome users who visit unencrypted websites will be confronted with warnings. The changes will come for surfers once Chrome 68 stable …
John Leyden, 3 Jul 2018
Get the FTP outta here, says Firefox

Mozilla developers have decided to block requests for File Transfer Protocol (FTP) subresources inside web pages. A bug report and Intent to implement notice suggest the change will land in Firefox 61. The browser’s currently at version 59, with 61 due in May 2018. The change will permit access to FTP resources in hyperlinks …
Simon Sharwood, 11 Apr 2018

Leading by example: UK.gov's secure server setup is patchy at best

The security of UK government websites is inconsistent, and local authorities are among the worst offenders. Ministers have for years spoken about making the UK "one of the most secure places in the world to do business in cyberspace", one component of which is making government services available online. The government also …
John Leyden, 20 Mar 2018
Let's Encrypt updates certificate automation, adds splats

Let's Encrypt has updated its certificate automation support and added Wildcard Certificates to its system. Certificate automation replaces what are otherwise manual and ad hoc mechanisms to apply for an X.509 certificate, and for the applicant's admins to prove they manage the domain in the certificate. ACME is the …
23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours. This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are …
John Leyden, 1 Mar 2018

Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

The adoption of HTTPS among the top million sites continues to grow with 38.4 per cent offering secure web connections. A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points from 30.8 per cent over the last six months since …
John Leyden, 27 Feb 2018

From July, Chrome will name and shame insecure HTTP websites

Three years ago, Google's search engine began favoring in its results websites that use encrypted HTTPS connections. Sites that secure their content get a boost over websites that used plain-old boring insecure HTTP. In a "carrot and stick" model, that's the carrot: rewarding security with greater search visibility. Later …
Mozilla edict: 'Web-accessible' features need 'secure contexts'

Mozilla has decided to further lock down the Internet with the announcement that developers can only access new Firefox features from what it calls “secure contexts”. The decision means that sites wanting to fingerprint or snoop on users with web features will still be able to, but only over HTTPS. Outside snoops will …

FREE wildcard HTTPS certs from Let's Encrypt for every Reg reader*

Let's Encrypt plans to begin offering free wildcard certificates in January 2018, a move likely to make web security easier and a bit less costly for many organizations. Announced in 2014 as an effort to enhance and accelerate online security, the public benefit certificate authority (CA) has been issuing free X.509 (TLS/SSL) …
Phishing scum going legit to beat browser warnings

Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption. So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings …
Simon Sharwood, 19 May 2017

TCP/IP headers leak info about what you're watching on Netflix

An infosec educator from the United States Military Academy at West Point has taken a look at Netflix's HTTPS implementation, and reckons all he needs to know what programs you like is a bit of passive traffic capture. The problem, writes Michael Kranch (with collaborator Andrew Reed), is information in TCP/IP headers are …

Google slaps Symantec for sloppy certs, slow show of SNAFUs

Updated Google's Chrome development team has posted a stinging criticism of Symantec's certificate-issuance practices, saying it has lost confidence in the company's practices and therefore in the safety of sessions hopefully-secured by Symantec-issued certificates. Google's post says “Since January 19, the Google Chrome team has been …
Simon Sharwood, 24 Mar 2017

Are you undermining your web security by checking on it with the wrong tools?

Your antivirus and network protection efforts may actually be undermining network security, a new paper and subsequent US-CERT advisory have warned. The issue comes with the use of HTTPS interception middleboxes and network monitoring products. They are extremely common and are used to check that nothing untoward is going on …
Kieren McCarthy, 17 Mar 2017

Privacy concerns over gaps in eBay crypto

eBay uses HTTPS on its most critical pages, such as those where payment or address information is entered, but a lack of encryption on several sensitive pages still poses a concern for the privacy conscious. Many pages on the site, which require user input or contain their personal info, are not HTTPS encrypted, according to …
John Leyden, 22 Feb 2017
Google's Chrome is about to get rather in-your-face about HTTPS

Usenix Enigma 2017 Google and Firefox have been key drivers in the quest to get more people using HTTPS online, and starting this week the hammer is coming down. In a speech at Usenix Enigma 2017, Emily Schechter, a product manager for Chrome security, said that progress on HTTPS adoption was going well – currently over half of the top 100 …
Iain Thomson, 31 Jan 2017

Biting the hand that feeds IT © 1998–2018