Articles about https

HTTPS crypto-shame: TV Licensing website pulled offline

The UK's TV Licensing agency has taken its website offline "as a precaution" after being blasted for running transactional pages that were not sent over HTTPS. The publicly funded outfit had been criticised for inviting folk to submit sensitive data over unencrypted links. Just a few hours after proclaiming "we will soon …
John Leyden, 6 Sep 2018

Give yourselves a pat on the back, top million websites, half of you now use HTTPS

More than half (51.8 per cent) of the Alexa Top 1 Million sites are actively redirecting to HTTPS for the first time. The milestone was crossed during another strong six months moving towards a fully encrypted web, according to the latest stats from security researcher Scott Helme, published on Friday. Back in February, at …
John Leyden, 28 Aug 2018

If it doesn't need to be connected, don't: Nurse prescribes meds for sickly hospital infosec

BSides Manchester A children's nurse prescribed hospitals ways to improve their computer security at the BSides conference in Manchester, England, earlier this month. Jelena Milosevic developed an interest in cybersecurity over the past four years while working as an on-call nurse in several hospitals across the Netherlands, where she said …
John Leyden, 23 Aug 2018

Google bod wants cookies to crumble and be remade into something more secure

A key member of the Google Chrome security team has proposed the death of cookies to be replaced with secure HTTP tokens. This week Mike West posted his "not-fully-baked" idea on GitHub and asked for comments. "This isn't a proposal that's well thought out, and stamped solidly with the Google Seal of Approval," he warns. "It's …
Kieren McCarthy, 15 Aug 2018

Insecure web still too prevalent: Boffins unveil HSTS wall of shame

How's that migration to "HTTPS everywhere" going? With some Chrome browsers* now flagging insecure sites, there's a lot of work still to do, according to security bods Troy Hunt and Scott Helme. …

Google Chrome: HTTPS or bust. Insecure HTTP D-Day is tomorrow, folks

Google Chrome users who visit unencrypted websites will be confronted with warnings from tomorrow. The changes will come for surfers using the latest version of Google Chrome, version 68. Any web page not running HTTPS with a valid TLS certificate will show a "Not secure" warning in the Chrome address bar from version 68 …
John Leyden, 23 Jul 2018

Google Chrome update to label HTTP-only sites insecure within WEEKS

A looming deadline – now less than three weeks away – means that Google Chrome users who visit unencrypted websites will be confronted with warnings. The changes will come for surfers once Chrome 68 stable …
John Leyden, 3 Jul 2018

Get the FTP outta here, says Firefox

Mozilla developers have decided to block requests for File Transfer Protocol (FTP) subresources inside web pages. A bug report and Intent to implement notice suggest the change will land in Firefox 61. The browser’s currently at version 59, with 61 due in May 2018. The change will permit access to FTP resources in hyperlinks …
Simon Sharwood, 11 Apr 2018

Leading by example: UK.gov's secure server setup is patchy at best

The security of UK government websites is inconsistent, and local authorities are among the worst offenders. Ministers have for years spoken about making the UK "one of the most secure places in the world to do business in cyberspace", one component of which is making government services available online. The government also …
John Leyden, 20 Mar 2018

Let's Encrypt updates certificate automation, adds splats

Let's Encrypt has updated its certificate automation support and added Wildcard Certificates to its system. Certificate automation replaces what are otherwise manual and ad hoc mechanisms to apply for an X.509 certificate, and for the applicant's admins to prove they manage the domain in the certificate. ACME is the …

23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours. This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are …
John Leyden, 1 Mar 2018

Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

The adoption of HTTPS among the top million sites continues to grow, with 38.4 per cent offering secure web connections. A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points from 30.8 per cent over the last six months since …
John Leyden, 27 Feb 2018

From July, Chrome will name and shame insecure HTTP websites

Three years ago, Google's search engine began favoring in its results websites that use encrypted HTTPS connections. Sites that secure their content get a boost over websites that used plain-old boring insecure HTTP. In a "carrot and stick" model, that's the carrot: rewarding security with greater search visibility. Later …

Mozilla edict: 'Web-accessible' features need 'secure contexts'

Mozilla has decided to further lock down the Internet with the announcement that developers can only access new Firefox features from what it calls “secure contexts”. The decision means that sites wanting to fingerprint or snoop on users with web features will still be able to, but only over HTTPS. Outside snoops will …

FREE wildcard HTTPS certs from Let's Encrypt for every Reg reader*

Let's Encrypt plans to begin offering free wildcard certificates in January 2018, a move likely to make web security easier and a bit less costly for many organizations. Announced in 2014 as an effort to enhance and accelerate online security, the public benefit certificate authority (CA) has been issuing free X.509 (TLS/SSL) …

Phishing scum going legit to beat browser warnings

Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption. So says Netcraft, which has turned its web server probes onto phishing sites in the wake of Chrome 56 and Firefox 51 adding warnings …
Simon Sharwood, 19 May 2017
TCP/IP headers leak info about what you're watching on Netflix

An infosec educator from the United States Military Academy at West Point has taken a look at Netflix's HTTPS implementation, and reckons all he needs to know what programs you like is a bit of passive traffic capture. The problem, writes Michael Kranch (with collaborator Andrew Reed), is information in TCP/IP headers are …

Google slaps Symantec for sloppy certs, slow show of SNAFUs

Updated Google's Chrome development team has posted a stinging criticism of Symantec's certificate-issuance practices, saying it has lost confidence in the company's practices and therefore in the safety of sessions hopefully-secured by Symantec-issued certificates. Google's post says “Since January 19, the Google Chrome team has been …
Simon Sharwood, 24 Mar 2017
