Items tagged with HTTPS

Microsoft is having a "Do'h!" moment, though not in the bumbling, Homer Simpson sense. Quite the opposite, actually. In a blog post, Microsoft announced its Windows Core Networking team is working on improving user privacy by implementing DNS over HTTPS, or DoH for short, into a future build of Windows 10. From Microsoft's vantage point, supporting encrypted DNS queries in Windows 10 would essentially close one of the last remaining plain-text domain name transmissions in common web traffic. At the same time, Microsoft says providing encrypted DNS support will not be easy without breaking existing Windows device admin configurations. "With the decision made to build support for encrypted DNS,... Read more...
Judgement Day has arrived for site operators that haven't fully switched over to HTTPS. Google Chrome, the world's most popular web browser, has been updated to version 68. And with that upgrade, sites that still rely on plain HTTP will be marked as "Not Secure" within the browser. With Chrome 67 and earlier versions of Chrome, accessing a website that has fully embraced HTTPS will show a closed lock icon and the word "Secure" in green in the address bar. Visiting a site that still uses HTTP would show an "i" icon in the address bar. Clicking on the "i" would present the following prompt: "Your connection to this site is not secure". With Chrome 68, Google lays it all out for everyone... Read more...
At the behest of President Obama, Federal Chief Information Officer Tony Scott yesterday issued Memorandum M-15-13 calling for the provision of government service for all Federal websites via HTTPS (Hypertext Transfer Protocol Secure).  The HTTPS standard was described by the American Civil Liberties Union (ACLU) as a "great first step", this despite it being written off as a "top-down solution" by a database administrator for NASA.  Memorandum M-15-13 explicitly states that "All browsing activity should be considered private and sensitive." It also provides guidance to government agencies on transitioning to the HTTPS protocol, including the directive that all newly... Read more...
After taking heavy fire in a California court from plaintiffs who contend its Gmail data mining practices within Google Apps for Education are illegal, Google is changing its practices so that it’s not possible to scan those users’ emails for advertising purposes. Further, “We’ve permanently removed the “enable/disable” toggle for ads in the Apps for Education Administrator console,” wrote Google for Education’s Bram Bout. “This means ads in Apps for Education services are turned off and administrators no longer have the option or ability to turn ads in these services on.” In the post, Bout also defended Google for Education, noting... Read more...
Terrible news, everyone: There’s a coding error in the OpenSSL cryptographic software library that allows anyone with the right tools and a little know-how to access secret encryption keys, usernames, passwords, and even content on sites using OpenSSL for protection. That includes roughly two-thirds of the Internet’s web servers, according to Ars Technica. The problem with the so-called Heartbleed bug is that there’s a missing bounds check. “By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space,” wrote cryptographer Matthew Green in a blog post. “Since this is... Read more...
Security researcher Carlos Reventlov discovered a vulnerability in Instagram version 3.1.2 on the iPhone 4 (iOS 6) that leaves users’ Instagram accounts open to attacks. Specifically, users are at risk for partial eavesdropping and man-in-the-middle attacks that a ne’er-do-well could use to delete photos or even take over a user’s account and download private photos. Instagram’s login and profile data are sent via a secure HTTPS connection, but other requests are sent through plain ol’ HTTP that uses only an unencrypted cookie for authentication. If an attacker is connected to the same LAN as a given user’s iPhone, the game is on. “An attacker on the... Read more...