Items tagged with HTTPS

Judgement Day has arrived for site operators that haven't fully switched over to HTTPS. Google Chrome, the world's most popular web browser, has been updated to version 68. And with that upgrade, sites that still rely on plain HTTP will be marked as "Not Secure" within the browser. With Chrome 67 and earlier versions of Chrome, accessing a website that has fully embraced HTTPS will show a closed lock icon and the word "Secure" in green in the address bar. Visiting a site that still uses HTTP would show an "i" icon in the address bar. Clicking on the "i" would present the following prompt: "Your...
At the behest of President Obama, Federal Chief Information Officer Tony Scott yesterday issued Memorandum M-15-13 calling for all Federal websites to provide government services via HTTPS (Hypertext Transfer Protocol Secure). The American Civil Liberties Union (ACLU) described the HTTPS standard as a "great first step", even though a database administrator for NASA wrote it off as a "top-down solution". Memorandum M-15-13 explicitly states that "All browsing activity should be considered private and sensitive." It also provides guidance to...
After taking heavy fire in a California court from plaintiffs who contend its Gmail data mining practices within Google Apps for Education are illegal, Google is changing its practices so that it’s not possible to scan those users’ emails for advertising purposes. Further, “We’ve permanently removed the “enable/disable” toggle for ads in the Apps for Education Administrator console,” wrote Google for Education’s Bram Bout. “This means ads in Apps for Education services are turned off and administrators no longer have the option or ability to...
Terrible news, everyone: There’s a coding error in the OpenSSL cryptographic software library that allows anyone with the right tools and a little know-how to access secret encryption keys, usernames, passwords, and even content on sites using OpenSSL for protection. That includes roughly two-thirds of the Internet’s web servers, according to Ars Technica. The problem with the so-called Heartbleed bug is that there’s a missing bounds check. “By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its...
Security researcher Carlos Reventlov discovered a vulnerability in Instagram version 3.1.2 on the iPhone 4 (iOS 6) that leaves users’ Instagram accounts open to attacks. Specifically, users are at risk for partial eavesdropping and man-in-the-middle attacks that a ne’er-do-well could use to delete photos or even take over a user’s account and download private photos. Instagram’s login and profile data are sent via a secure HTTPS connection, but other requests are sent through plain ol’ HTTP that uses only an unencrypted cookie for authentication. If an attacker is...