Google details how it will overturn encryption signals in Chrome

Credit to Author: Gregg Keizer| Date: Mon, 21 May 2018 13:45:00 -0700

Google has further fleshed out plans to upend the historical approach browsers have taken to warn users of insecure websites, spelling out more gradual steps the company will take with Chrome this year.

Starting in September, Google will stop marking plain-vanilla HTTP sites – those not secured with a digital certificate, and which don’t encrypt traffic between browser and site servers – as secure in Chrome’s address bar. The following month, Chrome will tag HTTP pages with a red “Not Secure” marker when users enter any kind of data.

Eventually, Google will have Chrome label every HTTP website as, in its words, “affirmatively non-secure.” By doing so, Chrome will have completed a 180-degree turn from browsers’ original signage – marking secure HTTPS sites, usually with a padlock icon of some shade, to indicate encryption and a digital certificate – to labeling only those pages that are insecure.

Microsoft boosts anti-phishing skills of Chrome, the IE and Edge killer

Credit to Author: Gregg Keizer| Date: Mon, 23 Apr 2018 05:02:00 -0700

Microsoft has ceded a major asset of its Edge browser to rival Google by releasing an add-on that boosts Chrome’s phishing detection skills.

The Redmond, Wash. company had little choice, according to one analyst. “Phishing is a huge problem, and people are going to use the browser they use,” said Michael Cherry of Directions on Microsoft. “They’re doing this to protect the Windows ecosystem.”

Dubbed “Windows Defender Browser Protection” (WDBP), the free extension can be added to Chrome on Windows or macOS, and after a post-launch fix, Chrome OS as well. Like the defenses built into Edge, the add-on relies on Microsoft’s SmartScreen technology that warns users of potentially malicious websites that may try to download malware to the machine or of sites linked in email messages that lead to known phishing URLs.

Chrome 68 to condemn all unencrypted sites by summer

Credit to Author: Gregg Keizer| Date: Tue, 13 Feb 2018 03:10:00 -0800

Google has put a July deadline on a 2016 promise that its Chrome browser would tag all websites that don’t encrypt their traffic.

“Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as ‘not secure,’” wrote Emily Schechter, a Chrome security product manager, in a Feb. 8 post to a company blog.

Google has scheduled Chrome 68 to release in Stable form – analogous to production-level quality – during the week of July 22-28.

Starting then, Chrome will insert a “Not secure” label into the address bar of every website that uses HTTP connections between its servers and users. Sites that instead rely on HTTPS to encrypt the back-and-forth traffic will display their URLs normally in the address bar.

Browser makers build bulwarks to stump Spectre attacks

Credit to Author: Gregg Keizer| Date: Sat, 06 Jan 2018 12:58:00 -0800

Amid the panicked response this week to the news of significant, though not-yet-exploited, vulnerabilities in the vast bulk of the world’s microprocessors, it went almost unnoticed that most browser makers responded by updating their wares in the hope of fending off possible web-based attacks.

The Google-driven revelations – it was members of the search firm’s Project Zero security team who identified the multiple flaws in processors designed by Intel, AMD and ARM – were to go public next week, on Jan. 9, this month’s Patch Tuesday. At that time, a coordinated effort by multiple vendors, from OS developers to silicon makers, was to debut with patches to protect, as best could be done without replacing the CPU itself, systems against flaws grouped under the umbrella terms of Meltdown and Spectre. That plan went out the window when leaks started to circulate earlier this week.

Microsoft's anti-malware sniffing service powers Edge to top spot in browser blocking tests

Credit to Author: Gregg Keizer| Date: Sat, 14 Oct 2017 12:58:00 -0700

Microsoft’s Edge browser, the default in Windows 10, blocked a higher percentage of phishing and socially-engineered malware (SEM) attacks than Google’s Chrome and Mozilla’s Firefox, a Texas security testing firm said Friday.

According to NSS Labs of Austin, Tex., Edge automatically blocked 92% of all in-browser credential phishing attempts and stymied 100% of all SEM attacks. The latter encompassed a wide range of attacks, but their common characteristic was that they tried to trick users into downloading malicious code. The tactics that SEM attackers deploy include links from social media, such as Facebook and Twitter, and bogus in-browser notifications of computer infections or other problems.

Google squeezes Symantec until it certs

Credit to Author: Gregg Keizer| Date: Fri, 15 Sep 2017 11:41:00 -0700

Google has finalized a schedule that, over the next 12 months, will send companies scrambling to replace the digital certificates that secure their websites or risk being viewed with suspicion by users running Chrome, the world’s most popular browser.

“Companies are staring down the barrel of a boat load of work,” said David Anthony Mahdi, a research director at Gartner, and the industry research firm’s resident expert on digital certificates and the CAs (certificate authorities) that issue them. “This is massive.”

Beginning with Chrome 66, currently set to show up the third week of April next year, Google will “remove trust in Symantec-issued certificates issued prior to June 1, 2016,” wrote three members of the browser’s security team, in a post to a company blog. “If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome.”
