Chrome 68 to condemn all unencrypted sites by summer

Credit to Author: Gregg Keizer| Date: Tue, 13 Feb 2018 03:10:00 -0800

Google has put a July deadline on a 2016 promise that its Chrome browser would tag all websites that don’t encrypt their traffic.

“Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as ‘not secure,’” wrote Emily Schechter, a Chrome security product manager, in a Feb. 8 post to a company blog.

Google has scheduled Chrome 68 to release in Stable form – analogous to production-level quality – during the week of July 22-28.

Starting then, Chrome will insert a “Not secure” label into the address bar of every website that uses HTTP connections between its servers and users. Sites that instead rely on HTTPS to encrypt the back-and-forth traffic will display their URLs normally in the address bar.

Browser makers build bulwarks to stump Spectre attacks

Credit to Author: Gregg Keizer| Date: Sat, 06 Jan 2018 12:58:00 -0800

Amid the panicked response this week to the news of significant, though not-yet-exploited, vulnerabilities in the vast bulk of the world’s microprocessors, it went almost unnoticed that most browser makers responded by updating their wares in the hope of fending off possible web-based attacks.

The Google-driven revelations – it was members of the search firm’s Project Zero security team who identified the multiple flaws in processors designed by Intel, AMD and ARM – were to go public next week, on Jan. 9, this month’s Patch Tuesday. At that time, a coordinated effort by multiple vendors, from OS developers to silicon makers, was to debut with patches to protect, as best could be done without replacing the CPU itself, systems against flaws grouped under the umbrella terms of Meltdown and Spectre. That plan went out the window when leaks started to circulate earlier this week.

Microsoft's anti-malware sniffing service powers Edge to top spot in browser blocking tests

Credit to Author: Gregg Keizer| Date: Sat, 14 Oct 2017 12:58:00 -0700

Microsoft’s Edge browser, the default in Windows 10, blocked a higher percentage of phishing and socially-engineered malware (SEM) attacks than Google’s Chrome and Mozilla’s Firefox, a Texas security testing firm said Friday.

According to NSS Labs of Austin, Tex., Edge automatically blocked 92% of all in-browser credential phishing attempts and stymied 100% of all SEM attacks. The latter encompassed a wide range of attacks, but their common characteristic was that they tried to trick users into downloading malicious code. The tactics that SEM attackers deploy include links from social media, such as Facebook and Twitter, and bogus in-browser notifications of computer infections or other problems.

Google squeezes Symantec until it certs

Credit to Author: Gregg Keizer| Date: Fri, 15 Sep 2017 11:41:00 -0700

Google has finalized a schedule that, over the next 12 months, will send companies scrambling to replace the digital certificates that secure their websites or risk being viewed with suspicion by users running Chrome, the world’s most popular browser.

“Companies are staring down the barrel of a boat load of work,” said David Anthony Mahdi, a research director at Gartner, and the industry research firm’s resident expert on digital certificates and the CAs (certificate authorities) that issue them. “This is massive.”

Beginning with Chrome 66, currently set to show up the third week of April next year, Google will “remove trust in Symantec-issued certificates issued prior to June 1, 2016,” wrote three members of the browser’s security team, in a post to a company blog. “If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome.”

3 important things to know about the Equifax data breach

Credit to Author: John Brandon| Date: Fri, 08 Sep 2017 11:14:00 -0700

Verifying and testing that Firefox is restricted to TLS 1.2

Credit to Author: Michael Horowitz| Date: Sun, 16 Jul 2017 12:56:00 -0700

TLS is the protocol invoked under the covers when viewing secure websites (those loaded with HTTPS rather than HTTP). There are multiple versions of the TLS protocol, and the most recent version, 1.2, is the most secure. Last time, I discussed tweaking Firefox so that it only supports TLS version 1.2 and not the older versions (1.0 and 1.1) of the protocol.

But that begs the question: what happens when a security-reinforced copy of Firefox encounters a website that does not support TLS 1.2? The answer is shown below.
