Google details how it will overturn encryption signals in Chrome

Credit to Author: Gregg Keizer| Date: Mon, 21 May 2018 13:45:00 -0700

Google has further fleshed out plans to upend the historical approach browsers have taken to warn users of insecure websites, spelling out more gradual steps the company will take with Chrome this year.

Starting in September, Google will stop marking plain-vanilla HTTP sites – those not secured with a digital certificate, and which don’t encrypt traffic between browser and site servers – as secure in Chrome’s address bar. The following month, Chrome will tag HTTP pages with a red “Not Secure” marker when users enter any kind of data.

Eventually, Google will have Chrome label every HTTP website as, in its words, “affirmatively non-secure.” By doing so, Chrome will have completed a 180-degree turn from browsers’ original signage – marking secure HTTPS sites, usually with a padlock icon of some shade, to indicate encryption and a digital certificate – to labeling only those pages that are insecure.

To read this article in full, please click here

Read more

TLS 1.3 is nearly here

Credit to Author: Christopher Boyd| Date: Fri, 30 Mar 2018 15:00:00 +0000

TLS 1.3 is nearly upon us, and with it comes a more secure way to do business online. We look at some of the changes coming into force soon.



(Read more…)

The post TLS 1.3 is nearly here appeared first on Malwarebytes Labs.

Read more

Chrome 68 to condemn all unencrypted sites by summer

Credit to Author: Gregg Keizer| Date: Tue, 13 Feb 2018 03:10:00 -0800

Google has put a July deadline on a 2016 promise that its Chrome browser would tag all websites that don’t encrypt their traffic.

“Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as ‘not secure,'” wrote Emily Schechter, a Chrome security product manager, in a Feb. 8 post to a company blog.

Google has scheduled Chrome 68 to release in Stable form – analogous to production-level quality – during the week of July 22-28.

Starting then, Chrome will insert a “Not secure” label into the address bar of every website that uses HTTP connections between its servers and users. Sites that instead rely on HTTPS to encrypt the back-and-forth traffic will display their URLs normally in the address bar.

To read this article in full, please click here

Read more

Mozilla mandates that new Firefox features rely on encrypted connections

Credit to Author: Gregg Keizer| Date: Thu, 18 Jan 2018 10:37:00 -0800

Mozilla this week decreed that future web-facing features of Firefox must meet an under-development standard that requires all browser-to-server-and-back traffic be encrypted.

“Effective immediately, all new features that are web-exposed are to be restricted to secure contexts,” wrote Mozilla engineer Anne van Kesteren in a post to a company blog. “A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.”

Secure contexts, dubbed a “minimum security level,” is a pending standard of the W3 (World Wide Web Consortium), the primary standards body for the web. Secure contexts’ main purpose, according to its documentation: “Application code with access to sensitive or private data be delivered confidentially over authenticated channels that guarantee data integrity.”

To read this article in full, please click here

Read more

How blockchain makes self-sovereign identities possible

Credit to Author: Phillip Windley| Date: Wed, 10 Jan 2018 03:12:00 -0800

One of the curious constructions of the Internet is the term identity provider. You don’t need anyone to provide you with an identity, of course. You have an innate one by virtue of being human. Rather, so-called identity providers, or IDPs, provide you with an identifier, a means of recording attributes important to that provider, and some method of proving it’s you – usually a password.

This is not surprising since online identity has traditionally been viewed through the lens of an organization and its needs, not the individual and his or her needs. Identity systems are created to administer identifiers and attributes within a specific domain. The result: people end up with hundreds of online personas at hundreds of organizations. Each of these administrative identity systems is proprietary and owned by the organization that provides it; you really don’t have an online identity that’s independent of these many systems. Got a new address, or an updated credit card number? You’ll have to deal with each of these systems one at a time in whatever manner they require.

To read this article in full, please click here

Read more