Indian Express: Google’s new chat service won’t be secure like iMessage and WhatsApp: Amnesty International. “Google has been slammed by Amnesty International’s Technology and Human Rights researcher Joe Westby for a new ‘Chat’ feature that will not be encrypted. Westby called the decision to launch a messaging service without end-to-end encryption ‘baffling’ and said the move aims to show Google’s ‘utter contempt for the privacy of Android users’ as it easily allows cybercriminals and government spies to access to take control of users’ private communication.”
ZDNet: Telegram told to give encryption keys to Russian authorities. “A top Russian court has told encrypted messaging app Telegram to share its encryption keys with state authorities. Telegram, founded by Russian entrepreneur Pavel Durov, has been fighting an effort by the FSB, the state’s security service formerly known as the KGB, which last year demanded that the company hand over its private encryption keys.”
Ars Technica: Let’s Encrypt takes free “wildcard” certificates live. “In July of 2017, the nonprofit certificate authority Let’s Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free “wildcard” certificates to enable secure HTTP connections for entire domains. Today, Let’s Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.”
Ars Technica: 23,000 HTTPS certificates axed after CEO emails private keys. “A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates.” Womp womp womp wooooooompppp.
Ars Technica: One-stop counterfeit certificate shops for all your malware-signing needs. “The Stuxnet worm that targeted Iran’s nuclear program almost a decade ago was a watershed piece of malware for a variety of reasons. Chief among them, its use of cryptographic certificates belonging to legitimate companies to falsely vouch for the trustworthiness of the malware. Last year, we learned that fraudulently signed malware was more widespread than previously believed. On Thursday, researchers unveiled one possible reason: underground services that since 2011 have sold counterfeit signing credentials that are unique to each buyer.”
Search Engine Journal: Migrating a WordPress Website from HTTP to HTTPS: A Complete Guide. “In this post, I will share the experience I had from migrating the SEJ website to HTTPS and many other WordPress-based websites I’ve worked on. I’ll be assuming you have basic WordPress coding skills and have already installed an SSL certificate on your website, since most hosting providers offer that feature with one click.” This is VERY thorough with LOTS of screenshots.
Google Online Security Blog: A secure web is here to stay. “For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as ‘not secure’. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as ‘not secure’.”