Wired: HTTPS Isn’t Always As Secure As It Seems

Wired: HTTPS Isn’t Always As Secure As It Seems. “Widespread adoption of the web encryption scheme HTTPS has added a lot of green padlocks—and corresponding data protection—to the web. All of the popular sites you visit every day likely offer this defense, called Transport Layer Security, or TLS, which encrypts data between your browser and the web servers it communicates with to protect your travel plans, passwords, and embarrassing Google searches from prying eyes. But new findings from researchers at Ca’ Foscari University of Venice in Italy and Tu Wien in Austria indicate that a surprising number of encrypted sites still leave these connections exposed.”

ZDNet: Firefox will soon warn users of software that performs MitM attacks

ZDNet: Firefox will soon warn users of software that performs MitM attacks. “The Firefox browser will soon come with a new security feature that will detect and then warn users when a third-party app is performing a Man-in-the-Middle (MitM) attack by hijacking the user’s HTTPS traffic.”

TechCrunch: These are all the federal HTTPS websites that’ll expire soon because of the US government shutdown

TechCrunch: These are all the federal HTTPS websites that’ll expire soon because of the US government shutdown. “During the government shutdown, security experts noticed several federal websites were throwing back browser errors because the TLS certificate, which lights up your browser with ‘HTTPS’ or flashes a padlock, had expired on many domains. And because so many federal workers have been sent home on unpaid leave — or worse, working without pay but trying to fill in for most of their furloughed department — expired certificates aren’t getting renewed. Renewing certificates doesn’t take much time or effort — sometimes just a click of a mouse. But some do cost money, and during a government shutdown, there isn’t any. Depending on the security level, most websites will kick back browser errors. Some won’t let you in at all until the expired certificate is renewed.”

Krebs on Security: Half of all Phishing Sites Now Have the Padlock

Krebs on Security: Half of all Phishing Sites Now Have the Padlock. “Maybe you were once advised to ‘look for the padlock’ as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with ‘https://’.”

CNET: Chrome’s HTTP warning seeks to cut web surveillance, tampering

CNET: Chrome’s HTTP warning seeks to cut web surveillance, tampering. “The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering. That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.”