ZDNet: The good and the bad with Chrome web browser’s new security defaults

ZDNet: The good and the bad with Chrome web browser’s new security defaults. “First, the good news. Starting with the mid-April release of Google’s Chrome 90 web browser, Chrome will default to trying to load the version of a website that’s been secured with Transport Layer Security (TLS). These are the sites that show a closed lock in the Chrome Omnibox, what most of us know as the Chrome address (URL) bar. The bad news is that just because a site is secured by HTTPS doesn’t mean it’s trustworthy.”

Neowin: Let’s Encrypt has issued its billionth certificate

Neowin: Let’s Encrypt has issued its billionth certificate. “Let’s Encrypt has announced that its billionth certificate was issued today. By automating the issuance of website certificates, Let’s Encrypt hoped to increase the number of HTTPS-compatible websites, making the web more secure for everyone. The announcement comes just a week after Let’s Encrypt introduced support for multi-perspective domain validation.”

Ubergizmo: Hackers Modify Chrome And Firefox To Track Secure Web Traffic

Ubergizmo: Hackers Modify Chrome And Firefox To Track Secure Web Traffic. “The reason why companies like Google are trying to push for more websites to use HTTPS is because it helps to secure your web traffic. It helps to prevent attackers from interfering with the data transferred between the website and your browser. Unfortunately, a report from Kaspersky has revealed that Russian hackers might have found a way to track secure web traffic.”

Wired: HTTPS Isn’t Always As Secure As It Seems

Wired: HTTPS Isn’t Always As Secure As It Seems. “Widespread adoption of the web encryption scheme HTTPS has added a lot of green padlocks—and corresponding data protection—to the web. All of the popular sites you visit every day likely offer this defense, called Transport Layer Security, or TLS, which encrypts data between your browser and the web servers it communicates with to protect your travel plans, passwords, and embarrassing Google searches from prying eyes. But new findings from researchers at Ca’ Foscari University of Venice in Italy and Tu Wien in Austria indicate that a surprising number of encrypted sites still leave these connections exposed.”

TechCrunch: These are all the federal HTTPS websites that’ll expire soon because of the US government shutdown

TechCrunch: These are all the federal HTTPS websites that’ll expire soon because of the US government shutdown. “During the government shutdown, security experts noticed several federal websites were throwing back browser errors because the TLS certificate, which lights up your browser with ‘HTTPS’ or flashes a padlock, had expired on many domains. And because so many federal workers have been sent home on unpaid leave — or worse, working without pay but trying to fill in for most of their furloughed department — expired certificates aren’t getting renewed. Renewing certificates doesn’t take much time or effort — sometimes just a click of a mouse. But some do cost money, and during a government shutdown, there isn’t any. Depending on the security level, most websites will kick back browser errors. Some won’t let you in at all until the expired certificate is renewed.”

Krebs on Security: Half of all Phishing Sites Now Have the Padlock

Krebs on Security: Half of all Phishing Sites Now Have the Padlock. “Maybe you were once advised to ‘look for the padlock’ as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.”

CNET: Chrome’s HTTP warning seeks to cut web surveillance, tampering

CNET: Chrome’s HTTP warning seeks to cut web surveillance, tampering. “The Hypertext Transfer Protocol lets your web browser fetch a web page from the server that hosts it. HTTP has had a good run, but it has a problem: It doesn’t protect communications with encryption that blocks eavesdropping and tampering. That’s why Google, Mozilla and other tech industry allies have been pushing websites everywhere to switch to the secure version, called HTTPS. And it’s why, starting with the release of Chrome 68 on Tuesday, Google’s browser will warn you whenever it loads an unencrypted HTTP website.”

Gizmodo: Firefox May Soon Start Publicly Shaming Sites With Crappy Security

Gizmodo: Firefox May Soon Start Publicly Shaming Sites With Crappy Security. “In the constant battle to ensure your privacy online, there are some precautions you can take to protect yourself, such as avoiding clicking random links and using different passwords for every site. But other measures require some help from the websites you visit, and based on a hidden option found in the latest Firefox beta, Mozilla may start publicly shaming websites that are still clinging on to HTTP.”

Engadget: The EFF wants to make email servers more secure

Engadget: The EFF wants to make email servers more secure. “The Electronic Frontier Foundation (EFF) launched HTTPS-encryption initiative Let’s Encrypt two years ago with Mozilla and Cisco. Now it’s turning its attention to email servers with a new project called STARTTLS Everywhere, which aims to help server admins run STARTTLS email servers properly. Because according to the EFF, most aren’t.”

Ars Technica: Let’s Encrypt takes free “wildcard” certificates live

Ars Technica: Let’s Encrypt takes free “wildcard” certificates live. “In July of 2017, the nonprofit certificate authority Let’s Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free “wildcard” certificates to enable secure HTTP connections for entire domains. Today, Let’s Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.”