https
Latest
Google's annual report shows more web traffic is encrypted
For several years now, Google has been exerting pressure to increase the usage of HTTPS across the internet. By defaulting to secure connections on both ends, users can be protected from anyone who may intercept or even manipulate data as it flows back and forth -- quite useful in a world where you can't even trust WiFi. For its own products, Google says HTTPS use is up to 89 percent overall, up from just 50 percent at the beginning of 2014. The number of top 100 websites defaulting to HTTPS has nearly doubled since last year (way to catch up), growing from 37 to 71.
The Senate has finished encrypting all its websites
Google would approve of the Senate's latest security move: according to ZDNet, it has just finished encrypting its main website and all its Senators' pages. You'll now see a small lock in their address bars when you visit, along with the HTTPS protocol indicative of encrypted websites. They're what tells you that you're on the right page and not on some copycat's that's trying to steal your info. ZDNet says it took the Senate a year to complete the migration, since its IT department had to migrate everything on its own. It received no help from any of America's agencies like the executive branch did when the White House wanted to make HTTPS a standard for all federal websites.
Chrome warns you when typing anything into non-secure sites
As part of Google's quest to compel all websites to use the more secure HTTPS protocol, Chrome 62 will flash more warnings when you visit HTTP sites. A few months ago, Chrome 56 (rightly) started labeling unencrypted sites as "not secure" right next to their URLs in the address line if they're asking for passwords and credit card details. As the Chrome Security Team's blog post said, though, passwords and credit card numbers aren't the only types of data worth protecting. That's why when Chrome 62 rolls out in October, you'll see the warning pop up whenever you type anything in an HTTP website.
Pornhub adds HTTPS to keep your kinks hidden
Now that your ISP will soon be able to sell your browsing history to advertisers, it's good to know which companies have your back, privacy-wise. Around the web, the recent switch to HTTPS encryption has been a step in the right direction, but adult websites -- the ones with the most potentially embarrassing content -- have been slow to adopt. This week Pornhub, the most popular porn site on the internet, announced it now supports HTTPS to keep users' browsing habits within its network of sites as private as possible.
When the 'S' in HTTPS also stands for shady
Just when we'd learned the importance of HTTPS in address bars, spammers and malicious hackers have figured out how to game the system. Let's Encrypt is an automated service that lets people turn their old unencrypted URLs into safely encrypted HTTPS addresses with a type of file called a certificate. It's terrific, especially because certificates are expensive (overpriced, actually) and many people can't afford them. So it's easy to argue that the Let's Encrypt service has done more than we may ever realize to strengthen the security of the internet and users everywhere.
Server bug leaks user data for thousands of popular websites
A number of high-profile websites have been leaking their users personal data into the ether, thanks to an error by a prominent web services provider. Cloudflare, which provides security and content delivery services to companies like Patreon, Fitbit and OKCupid among others, had an error in its code that caused pieces of memory to dump into web pages. The Register described the issue as sitting down to a fresh table in a restaurant and being handed the previous diner's wallet.
Chrome warns you when a shopping site isn't secure
Paying bills and shopping online is great, but sometimes it's difficult to tell when the site you're using is protecting your sensitive information. The latest update for Chrome should make that a bit easier. Now, when you're on a site that asks for a password or credit card info and it isn't using HTTPS, it'll be flagged as "not secure" in red type and with a caution sign in the address field. It seems as though Google is using these literal scarlet letters as a way to advance its "HTTPS for all" initiative. Hopefully the shaming pushes more places into action.
Apple gives app makers more time to switch to HTTPS connection
Earlier this year, Apple required all app developers to switch on App Transport Security by January 1st, 2017. The feature (introduced with iOS 9 back in 2015) would have boosted apps' security, since it forces them to connect to the internet over HTTPS. Unfortunately, not everyone took advantage of the feature, and Google even released some codes that allowed developers to bypass ATS. If you were expecting to be protected by this extra layer of security in a few days' time, though, you'd be sorely disappointed. Cupertino has decided to extend the deadline and give developers more time to prepare for the switch. In a post on the Apple Developer website, the company wrote:
Chrome will provide clearer warnings for insecure retail sites
Chrome's developers have futzed with the way that it displays insecure sites over the past few years, and for now, non-HTTPS sites display a "neutral" info symbol. Google warned that would change soon for certain types of sites, however, and we can now see how with the Chrome 56 beta. Any non-encrypted HTTP pages that collect passwords or credit card numbers will prominently display as "not secure" in the URL bar. That, Google says, is the prelude to a bigger scheme to clearly mark all HTTP sites as non-secure, something it kind of did before.
Google shows the web is a lot more secure than it was a year ago
As we spend more time online, the need for secure browsing and communications has become more and more important. Messaging apps now incorporate encryption as standard and many of your favorite websites (including this one) are moving to HTTPS to protect their visitors. For the longest time, Google has helped champion that movement by rolling out secure apps and services, but its latest move is all about highlighting the good work of others. The web is a lot more secure than it was just a year and a half ago, and thanks to its new Transparency Report metric, Google has the stats to prove it.
Increased encryption will help keep porn browsing private
Thanks to boosts in visibility when it comes to search and web browsers, you've probably noticed more websites (like Engadget) switching to HTTPS, which uses encryption to secure the connection between browser and server. Despite benefits to privacy and security most adult sites, even larger ones, haven't rolled it out across their domains, but the Washington Post points out there's a new industry push to change that.
Chrome cracks down on sites that don't use encryption
Chrome is embarking on a crusade to crack down on websites that still aren't using encryption, and it starts with the latest version of the browser, Chrome 56.
Netflix explains how and why it's switching to HTTPS streaming
Netflix has always used DRM to keep studios happy and make an effort to stop people from copying its video streams, but now it's added a new layer of protection. Last year the video streaming giant announced it would roll out HTTPS encryption for streams, and a new post on its tech blog explains how you do that for 80+ million customers at once. It developed a scheme to add encryption on its Open Connect servers -- the boxes hosted by or near ISPs to bring Netflix's library closer to the homes of viewers -- without impacting efficiency.
Exploit can attack secure websites through ads
Some web-based exploits are more dangerous than others... and unfortunately, this is one of the nasty ones. Security researchers at KU Leuven have discovered an attack technique, HEIST (HTTP Encrypted Information can be Stolen Through TCP-Windows), that helps compromise an encrypted website using only a JavaScript file hidden in a maliciously-crafted ad or page. Unlike many similar attacks, you don't need a man-in-the-middle spot to make this work -- it can gauge the size of an encrypted response (and thus enable an attack) all on its own. Combine it with another technique and it's relatively easy to pluck sensitive info from encrypted data traffic, such as email addresses and banking details.
Apple will deactivate Flash by default on Safari 10
You know that Maya Angelou quote that says "Never make someone a priority when all you are to them is an option?" If Flash were a person following that tenet, then it now has to drop Safari from its dwindling list of priorities. In a post on the WebKit blog, Apple engineer Ricky Mondello has revealed that the company is deactivating Adobe Flash by default on Safari 10. That's the version of the browser shipping with macOS Sierra this fall.
Engadget moved to HTTPS because we love you
It's been a long time, we shouldn't have left you... without a secure site to connect to. Security is (or at least should be) top of mind for everyone who uses the internet. We can't go more than a week or two without news of another breach that has compromised customer or user information. In such an environment, securing websites is no longer a luxury -- it's a necessity. Which is why, after over a year of hard work by Engadget's intrepid product team, we've made the switch to HTTPS. But what does that mean? And, why should you care?
Google moves every Blogspot domain to HTTPS
Google's quest to make the internet a more secure place is taking another step. The internet juggernaut's flipped the switch on HTTPS for all Blogspot domains, according to a post on the Google Security Blogspot account. Naturally. It's automatic and doesn't rely on you using the "HTTPS Availability" option, but if you were worried about not having a switch of your own to flip anymore, Google has you covered there with HTTPS Redirect.
Chrome's latest tool checks your website's security
You may never notice Chrome's green lock showing that an HTTPS site is 100 percent secure, but developers pay rapt attention to it. That's because Google prioritizes search results for sites with the strongest security, so a problematic site could find itself on the dreaded second page. The symbol also tells users that they're less likely to be victims of man-in-the-middle and other "content injection" attacks. However, many operators still aren't sure why their sites appear insecure, so Google has unveiled a security panel for DevTools in its latest version 48 of Chrome.
Gmail will soon warn you when an unencrypted message arrives
In its on-going quest to lock down your email communication, Google is working on a new notification system for Gmail. The alerts will let you know when you receive a message from an incoming mail server that's not encrypted. Mountain View continues its work on email security, partnering with researchers to analyze changes since 2013. A multi-year study found that while email security improved over the last two years, but threats remain from those tampering with SSL requests and malicious DNS servers. The issues don't impact Gmail to Gmail messages, but they could cause issues with correspondence from outside email providers. So, to combat the issue, Google came up with the warning system. Those Warnings will alert users to potential dangers, and they're expected to roll out in the months to come.
Chrome shows sites with minor security issues as totally insecure
Google has just launched Chrome 46, and there's a significant change in how it notifies you about web security. If you're on an HTTPS site that's 100 percent secure, you'll still see a green lock icon, and broken sites show a red "X" symbol, as before. However, when you hit a protected site with minor issues, you'll see absolutely no symbol, as if you were on a regular, unencrypted HTTP site (below). That's a big change from Chrome 45, when Google showed a lock symbol with a yellow triangle on such "mixed" sites.
