https

Latest

  • Russia bans all of Reddit over a single 'shroom thread

    by 
    Andrew Tarantola
    08.12.2015

    Russia's censoring spree continued on Wednesday when the government's internet agency, the Roskomnadzor, banned the entire Reddit website from Russian access -- all because of a single thread that discussed how to grow psilocybin (aka "magic") mushrooms titled, "Minimal and Reliable Methods for Growing Psilocybe". According to reports from Meduza, the ban came at the behest of Russia's Federal Drug Control Service, which felt that the content promoted discussion of these substances. The government had first sought to ban just the individual threads it found objectionable but, because Reddit uses HTTPS, the only way to eliminate those threads was to nuke the entire site from orbit (it's the only way to make sure).

  • Reddit announces it will encrypt site traffic data

    by 
    Andrew Tarantola
    06.17.2015

    Following the lead of Google, Wikipedia and Facebook, Reddit announced on Wednesday that it will begin encrypting all of its traffic by the end of the month. Once July rolls around, users will see the increasingly common HTTPS header in Reddit URLs. The move comes as privacy advocates push for the encrypted protocol to be used universally across the internet, efforts that have gained momentum after the recent revelations of widespread government snooping. Ironically, the Federal government has itself called for all of its public-facing systems to be encrypted by the end of the year, despite its demands for security backdoors from websites that have already enabled encryption.

  • Wikipedia's secure pages stop others from tracking your fact finding

    by 
    Jon Fingas
    06.13.2015

    You may not think that the security of your Wikipedia research is a big deal, but it can be. You don't want spies to misinterpret your searches for potassium nitrate and the Gunpowder Plot as evidence of a terrorist conspiracy, after all. Appropriately, the Wikimedia Foundation is starting to encrypt all web traffic on Wikipedia and other associated websites through HTTPS, making it decidedly harder to monitor your knowledge hunts. The initiative should also make it at least a bit tougher for censorship-happy governments to block inconvenient facts. Encryption isn't new on the organization's sites (you've had a manual HTTPS option since 2011), but this always-on policy means that you never have to think about it -- you can assume that there's a basic level of privacy.

  • US government wants a single website security standard

    by 
    Timothy J. Seppala
    06.09.2015

    We've known that most of the government's anonymous tiplines aren't secure, and Uncle Sam is implementing changes across the board to make HTTPS a standard for federal websites. It's a "new, strong baseline of user privacy and security" according to a post by 18F, one of the government's internal data agencies. Once in place, this would effectively bring all federal websites up to the security standards many private sector outfits already employ. The White House has put the proposed and final versions on GitHub if you'd like to compare one against the other, too.

  • Mozilla: All new web features should require secure HTTP

    by 
    Mariella Moon
    05.01.2015

    A number of internet organizations and even the government want websites to use encryption by default in the future, and from the sound of it, Mozilla shares their view. The non-profit has announced that it plans to limit the capabilities of "the non-secure web" (aka websites that don't use HTTPS), in order to encourage a more widespread use of encryption. Mozilla has a two-element approach in place, one of which is making all new features of the Firefox browser and its other products available only to secure websites when we reach a certain date. The org will consult its users -- just like it did before it ultimately decided it wants to stop supporting unencrypted sites in the long run -- not only to pinpoint that date, but also to decide what features are considered "new" by that time.

  • 1,500 iOS apps are vulnerable to an HTTPS-crippling bug

    by 
    Andrew Tarantola
    04.21.2015

    According to analytics service SourceDNA, nearly 1,500 iPhone and iPad apps currently available in the App Store include a bug that breaks HTTPS. This could leave users' sensitive personal information exposed to hackers. Analysts have identified an out-of-date version of open-source code library AFNetworking as the source of the vulnerability. The library itself has already been patched; however, many apps are still using the older, insecure version. "We tested the app on a real device and, unexpectedly, we found that all the SSL traffic could be regularly intercepted through a proxy like Burp without any intervention," researchers Simone Bovi and Mauro Gentile wrote in March.

  • Most of the government's anonymous tiplines aren't secure

    by 
    Timothy J. Seppala
    04.17.2015

    When it comes to whistleblowing, privacy is paramount -- just ask Edward Snowden. It's also why news from an American Civil Liberties Association report (PDF) about anonymous government tiplines not using HTTPS encryption is all the more alarming. In a letter to Tony Scott -- not the late filmmaker, the United States chief information officer -- the ACLU's Michael W. Macleod-Ball and Christopher Soghoian implore the government to fast-track efforts to swap the some 29 websites that are required by law to protect the anonymity of tipsters over to HTTPS. If that can't happen immediately (Scott has a two-year plan to encrypt all government websites) then the ACLU suggests allowing people to use the Tor browser for alerting the authorities about fraud or waste in the interim. Currently, the anonymity-minded browser is blocked by certain federal agency websites.

  • Netflix will roll out a new look for its TV apps later this year

    by 
    Richard Lawler
    04.15.2015

    This quarter's Netflix earnings report is especially interesting because it's the first one since HBO's online-only Now service launched, so investors and others are looking to see how it responds to direct competition. The streaming company just announced that it not only added nearly five million subscribers in the last three months, but it has a new UI coming for its TV apps in the second half of this year. It's described as bringing video playback "forward" into the browsing experience, but there's not much more detail available and Netflix isn't talking yet. We're wondering if Netflix could start pushing live streaming channels like traditional TV, or just video previews that start playing even before you choose what to watch. At CES in January, director of corporate communications and technology Cliff Edwards told us that it's looking to put internet TV on the same footing as cable, and a new way of using its apps could do a lot to help that. As usual, Netflix will broadcast its earnings call live on YouTube at 6PM ET, and the video is embedded below. If there's any news from there, we'll update the post and let you know.

  • Google's about to blacklist thousands of Chinese websites

    by 
    Daniel Cooper
    04.02.2015

    China's relationship with America's tech firms is barely friendly, but things are about to get that little bit rougher. Google has announced that it'll stop trusting the security certificates provided by CNNIC, China's Internet Network Information Center. The dust-up between the two is pretty dry, but all you need to know right now is that if you visit a website that begins with https:// and ends with .cn, Chrome's about to bombard you with warning messages.

  • Your BMW just downloaded a security patch

    by 
    Timothy J. Seppala
    01.31.2015

    Have a BMW, Mini or Rolls Royce with the ConnectedDrive feature parked in your driveway? Maybe all three? Well, it turns out there was a bug that allowed ne'er-do-wells to manipulate it -- entirely wirelessly. According to Reuters, by simulating a fake phone network researchers at German outfit ADAC (essentially Deutschland's AAA) were able to gain access to systems governed by the platform's SIM card by spoofing a cell tower. They've even put together a video describing the gap in security which you can check out after the break -- if you speak German. While the vulnerabilities didn't include anything related to steering, acceleration or braking, the ConnectedDrive does have access to traffic information, air conditioning and... door locks.

  • Gogo's in-flight WiFi uses fake web security to keep you off YouTube

    by 
    Jon Fingas
    01.06.2015

    It's easy to understand why Gogo would curb video streaming given the limited headroom on its current in-flight WiFi service. You don't want to miss important email just because someone in row 29 is watching the latest Epic Rap Battle, after all. However, the company's approach to keeping you off those forbidden sites is raising some major security concerns. Google's Adrienne Porter Felt recently noticed that Gogo is using fake google.com web security certificates to deter people from visiting YouTube. You can bypass any warnings from your browser, but the move theoretically lets Gogo decrypt and monitor your mid-air activity on any secure website, so long as it has the matching credentials.

  • Google now considers website security for search rankings

    by 
    Chris Velazco
    08.07.2014

    There really isn't such a thing as being too secure online, and Google is trying something new to get more website owners thinking about keeping their users' information safe. After a few months of experimentation, the search giant now considers how secure a site is when it decides how prominently it gets placed in search results.

  • Google makes Gmail more secure in light of NSA snooping

    by 
    Chris Velazco
    03.20.2014

    Your Gmail inbox may well be full of chain letters and kitten photos, but Google just announced two security changes that'll help keep prying eyes away from all your important messages. From now on, Google will always use a secure HTTPS connection when you're checking or firing off emails. You may remember that Google made such secure browser connections the default back in early 2010, but you always had the option to disable HTTPS if you really believed in the security of your network. The second (and arguably juicier) change is that your messages will be encrypted as they get routed through the company's many data centers. Google isn't exactly being coy about why, either. It said in a blog post that internally encrypting those messages became a priority "after last summer's revelations"... a not-so-subtle way of saying it doesn't want organizations like the NSA poking around where users don't want them.

  • Yahoo search gets safer with automatic encryption

    by 
    Timothy J. Seppala
    01.22.2014

    Just as Marissa Mayer promised, Yahoo has started plugging security holes ahead of its self-imposed Q1 2014 deadline. From now on, all of your searches done via the internet giant's home page will be automatically routed through a secure server. However, this appears to only be in place for the US site, as the UK and Japan versions still conducted our queries through insecure means. We've reached out to Yahoo and will update this post if we hear back about international availability. Hopefully this move is strong enough to keep prying eyes -- or anyone's besides your own -- out of your search history.

  • Marissa Mayer: Yahoo will encrypt all user data by early 2014

    by 
    Sarah Silbert
    11.18.2013

    Yahoo recently announced that it will encrypt webmail by default, and today Marissa Mayer shared that the security measure will be applied across all Yahoo products "by the end of Q1 2014." In a post on the company Tumblr, CEO Mayer outlined three specific measures to protect user data: Encrypt all information that moves between our data centers by the end of Q1 2014; Offer users an option to encrypt all data flow to/from Yahoo by the end of Q1 2014; Work closely with our international Mail partners to ensure that Yahoo co-branded Mail accounts are https-enabled. This news is no doubt a response to persisting questions -- and court cases -- about the scope of the NSA's information-tapping policies as they relate to internet giants such as Facebook, Google and Yahoo. As the company has previously asserted, Mayer emphasized that Yahoo has "never given access to... data centers to the NSA or to any other government agency. Ever."

  • Apple uses HTTPS in China, thwarts censors

    by 
    Steve Sande
    12.21.2012

    Intentionally or not, Apple has made a switch to the hypertext transfer protocol secure (HTTPS) Internet communications protocol for the App Store. By doing so, the company has made it impossible for censors in China to block users from searching for certain types of apps. Before the change, searching for VPN apps -- which are popular with Chinese users for allowing access outside of the "Great Firewall of China" -- would cause connections to the App Store to reset. That kept Chinese users from being able to download such apps if they were available in the Chinese App Store. HTTPS keeps the Great Firewall of China from interrupting the connection to apps. The Next Web and Greatfire.org (a site that monitors Chinese Internet censorship) performed testing and found that certain apps blocked under HTTP are available now that HTTPS is being used to access the App Store. It's unlikely that the authoritarian government of China will allow this loophole to remain open.

  • Daily Update for December 21, 2012

    by 
    Steve Sande
    12.21.2012

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world.

  • Firefox 14 rolls out: Google searches default to HTTPS, OS X Lion users get fullscreen support

    by 
    Donald Melanson
    07.17.2012

    The changes in Firefox 14 may not be quite as immediately noticeable as those in the recently released Firefox 13, but they're still fairly notable nonetheless. One of the biggest is Mozilla delivering on its promise to move to HTTPS for all Google search results and search suggestions, giving users a bit of added security. Mac OS X Lion users will also be glad to know that the full screen mode is now fully supported, and all users can also now expect better mouse performance in web-based games and other applications thanks to Mozilla's implementation of the Pointer Lock API. As is the norm now, though, you'll just have to wait another six weeks for the next release if a feature you've been waiting for didn't make it into this one.

  • Replacing iDisk with online storage of your own

    by 
    Steve Sande
    04.25.2012

    With the June 30, 2012 death of Apple's MobileMe service looming just a little over two months away, some Mac users are still wondering what to do to replace one of the keystone pieces of the service -- iDisk. Macworld's Glenn Fleishman provided some tips today on how to replace iDisk with your own online storage using some common Mac apps that let you treat a remote FTP, SFTP, WebDAV, or Amazon S3 server like a Mac volume. The trick, says Fleishman, is to get file-sharing access via a hosting company or a storage system like Amazon S3, Google Storage, or Rackspace Cloud Files, and then use either Nolobe Software's Interarchy (US$30) or Panic's Transmit ($34) to create a Mac-mountable volume. Of the two Mac apps, Fleishman notes that Transmit works most like the default mode of iDisk. It provides a glimpse into the remote server's file structure, but doesn't download or sync files locally. As such, if you need to open a large remote file to edit it on the Mac, you must first wait for the file to be downloaded. After an edit is made, saving the file requires the file to be uploaded back to the source. That can definitely take some time. Interarchy's Net Disk feature is more like iDisk with synchronization enabled, allowing a Net Disk to synchronize changes to your computer, from your computer to the server, or in both directions. This ends up working more like Dropbox, where files are stored locally instantaneously, but then synchronize with the server behind the scenes. Fleishman includes instructions on how to create a mountable disk using either Transmit or Interarchy. Just remember to get your iDisk replacement into place prior to June 30th!

  • Twitter acquires dynamic duo at Whisper Systems, works to beef up privacy / security

    by 
    Chris Barylick
    11.29.2011

    You know that tweet you just wrote about your innermost emotions and the tasty sandwich you just ate? It's about to become that much more secure. Adding to its list of available resources, Twitter has acquired Whisper Systems, a two-man security outfit specializing in mobile device security and data scrambling on the Android operating system. Whisper, founded in 2010 by security industry mainstays Moxie Marlinspike and Stuart Anderson, has garnered a reputation for exposing high-profile vulnerabilities in systems that encrypt data over the Internet and WiFi networks. An exact buyout price for the company has yet to be released publicly -- though Marlinspike has released tools like SSLStrip that demonstrate vulnerabilities in supposedly secure web sites and has been working on a tool known as 'Convergence' -- which helps point out unreliable web certificate authorities. Not a bad find for Twitter, a company that has yet to switch over to a default HTTPS option for its 100 million active members' posts.