Security News
Let's Encrypt, a non-profit organization that helps people obtain free SSL/TLS certificates for websites, plans to revoke a non-trivial number of its certs on Friday because they were improperly issued. In a post to the Let's Encrypt discussion community forum, site reliability engineer Jillian Tessa explained that on Tuesday, a third party reported "Two irregularities" in the code implementing the "TLS Using ALPN" validation method in Boulder, its Automatic Certificate Management Environment software.
As you can imagine, some classes of RCE bug are considered much more wormable than others, especially bugs that can be triggered directly via a simple network interaction. HTTP.sys is part of Windows and is available to any program that uses ASP.NET. HTTP.sys works on Windows 7 clients and later.
Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022. The bug, tracked as CVE-2022-21907 and patched during this month's Patch Tuesday, was discovered in the HTTP Protocol Stack used as a protocol listener for processing HTTP requests by the Windows Internet Information Services web server.
Almost a third of the world wide web's top million sites are still not using HTTPS by default, according to infosec researcher Scott Helme's analysis. TLS v1.1 - which browser-maker Mozilla said it would actively block from March 2020 onwards - has completely disappeared from Helme's analysis, while v1.3 has spread from around 16 per cent of websites to 37 per cent of the million sites analysed, itself an increase of 129 per cent over the last 18 months.
In a paper distributed this month through ArXiv, they describe an HTTP protocol called HTTPS Attestable to enhance online security with remote attestation - a way for apps to obtain an assurance that data will be handled by trusted software in secure execution environments. "We propose a general solution to standardize attestation over HTTPS and establish multiple trusted connections to protect and manage requested data for selected HTTP domains," they say.
A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks. HTTP Request Smuggling, as the name implies, is a web application attack that tampers with the way a website processes sequences of HTTP requests received from more than one user.
A distributed denial-of-service attack earlier this year takes the top spot for the largest such incident, peaking at 17.2 million requests per second. The attack was recorded by Cloudflare's DDoS protection systems and amounted to almost 70% of the average rate of legitimate HTTP traffic for the second quarter of 2021.
This change builds on the inclusion of default blocks for cross-site tracking in private browsing, first introduced after Total Cookie Protection was released with Firefox 86 in February. Enhanced Cookie Clearing is triggered automatically whenever you're clearing cookies and other site data after enabling Strict Tracking Protection.
Node.js has released updates for a high severity vulnerability that could be exploited by attackers to corrupt the process and cause unexpected behaviors, such as application crashes and potentially remote code execution. In a client-server architecture, if a client application wants to end the connection, it would send an RST_STREAM frame to the server.
Google is about to give Chrome users a small security boost with new functionality that will attempt to automatically upgrade web pages to HTTPS. Dubbed HTTPS-First mode, the feature resembles the HTTPS-only mode in Firefox. For years, Google and other Internet companies have been actively advocating for the wide adoption of HTTPS across the web, but there still are websites that don't use encryption yet, thus posing a threat to their users.