Security News
"Beginning in M94, Chrome will offer HTTPS-First Mode, which will attempt to upgrade all page loads to HTTPS and display a full-page warning before loading sites that don't support it," Google said. "Users who enable this mode gain confidence that Chrome is connecting them to sites over HTTPS whenever possible, and that they will see a warning before connecting to sites over HTTP."
Google is working on adding an HTTPS-Only Mode to the Chrome web browser to protect users' web traffic from eavesdropping by upgrading all connections to HTTPS. This new feature is now being tested in the Chrome 93 Canary preview releases for Mac, Windows, Linux, Chrome OS, and Android. Google has previously updated Chrome to default to HTTPS for all URLs typed in the address bar if the user specifies no protocol.
Microsoft has added a privacy feature to Windows 11 called DNS-over-HTTPS, allowing users to perform encrypted DNS lookups to bypass censorship and monitoring of their Internet activity. DNS-over-HTTPS allows your computer to perform these DNS lookups over an encrypted HTTPS connection rather than through normal plain text DNS lookups, which ISPs and governments can snoop on.
Microsoft Edge can now automatically switch users to a secure HTTPS connection when they visit websites over HTTP, once Automatic HTTPS is enabled. This new feature is in preview in the Canary and Developer preview channels and is rolling out to select users of Microsoft Edge 92. "Automatic HTTPS switches your connections to websites from HTTP to HTTPS on sites that are highly likely to support the more secure protocol," Microsoft said today.
A wormable vulnerability in the HTTP Protocol Stack of the Windows IIS server can also be used to attack unpatched Windows 10 and Server systems publicly exposing the WinRM service. Luckily, although it can be abused by threat actors in remote code execution attacks, the vulnerability ONLY impacts versions 2004 and 20H2 of Windows 10 and Windows Server.
Proof-of-concept exploit code was released over the weekend for a critical wormable vulnerability in the latest Windows 10 and Windows Server versions. The bug, tracked as CVE-2021-31166, was found in the HTTP Protocol Stack used by the Windows Internet Information Services web server as a protocol listener for processing HTTP requests.
The Redmond-based firm's Office and Windows flagships house many of the identified vulnerabilities, alongside Internet Explorer, Visual Studio, Visual Studio Code, Skype, and other software. Those who recall the slew of Exchange Server fixes in March and April may experience a sense of deja vu: May brings still more Exchange Server fixes, for Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9.
Microsoft Edge will automatically redirect users to a secure HTTPS connection when visiting websites using the HTTP protocol, starting with version 92, coming in late July. By default, this new option will allow Edge users to switch from HTTP to HTTPS on websites that are likely to support the more secure protocol.
The Mozilla Foundation fixed a flaw in its Firefox browser that allowed spoofing of the HTTPS secure communications icon, displayed as a padlock in the browser address window. Successful exploitation of the flaw could have allowed a rogue website to intercept browser communications.