Security News
Here's our latest Naked Security Live talk, explaining why HTTPS is vital, even if you're publishing public data that isn't confidential. Thats because HTTPS isn't just about the confidentiality of the data you browse to - it's also about improving your privacy in respect of what you chose to look at, when you looked at it, what you browsed to next, and so on.
We advise you how to react when a friend suddenly asks for money, explain why Chromium is finally aiming for HTTPS by default, and warn you why you should never, ever hardcode passwords into your software. WHERE TO FIND THE PODCAST ONLINE. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.
HTTPS, as you probably know, stands for secure HTTP, and it's a cryptographic process - a cybersecurity dance, if you like - that your browser performs with a web server when it connects, improving privacy and security by agreeing to encrypt the data that goes back and forth. Why is HTTP still the default choice of your browser if you type an URL into the address bar and don't explicitly put https:// at the start?
This new protocol, called Oblivious DNS-over-HTTPS, hides the websites you visit from your ISP. Here's how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can't see what's inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.
"In light of the very high availability of HTTPS, we believe that it is time to let our users choose to always use HTTPS. That's why we have created HTTPS-Only Mode, which ensures that Firefox doesn't make any insecure connections without your permission," Mozilla says. Once HTTPS-Only Mode has been enabled, Firefox will attempt to always establish a fully secure connection to the visited website, and even if the user clicks on an HTTP link or manually enters it, the browser will still use HTTPS instead. The new feature can be enabled from the "Preferences" menu, in the "Privacy & Security" section.
Mozilla Firefox 83 was released today with a new feature called 'HTTPS-Only Mode' that secures your browsing sessions by rewriting URLs to secure HTTPS versions. Windows, Mac, and Linux desktop users can upgrade to Firefox 83 by going to Options -> Help -> About Firefox.
Now Apple has stressed that this app security check does not send anyone's Apple IDs nor device identifiers over the 'net, though it did log people's public IP addresses. "To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs," Apple said.
A researcher has detailed several new variants of an attack named HTTP request smuggling, and he has proposed some new defenses against such attacks. HTTP request smuggling, also known as HTTP desyncing, has been known since 2005, but Amit Klein, VP of security research at SafeBreach, believes the method has not been fully analyzed, which is why he has decided to conduct a research project focusing on this attack technique.
A new research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers. Amit Klein, VP of Security Research at SafeBreach who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP request smuggling even after 15 years since they were first documented.
Since measuring the time taken to execute cryptographic algorithms is crucial to carrying out a timing attack and consequently leak information, the jitter on the network path from the attacker to the server can make it impractical to successfully exploit timing side-channels that rely on a small difference in execution time. The new method, called Timeless Timing Attacks by researchers from DistriNet Research Group and New York University Abu Dhabi, instead leverages multiplexing of network protocols and concurrent execution by applications, thus making the attacks immune to network conditions.