Security News

Researcher Demonstrates 4 New Variants of HTTP Request Smuggling Attack
2020-08-05 11:57

New research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers. Amit Klein, VP of Security Research at SafeBreach, who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP request smuggling even 15 years after such attacks were first documented.

New Attack Leverages HTTP/2 for Effective Remote Timing Side-Channel Leaks
2020-07-31 03:10

Since measuring the time taken to execute cryptographic algorithms is crucial to carrying out a timing attack and consequently leaking information, the jitter on the network path from the attacker to the server can make it impractical to successfully exploit timing side-channels that rely on a small difference in execution time. The new method, called Timeless Timing Attacks by researchers from DistriNet Research Group and New York University Abu Dhabi, instead leverages multiplexing of network protocols and concurrent execution by applications, thus making the attacks immune to network conditions.

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle
2020-07-10 00:29

A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities had issued EV certs to customers despite not being included in DigiCert's WebTrust audits - which goes against the rules for EV certs. "Although there is no security threat, the EV Guidelines require that we revoke EV certificates signed by the affected ICAs by July 11, 2020 at 12pm MDT."

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too
2020-06-30 03:57

From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats. "Connections to TLS servers violating these new requirements will fail," Apple warned in its official note.

Talk about the fox guarding the hen house. Comcast to handle DNS-over-HTTPS for Firefox-using subscribers
2020-06-26 01:07

Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced. This means the ISP, which has joined Moz's Trusted Recursive Resolver Program, will perform domain-name-to-IP-address lookups for subscribers using Firefox via encrypted HTTPS channels.

Why organizations should consider HTTPS inspection to find encrypted malware
2020-06-25 13:08

HTTPS inspection is a process by which you can analyze the encrypted web traffic and content, though some organizations shy away from this technique as it can do more harm than good if not implemented properly. In its Internet Security Report for Q1 2020, WatchGuard reported that 67% of all malware last quarter was delivered via HTTPS. Since more websites now use HTTPS for encrypted connections, many WatchGuard customers have enabled HTTPS inspection, which looks for malicious content by decrypting traffic at the gateway.

Most malware in Q1 2020 was delivered via encrypted HTTPS connections
2020-06-25 04:00

67% of all malware in Q1 2020 was delivered via encrypted HTTPS connections and 72% of encrypted malware was classified as zero day, so would have evaded signature-based antivirus protection, according to WatchGuard. "Some organizations are reluctant to set up HTTPS inspection due to the extra work involved, but our threat data clearly shows that a majority of malware is delivered through encrypted connections and that letting traffic go uninspected is simply no longer an option," said Corey Nachreiner, CTO at WatchGuard.

United States wants HTTPS for all government sites, all the time
2020-06-23 14:33

The US government just announced its plans for HTTPS on all dot-gov sites. As well as saying all dot-gov sites should be available over HTTPS, the government wants to get to the point that all of its web servers are publicly committed to use HTTPS by default.

U.S. Pushes for HTTPS on .gov Domains
2020-06-23 10:55

Gov domains over encrypted connections, and this week laid out plans to preload the entire top-level domain. Gov domains have yet to adopt the secure HTTPS protocol, which protects their visitors against eavesdropping.

WatchGuard Firebox T Series firewalls: Heightened HTTPS throughput, security services, SD-WAN
2020-06-11 02:30

"Small and midsize organizations without adequate security resources require the best of both worlds. With leading throughput levels, layered security services, zero-touch SD-WAN capabilities and many other benefits, our new line of tabletop security appliances provides just that." WatchGuard's new tabletop security appliances are built to provide the advanced throughput and improved HTTPS traffic processing today's organizations need to keep up with the ever-increasing velocity of business, along with a comprehensive set of security services.