Security News
When version 90 of Google's Chrome browser arrives in mid-April, initial website visits will default to a secure HTTPS connection in the event the user has failed to specify a preferred URI scheme. Chrome 90 will make HTTPS the default for first-time website visits where no transport has been declared.
Microsoft is testing a fix for performance issues in Microsoft Edge's DNS-over-HTTPS feature and has once again enabled a list of suggested DoH servers. DNS-over-HTTPS allows DNS resolution to be performed over an encrypted HTTPS connection rather than through normal plain text DNS lookups.
Sectigo's chief compliance officer has hit out at Google for minimizing the visibility of Extended Validation HTTPS certificates in Chrome. In a chat with The Register, Sectigo CCO Tim Callan said his biz, which among other things is one of the biggest sellers of EV HTTPS certificates, was "going to remove street and postal information from all of our public sites," seeing as Google thinks no one cares where a business is based.
The U.S. National Security Agency on Friday said DNS over HTTPS - if configured appropriately in enterprise environments - can help prevent "numerous" initial access, command-and-control, and exfiltration techniques used by threat actors. "DNS over Hypertext Transfer Protocol over Transport Layer Security, often referred to as DNS over HTTPS, encrypts DNS requests by using HTTPS to provide privacy, integrity, and 'last mile' source authentication with a client's DNS resolver," according to the NSA's new guidance.
Here's our latest Naked Security Live talk, explaining why HTTPS is vital, even if you're publishing public data that isn't confidential. That's because HTTPS isn't just about the confidentiality of the data you browse to - it's also about improving your privacy in respect of what you chose to look at, when you looked at it, what you browsed to next, and so on.
We advise you how to react when a friend suddenly asks for money, explain why Chromium is finally aiming for HTTPS by default, and warn you why you should never, ever hardcode passwords into your software.
HTTPS, as you probably know, stands for secure HTTP, and it's a cryptographic process - a cybersecurity dance, if you like - that your browser performs with a web server when it connects, improving privacy and security by agreeing to encrypt the data that goes back and forth. Why is HTTP still the default choice of your browser if you type a URL into the address bar and don't explicitly put https:// at the start?
This new protocol, called Oblivious DNS-over-HTTPS, hides the websites you visit from your ISP. Here's how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between for the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can't see what's inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.
"In light of the very high availability of HTTPS, we believe that it is time to let our users choose to always use HTTPS. That's why we have created HTTPS-Only Mode, which ensures that Firefox doesn't make any insecure connections without your permission," Mozilla says. Once HTTPS-Only Mode has been enabled, Firefox will attempt to always establish a fully secure connection to the visited website, and even if the user clicks on an HTTP link or manually enters it, the browser will still use HTTPS instead. The new feature can be enabled from the "Preferences" menu, in the "Privacy & Security" section.
Mozilla Firefox 83 was released today with a new feature called 'HTTPS-Only Mode' that secures your browsing sessions by rewriting URLs to secure HTTPS versions. Windows, Mac, and Linux desktop users can upgrade to Firefox 83 by going to Options -> Help -> About Firefox.