Security News

CA domains, among other important internet functions, is rolling out a free Canada-wide DNS-over-HTTPS service to protect people's privacy. The Canadian Internet Registry Authority today said its new Canadian Shield service will allow people and businesses to encrypt their DNS queries in transit between their devices and CIRA's servers, providing an added layer of security at a time where millions in the country are transitioning to working from home mid-coronavirus pandemic.

Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing. There are some HTTPS security caveats worth mentioning, but before getting to them we'll start with the news that that Mozilla's Firefox will, from May's version 76, offer the option to browse in an HTTPS-only mode.

While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site's source code: "Http[.]ps". This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Ps domain is hosted in Russia, and sits on a server with one other malicious domain - autocapital[.

A vulnerability in Avast's anti-tracking solution could allow malicious actors to perform man-in-the-middle attacks on HTTPS traffic, a security researcher has discovered. The security flaw, which impacts both Avast and AVG AntiTrack, as they share underlying code, resides in the manner in which the software filters HTTPS traffic.

Compounding the issue is that certain operating systems and browsers use new encryption technologies - DNS over TLS and DNS over HTTPS - in the query response handshake with these unauthorized DNS services that make them harder to block. Today I'm going to talk about DNS over HTTPS misuse or abuse.

Let's Encrypt has halted its plans to cancel all three million flawed web security certificates - after fearing the super-revocation may effectively break a chunk of the internet for netizens. Earlier this week, the non-profit certificate authority, which issues HTTPS certs for free, announced a plan to disable some three million certificates tainted by a software bug.

On Wednesday, March 4, Let's Encrypt - the free, automated digital certificate authority - will briefly become Let's Revoke, to undo the issuance of more than three million flawed HTTPS certs. In a post to the service's online forum on Saturday, Jacob Hoffman-Andrews, senior staff technologist at the EFF, said a bug had been found in the code for Boulder, Let's Encrypt's automated certificate management environment.

Mozilla has said it plans to make a privacy technology called DNS-over-HTTPS the default setting for US users of Firefox within weeks. Although not a perfect shield against DNS snooping, DoH makes that a lot harder.

An eavesdropper doesn't have to be logged into the target device's wireless network to exploit KrØØk. If successful, the miscreant can take repeated snapshots of the device's wireless traffic as if it were on an open and insecure Wi-Fi. These snapshots may contain things like URLs of requested websites, personal information in transit, and so on. When these disassociation packets are received, vulnerable Wi-Fi controllers - made by Broadcom and Cypress, and used in countless computers and gadgets - will overwrite the shared encryption key with the value zero.

Mozilla has started rolling out encrypted DNS-over-HTTPS by default for its Firefox users in the United States. DoH provides increased security for Internet users, the DoH protocol ensures that DNS queries and DNS responses are sent and received over HTTP using TLS. Mozilla has been working on bringing DoH to Firefox since 2017, and tens of thousands were already using the protocol in September 2019, when it revealed plans to roll out DoH to Firefox users in the U.S., in fallback mode.