Security News
Mozilla has started rolling out encrypted DNS-over-HTTPS by default for its Firefox users in the United States. DoH provides increased security for Internet users, the DoH protocol ensures that DNS queries and DNS responses are sent and received over HTTP using TLS. Mozilla has been working on bringing DoH to Firefox since 2017, and tens of thousands were already using the protocol in September 2019, when it revealed plans to roll out DoH to Firefox users in the U.S., in fallback mode.
In theory DNS over HTTPS does not hide the "Fact" of the request transmission, "When" or "Length" of the request from a "Third party" evesdropper only the request "Contents". That is whilst DNS over HTTPS might hide the request contents it does not hide the request or the time it happened at, nore does it hide the traffic to the site the DNS request was for.
Starting today, Mozilla is activating the DNS-over-HTTPS security feature by default for all Firefox users in the U.S. by automatically changing their DNS server configuration in the settings. That means, from now onwards, Firefox will send all your DNS queries to the Cloudflare DNS servers instead of the default DNS servers set by your operating system, router, or network provider.
Safari will, later this year, no longer accept new HTTPS certificates that expire more than 13 months from their creation date. The aim of the move is to improve website security by making sure devs use certs with the latest cryptographic standards, and to reduce the number of old, neglected certificates that could potentially be stolen and re-used for phishing and drive-by malware attacks.
If you're a regular Naked Security reader, you'll know that we've been fans of HTTPS for years. Search engines now rate unencrypted sites lower than encrypted equivalents, and browsers do their best to warn you away from sites that won't talk HTTP. Even the modest costs associated with acquiring the cryptographic certificates needed to convert your webserver from HTTP to HTTPS have dwindled to nothing.
An infosec researcher has published a JavaScript-based proof of concept for the Netgear routerlogin.com vulnerability revealed at the end of January. Through service workers, scripts that browsers run as background processes, Saleem Rashid reckons he can exploit Netgear routers to successfully compromise admin panel credentials.
Mozilla Firefox will require user intervention to connect to websites using the TLS 1.0 or 1.1 protocol from March 2020 - and plans to eventually block those weak HTTPS connections entirely. Web servers should really be using TLS 1.2 or 1.3 for their encrypted and secure HTTPS connections.
In an attempt to improve the security of its users, the Chrome browser will soon start blocking insecure downloads on HTTPS pages, Google announced. The announcement comes just days after the release of Chrome 80, which by default blocks mixed audio and video resources if they cannot be automatically upgraded to HTTPS. The same will happen with image files in Chrome 81, which is expected to be released to the stable channel in March 2020.
GOV validation and HTTPS encryption among county election websites in 13 states projected to be critical in the 2020 U.S. Presidential Election, a McAfee survey reveals. GOV validation across these states, and 88.9% and 90.0% of websites lacked such certification in Iowa and New Hampshire respectively.
DNS-over-HTTPS (DoH) traffic can apparently be identified without actually decrypting it, a security researcher has discovered. The DoH protocol is aimed at improving the overall security of the...