HTTPS adoption has surged over the past few years, mostly thanks to the availability of free SSL/TLS certificates from Let's Encrypt. Browser vendors have also been encouraging sites to switch to HTTPS, and Google said earlier this year that Chrome would eventually mark all HTTP-only sites as 'Not Secure.'
Chrome 68 is due to be released tomorrow (at least on desktop platforms), and it's the first release that will display a 'Not secure' message in the address bar on HTTP pages. Chrome already displays the message on HTTP sites with data entry fields, but starting tomorrow, all non-secure pages will be shamed. Read More
Earlier this year, the team behind Chrome stated that all HTTP pages will be marked as 'Not secure' later on this year, in a bid to encourage even more site owners to move to the more secure HTTPS standard. We now know a little bit more about planned changes to Chrome's security indicators, including how HTTPS pages will be shown as default pages going forward. Read More
Three years ago, Google paid $25 million for exclusive rights to the '.app' top-level web domain. At long last, the company is now opening up registrations for .app, with the Early Access Program in full swing. The general public will have to wait until May 8, but various companies have already bought over 3,000 .app domains. Read More
For years, HTTPS was regarded as only necessary for sites handling critical information, like bank portals. The movement for all sites to use HTTPS has gained traction over the past few years, partially thanks to the availability of free SSL/TLS certificates from Let's Encrypt, and partially thanks to browsers encouraging sites to switch. Starting with version 68, Chrome will start marking all HTTP sites as 'Not Secure.' Read More
Google has been planning to mark all HTTP sites as non-secure in Chrome for a while now, but the company is taking baby steps to ensure users (and owners of HTTP-only sites) don't freak out. Chrome already identifies HTTP sites with password or credit card fields as "Not Secure" in the address bar, and Chrome 62 will expand that to any HTTP site with any data entry fields. Read More
Ever noticed how your Android Downloads folder easily gets cluttered with useless files and documents that you viewed once and never needed again? This is especially true of PDF files since Chrome can't open them natively and thus hands them over to other applications, the default being Google Drive's PDF viewer. Well, I noticed a strange thing recently: sometimes PDF files would just load in Drive directly and it seemed that my phone's Downloads folder clutter wasn't getting out of hand as fast as it used to. Some investigation was in order.
Turns out that a new feature crept up in Google Drive's 2.3.544.17 release on January 28. Read More
Alert! Alert! If you use Instagram's Android app, complete strangers could be looking at your photos of appetizers and makeup techniques right now! ...which is kind of the point of Instagram, I suppose. But security researcher Mazin Ahmed discovered that the app uses standard HTTP to transmit photos, cookies, and authentication (including usernames and unique IDs), instead of the encrypted HTTPS protocol. As Mr. Mackie is so fond of saying, that's bad.
Using a set of freely-available tools, Ahmed was able to hijack the app's connection from a PC on the same network and authenticate as the relevant user. It's a fairly standard technique for hackers, which is why most sites and services with any kind of log-in functionality usually use HTTPS by default, including Instagram's owner, Facebook. Read More