News

Web Browser Security

• August 16, 2018 16 Aug'18

  Finalized TLS 1.3 update has been published at last

  The finalized TLS 1.3 update has been published after a four-year process. The new protocol promises to be faster and more secure than its predecessor, TLS 1.2.

• July 13, 2018 13 Jul'18

  Chrome site isolation arrives to mitigate Spectre attacks

  In an effort to mitigate the risk of Spectre attacks, Google Chrome site isolation has been enabled for 99% of browser users to minimize the data that could be gleaned by an attacker.

• July 09, 2018 09 Jul'18

  How did an old, unpatched Firefox bug expose master passwords?

  A Firefox bug went undetected for nine years. Expert Michael Cobb explains how it enabled attackers to access the browser's master password and what's being done to mitigate it.

• June 29, 2018 29 Jun'18

  WebAssembly updates may cancel out Meltdown and Spectre fixes

  News roundup: Upcoming WebAssembly updates may undo the Meltdown and Spectre mitigations. Plus, FireEye denied claims it 'hacked back' China, and more.

• June 08, 2018 08 Jun'18

  Apple plans to disable Facebook web tracking capabilities

  News roundup: Apple wants to protect its users from Facebook web tracking with the next version of Safari. Plus, genealogy website MyHeritage suffers data breach, and more.

• March 27, 2018 27 Mar'18

  TLS 1.3 update is finalized with encryption upgrade

  The IETF approves the TLS 1.3 encryption protocol upgrade after four years and 28 versions; improvements include better security and performance, as well as middlebox support.

• March 21, 2018 21 Mar'18

  Firefox bug exposes passwords to brute force -- for nine years

  A Firefox bug exposing the browser's master password to a simple brute force attack against inadequate SHA-1 hashing is still on the books after nearly nine years.

• February 27, 2018 27 Feb'18

  Ad network cryptojacking attack bypasses ad blockers

  Qihoo 360's Netlab team discovered an online ad network has been bypassing ad blockers and running cryptomining software in the browsers of unsuspecting visitors.

• February 21, 2018 21 Feb'18

  Google discloses Microsoft Edge vulnerability without a patch

  Google's Project Zero publicly published an Edge browser vulnerability after the 90-day disclosure deadline expired, and Microsoft has yet to patch the flaw.

• February 07, 2018 07 Feb'18

  Grammarly vulnerability exposed user documents

  A Grammarly vulnerability in its browser extension authentication could have exposed users' sensitive documents if the popular spelling and grammar checker were left unpatched.

• December 29, 2017 29 Dec'17

  Browser login managers allow tracking scripts to steal credentials

  News roundup: Login managers enable the exposure of user credentials in over 1,000 websites. Plus, Mozilla patched a critical vulnerability in Thunderbird, and more.

• December 19, 2017 19 Dec'17

  Flawed Keeper password manager preinstalled on Windows 10

  Google Project Zero's Tavis Ormandy discovered a flaw in the Keeper password manager browser extension that could allow attackers to steal credentials.

• November 03, 2017 03 Nov'17

  Certificate authority business undergoes major changes

  News roundup: Comodo and Symantec sales signal important changes in the certificate authority business. Plus, an Oracle vulnerability gets a CVSS score of 10.0, and more.

• August 18, 2017 18 Aug'17

  Hijacked Chrome extensions infect millions of users

  News roundup: Hackers leveraged eight hijacked Chrome extensions to attack 4.8 million browser users. Plus, Cloudflare stopped protecting a neo-Nazi website from DDoS attacks, and more.

• August 03, 2017 03 Aug'17

  Symantec Website Security, certificate authority business sold to DigiCert

  DigiCert agrees to buy majority stake in Symantec Website Security just days after Google releases an April 2018 distrust date for Symantec certificates.