News

Web Browser Security

• March 27, 2018 27 Mar'18

  TLS 1.3 update is finalized with encryption upgrade

  The IETF approves the TLS 1.3 encryption protocol upgrade after four years and 28 versions; improvements include better security and performance, as well as middlebox support.

• March 21, 2018 21 Mar'18

  Firefox bug exposes passwords to brute force -- for nine years

  A Firefox bug exposing the browser's master password to a simple brute force attack against inadequate SHA-1 hashing is still on the books after nearly nine years.

• February 27, 2018 27 Feb'18

  Ad network cryptojacking attack bypasses ad blockers

  Qihoo 360's Netlab team discovered an online ad network has been bypassing ad blockers and running cryptomining software in the browsers of unsuspecting visitors.

• February 21, 2018 21 Feb'18

  Google discloses Microsoft Edge vulnerability without a patch

  Google's Project Zero publicly published an Edge browser vulnerability after the 90-day disclosure deadline expired, and Microsoft has yet to patch the flaw.

• February 07, 2018 07 Feb'18

  Grammarly vulnerability exposed user documents

  A Grammarly vulnerability in its browser extension authentication could have exposed users' sensitive documents if the popular spelling and grammar checker were left unpatched.

• December 29, 2017 29 Dec'17

  Browser login managers allow tracking scripts to steal credentials

  News roundup: Login managers enable the exposure of user credentials in over 1,000 websites. Plus, Mozilla patched a critical vulnerability in Thunderbird, and more.

• December 19, 2017 19 Dec'17

  Flawed Keeper password manager preinstalled on Windows 10

  Google Project Zero's Tavis Ormandy discovered a flaw in the Keeper password manager browser extension that could allow attackers to steal credentials.

• November 03, 2017 03 Nov'17

  Certificate authority business undergoes major changes

  News roundup: Comodo and Symantec sales signal important changes in the certificate authority business. Plus, an Oracle vulnerability gets a CVSS score of 10.0, and more.

• August 18, 2017 18 Aug'17

  Hijacked Chrome extensions infect millions of users

  News roundup: Hackers leveraged eight hijacked Chrome extensions to attack 4.8 million browser users. Plus, Cloudflare stopped protecting a neo-Nazi website from DDoS attacks, and more.

• August 03, 2017 03 Aug'17

  Symantec Website Security, certificate authority business sold to DigiCert

  DigiCert agrees to buy majority stake in Symantec Website Security just days after Google releases an April 2018 distrust date for Symantec certificates.

• July 20, 2017 20 Jul'17

  Industry reacts to Symantec certificate authority trust remediation

  As the Symantec certificate authority scrambles to transition its certificate-issuance operations to a subordinate certificate authority, the CA industry sharpens its knives.

• July 19, 2017 19 Jul'17

  Symantec agrees to transfer certificate issuance to third party

  Symantec has agreed to a plan that would transfer its certificate issuance and validation operations to as-yet-unnamed third-party partner starting Dec. 1.

• July 13, 2017 13 Jul'17

  Symantec certificate authority business reportedly for sale

  As Google and Mozilla prepare plans to reduce trust for Symantec's certificate authority, the antivirus vendor is reported to be seeking a buyer for its web certificate business.

• July 10, 2017 10 Jul'17

  WoSign CA certificates get end-of-trust date in Chrome

  Google to distrust all WoSign CA certificates in Chrome starting in September, as the troubled certificate authority passed a key audit and is seeking a new CEO to help return trust.

• June 14, 2017 14 Jun'17

  Symantec CA remediation plan faces more delays

  The battle over Symantec CA operations continues as the antivirus vendor pushes back against a consensus remediation proposal from the web browser community.