As part of its campaign to make the web more secure for users, Google will enhance Chrome browser security to start...
flagging websites using HTTP to transmit passwords or credit card information.
Because web traffic transmitted over HTTP is not encrypted, it can be monitored -- or even changed -- by an attacker. Google's announcement is part of a long-term strategy to motivate users and content providers to migrate away from transmitting unencrypted web content.
"Beginning in January 2017 (Chrome 56), we'll mark HTTP sites that transmit passwords or credit cards as nonsecure, as part of a long-term plan to mark all HTTP sites as nonsecure," Emily Schechter, a product manager in the Chrome security team, wrote on the Google Security Blog. "Chrome currently indicates HTTP connections with a neutral indicator. This doesn't reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or modify the site before it gets to you."
The plan to move away from HTTP is ongoing. "In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as 'not secure' in Incognito mode, where users may have higher expectations of privacy," Schechter wrote. "Eventually, we plan to label all HTTP pages as nonsecure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS."
Previous steps in the campaign to improve Chrome browser security included Google's launch of its Certificate Transparency Report. Google -- and other leading browser providers -- has also been removing support for other deprecated or insecure protocols and algorithms, including SHA-1, RC4 and SSLv3.
"Google is taking a great step toward improving security on the web by alerting users to websites that are using weak encryption that endangers security and privacy. It remains to be seen if users will pay attention," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, based in Salt Lake City. "Unfortunately, many organizations are struggling to keep up with Google's efforts to increase authentication, confidence and privacy. Many organizations still blindly trust all encrypted traffic, even though we know that cybercriminals have been able to subvert encryption in a variety of cyberattacks. As far back as 2012, a broad range of industry voices, including Gartner, started sounding the alarm on this topic, but, so far, most organizations have been less than responsive."
In other news:
- The FBI has arrested two more of the "Crackas with Attitude," who last year managed to create a stir after they hacked CIA Director John Brennan's AOL account. The U.S. Attorney's Office of the Eastern District of Virginia announced in a press release that two North Carolina men had been arrested in connection with their alleged roles in the hacking of several senior U.S. government officials and U.S. government computer systems. According to charging documents filed with the court, the two conspired with other members of the group from about October 2015 to February 2016, using "'social engineering' hacking techniques, including victim impersonation, to gain unlawful access to the personal online accounts of senior U.S. government officials, their families and several U.S. government computer systems. In some instances, members of the conspiracy uploaded private information that they obtained from victims' personal accounts to public websites; made harassing phone calls to victims and their family members; and defaced victims' social media accounts. At least three other members of the conspiracy are located in the United Kingdom and are being investigated by the Crown Prosecution Service."
- According to research from the German security consulting firm SEC Consult, millions of internet-facing devices are still sharing private keys, and the problem has gotten 40% worse over the past nine months. The research discovered millions of routers, modems, internet gateways and other embedded devices use secret keys and certificates that have been improperly baked in to firmware images to allow access to SSH and HTTPS for remote management of devices. "The number of devices on the web using known private keys for HTTPS server certificates has gone up by 40% in the last nine months (3.2 million in November 2015 vs. 4.5 million now)," SEC Consult wrote.
- Google finished patching four vulnerabilities, collectively dubbed Quadrooter, in Android devices using Qualcomm chips. Two of the four vulnerabilities (CVE 2016-2503 and CVE 2016-2504) were patched in Google's Android Security Bulletins for July and August; the last two (CVE-2016-2059 and CVE-2016-5340) were patched in the September bulletin. As many as 900 million devices were vulnerable to the flaws, which were presented by Check Point researchers at DEF CON in Las Vegas this summer. According to Check Point, the flaws could be exploited by an attacker using a malicious app. "Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing."
- Dell finally swallowed EMC in the final chapter of the $60 billion deal that included the acquisition of RSA. RSA President Amit Yoran wrote in a blog post that the new ownership would not change RSA's mission, stating: "There will be no changes to our product strategies, sales models, customer support interactions, processes or resources that we are not driving." EMC bought RSA in 2006 for $2.1 billion. At the time, many questioned the wisdom of EMC's purchase of RSA.
Find out more about using the Let's Encrypt open certificate authority.
Learn about the benefits and limitations of switching to HTTPS.
Read about how HTTP Strict Transport Security enhances application security.