HackDig : Dig high-quality web security articles

[SANS ISC] HTTPS Support for All Internal Services

I published the following diary on isc.sans.edu: “HTTPS Support for All Internal Services”: SSL/TLS has been on stage for a while with deprecated protocols, free certificates for everybody. The landscape is changing to force more and more people to switch to encrypted communications and this is good! Like Johannes explained yesterday, Chrome 9
Publish At:2021-04-16 06:44 | Read:213 | Comments:0 | Tags:SANS Internet Storm Center Security HTTPS network SANS ISC

Naked Security Live – HTTPS: do we REALLY need it?

by Paul Ducklin. Here’s our latest Naked Security Live talk, explaining why HTTPS is vital, even if you’re publishing public data that isn’t confidential. That’s because HTTPS isn’t just about the confidentiality of the data you browse to – it’s also about improving your privacy in respect of what you chose to look at, when you
Publish At:2021-01-11 14:55 | Read:596 | Comments:0 | Tags:Audio and Video Cryptography Privacy Video crypto https Nake

It’s Always DNS – But Not in the Way You May Think

A popular joke among technologists says that it’s always DNS, even when it initially didn’t seem that way. DNS issues come in many shapes and forms, including some often-overlooked security issues. DNS (short for the Domain Name System) continues to be described as “the phonebook of the Internet,” but many people, including most readers of this blog, will be
Publish At:2021-01-11 02:08 | Read:710 | Comments:0 | Tags:Cyber Security DNS Domain Name System HTTPS Network Security

S3 Ep14: Money scams, HTTPS by default, and hardcoded passwords [Podcast]

by Paul Ducklin. We advise you how to react when a friend suddenly asks for money, explain why Chromium is finally aiming for HTTPS by default, and warn you why you should never, ever hardcode passwords into your software. With Kimberly Truong, Doug Aamoth and Paul Ducklin. Intro and outro music: Edith Mudge.
Publish At:2021-01-07 09:31 | Read:423 | Comments:0 | Tags:Podcast https Naked Security Podcast passwords Scam

APWG Q3 Report: Four Out of Five Criminals Prefer HTTPS

Publish At:2020-12-03 16:23 | Read:825 | Comments:0 | Tags:Phishing BEC business email compromise https Domains

Demystifying two common misconceptions with e-commerce security

Online shopping has seen a dramatic increase in the months following the Covid-19 outbreak as more and more people opt-out of visiting physical stores. Such a phenomenon does not go unnoticed or without additional consequences. During the same time period, we have seen an increase in the usual scams but also digital skimming, the online equivalent of credit
Publish At:2020-11-20 12:42 | Read:607 | Comments:0 | Tags:Cybercrime e-commerce HTTPS iframe Magecart merchant padlock

Digicert revokes a raft of web security certificates

by Paul Ducklin. Here’s a bureaucratic nightmare that unfolded over the weekend. Digicert is one of the Big Five commercial CAs, short for certificate authorities – companies that sign and vouch for the digital certificates that put the S in HTTPS and the padlock in your browser’s address bar. As we’ve mentioned before, web certificates
Publish At:2020-07-13 11:32 | Read:863 | Comments:0 | Tags:Cryptography CA Digicert https TLS web certificate

United States wants HTTPS for all government sites, all the time

by Paul Ducklin. The US government just announced its plans for HTTPS on all dot-gov sites. HTTPS, of course, is short for “secure HTTP”, and it’s the system that puts the padlock in your browser’s address bar. Actually, the government is going one step further than that. As well as saying all dot-gov sites should be available over HTTP
Publish At:2020-06-23 12:49 | Read:1053 | Comments:0 | Tags:Uncategorized Encryption https TLS US government web securit

Abuse of HTTPS on Nearly Three-Fourths of all Phishing Sites

Since 2015, PhishLabs has tracked and continues to track how threat actors abuse HTTPS or SSL certs. In particular, threat actors often use HTTPS on their phishing sites to add a layer of legitimacy, better mimic the target site in question, and reduce being flagged or blocked from some browsers. Last year, threat actors hit
Publish At:2020-06-16 16:16 | Read:906 | Comments:0 | Tags:APWG https

The Problem with HTTPS

Despite the intent of ensuring safe transit of information to and from a trusted website, encrypted protocols (usually HTTPS) do little to validate that the content of certified websites is safe. With the widespread usage of HTTPS protocols on major websites, network and security devices relying on interception of user traffic to ap
Publish At:2020-04-14 12:47 | Read:1170 | Comments:0 | Tags:Business + Partners Threat Intelligence https threat intelli

Chrome may bring back ‘www’ with option to show full URLs

by Lisa Vaas. Enough people must have griped about the loss of “www” and “https” in Chrome’s address bar to make Google rethink it: Chromium developers are testing a new Omnibox context menu that would give users the option to “Always Show Full URLs.” You can see what the final rendition of the “Show Full URLs”
Publish At:2020-03-30 10:29 | Read:1466 | Comments:0 | Tags:Google Google Chrome Web Browsers Always Show Full URLs Cana

Firefox 76 will have option to enforce HTTPS-only connections

by John E Dunn. Converting websites from HTTP to HTTPS over the last decade must count as one of the most successful quiet security upgrades ever to affect web browsing. Using an HTTPS site means that your browser and the site establish an encrypted connection which can’t be snooped on by ISPs, rogue Wi-Fi access points, or anyone else trying to monitor the cont
Publish At:2020-03-27 10:24 | Read:1425 | Comments:0 | Tags:Firefox Google Mozilla Security threats Web Browsers browser

Rocket Loader skimmer impersonates CloudFlare library in clever scheme

Fraudsters are known for using social engineering tricks to dupe their victims, often times by impersonating authority figures to instill trust. In a recent blog post, we noted how criminals behind Magecart skimmers mimicked content delivery networks in order to hide their payload. This time, we are looking at a far more clever scheme. This latest skim
Publish At:2020-03-10 12:32 | Read:1439 | Comments:0 | Tags:Threat analysis HTTPS JavaScript Magecart skimmer skimming C

APWG Year-End Report: 2019 A Roller Coaster Ride for Phishing

The latest Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG), which compiles insights from member companies, announced that the year-end number of reported phishing websites for 2019 reached a record high. Most menacing, however, are the trends of phishing gangs targeting users of web-hosted email, social media, and busines
Publish At:2020-03-03 17:11 | Read:1409 | Comments:0 | Tags:APWG BEC https social media

Let’s Encrypt issues one billionth free certificate

by Danny Bradbury. Last week was a big one for non-profit digital certificate project Let’s Encrypt – it issued its billionth certificate. It’s a symbolic milestone that shows how important this free certificate service has become to web users. Publicly announced in November 2014, Let’s Encrypt offers TLS certificates for free. These cert
Publish At:2020-03-02 09:21 | Read:1592 | Comments:0 | Tags:Cryptography ACME Automated Certificate Management Environme