Tag Archives: https

Chrome 66 to Untrust Symantec-issued Certificates

Chrome is really tightening up the security game here. In Chrome 66 it will untrust Symantec-issued SSL/TLS certificates, after Symantec has repeatedly screwed up by wrongly issuing certificates for domains, including google.com itself. Thanks to a decision in September by … Continue reading

Elsewhere , , Leave a comment

Extended Validation Is Broken

https://stripe.ian.sh/ is an interesting site by Ian Carroll. See it? Take a closer look at the certificate. Yes, that’s one for “Stripe, Inc” … but, that’s not “Stripe, Inc” is it? This site uses an EV certificate for “Stripe, Inc”, … Continue reading

Elsewhere , , , Leave a comment

Get HTTPS working on localhost, with green padlock

In On “Secure Contexts” in Firefox, HTTPS for local development, and a potential nice gesture by Chrome I said: One of the things that’s still not really frictionless for your local development domains is the use of certificates. To circumvent … Continue reading

Elsewhere , , Leave a comment

On “Secure Contexts” in Firefox, HTTPS for local development, and a potential nice gesture by Chrome

👋 This post also got published on Medium. If you like it, please give it some love a clap over there. Earlier today, in a post entitled Secure Contexts Everywhere, it was announced on the Mozilla Security Blog that Firefox … Continue reading

Original Content , , , , 1 Comment

Monitoring for the encrypted web with “Oh Dear!”

Because there’s more to HTTPs than just monitoring for certificate expiration dates. Next to SSL Certificate Expirations, Oh Dear! also scans for Mixed Content, Revoked (Intermediate) Certificates, the use of bad or insecure ciphers, etc. Knowing that this service is … Continue reading

Elsewhere , Leave a comment

Mixed Content and Responsive Images

Interesting issue Jonathan Snook ran into when switching a site over to HTTPS. Even though images from HTTP resources should still get loaded by the browser (as they are Passive Mixed Content, and thus tolerated), they weren’t: After some digging, … Continue reading

Elsewhere , , , Leave a comment

API

(Source: xkcd #1481)

Elsewhere , , , , Leave a comment

Marking HTTP As Non-Secure

My name is Bramus and I approve this message: We, the Chrome Security Team, propose that user agents (UAs) gradually change their UX to display non-secure origins as affirmatively non-secure. We intend to devise and begin deploying a transition plan … Continue reading

Elsewhere , , , Leave a comment

Mixed Content Scan: Scan your HTTPS-enabled website for Mixed Content

With my recent move to HTTPS I wasn’t sure if there were any pages left on my site that had Mixed Content or not. If an HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only … Continue reading

Elsewhere , , , , 2 Comments

Yik Yak Messaging App Vulnerability

Yik Yak’s HTTPS communication for iOS is actually fine […] so what’s the problem? […] The vulnerability begins in the fact that Yik Yak’s sole means of user identification is one string; the userID. There are no passwords. […] Yik … Continue reading

Elsewhere , , Leave a comment