Wikipedia goes all-HTTPS, starting immediately

The next time you look up the Wikipedia entry on the Zimbabwean dollar, it will be a lot harder for someone to snoop on you.

The Wikimedia Foundation announced that starting Friday, it has begun “the process of implementing HTTPS by default to encrypt all Wikimedia traffic.”

It will also use HTTP Strict Transport Security (HSTS) “to protect against efforts to ‘break’ HTTPS and intercept traffic.”

Read 2 remaining paragraphs | Comments

Ding dong, the witch is dead: Microsoft AV gets tough on Ask Toolbar

Microsoft has started classifying most versions of the Ask Toolbar as unwanted software and has updated its malware programs to automatically remove them.

The move drew applause from security and support professionals because the Ask Toolbar has long been a source of performance problems that can sometimes be hard to correct. Making the toolbar more vexing is its ability to sneak its way on to computers when end users aren't paying attention. Oracle's Java software framework, for instance, has long installed it automatically unless users remember to uncheck a hard-to-see box during updates. Even after unchecking the box during one update, the box would be checked during subsequent updates, requiring end users to remain vigilant each time they installed frequent security fixes for Java.

In a recent addition to Microsoft's Malware Protection Center, the company said all but the most recent version of the Ask Toolbar will be classified as unwanted software. As a result, Windows Defender, Microsoft Security Essentials, and Microsoft Security Scanner will automatically remove it when detected.

Read 2 remaining paragraphs | Comments

OpenSSL Patches Multiple Vulnerabilities

Original release date: June 12, 2015

OpenSSL has released updates addressing multiple vulnerabilities, one of which allows a remote attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography—an attack known as Logjam (CVE-2015-4000). Exploitation of some of these vulnerabilities could allow the attacker to read and modify data passed over the connection.

Updates available include:

  • OpenSSL 1.0.2b for 1.0.2 users
  • OpenSSL 1.0.1n for 1.0.1 users
  • OpenSSL 1.0.0s for 1.0.0d (and below) users
  • OpenSSL 0.9.8zg for 0.9.8r (and below) users

Users and administrators are encouraged to review the OpenSSL Security Advisory and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Even with a VPN, open Wi-Fi exposes users

By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don't encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn't widely appreciated.

Large sites like Twitter and Google have adopted SSL broadly in order to protect users on such networks. But for broader protection, many people use a virtual private network (VPN). Most people, if they use a VPN at all, use a corporate one. But there are public services as well, such as F-Secure's Freedome and Privax's HideMyAss. Your device connects with the VPN service's servers and establishes an encrypted tunnel for all your Internet traffic from the device to their servers. The service then proxies all your traffic to and from its destination.

It's a better solution than relying on SSL from websites for a number of reasons: with a VPN, all of the traffic from your device is encrypted, whether the site you are visiting has SSL or not. Even if the Wi-Fi access point to which you are connected is malicious, it can't see the traffic. Any party that is in a position to monitor your traffic can't even see the addresses and URLs of the sites with which you are communicating, something they can do with SSL over open Wi-Fi.

Read 14 remaining paragraphs | Comments