Posts by bmorton

Chrome Kills Mixed Content for HTTPS

Posted by on December 6, 2019 in Blog | 0 comments

In a phased approach, Chrome plans to block mixed content on secure websites to improve user security. Most browsers already block some mixed content such as scripts and iframes by default. Chrome is amping it up by gradually taking steps to also block images, audio recordings and videos, according to a recent Google Security blog. Preventing mixed content to load will eventually result in HTTPS websites losing their security indicator downgrading the site to HTTP, which alerts visitors that the site is not secure. Mixed content happens when a website that is secured by HTTPS provides some...

Read More

2019 – Looking Back, Moving Forward

Posted by on January 3, 2019 in Blog | 0 comments

Looking Back at 2018 2018 was an active year for SSL/TLS. We saw the SSL/TLS certificate validity period drop to 825-days and the mass deployment of Certificate Transparency (CT). TLS 1.3 protocol was finally completed and published; and Chrome status bar security indicators changing to remove “secure” and to concentrate on “not secure.” The CA/Browser Forum has been reformed, the London Protocol was announced and the nearly full distrust of Symantec SSL completed. Here are some details on some of the 2018 happenings in the SSL/TLS ecosystem. Vulnerabilities The new vulnerabilities exposed...

Read More

Chrome Will Show Not Secure for all HTTP Sites Starting July 2018

Posted by on February 15, 2018 in Blog | 0 comments

Through 2017 and into 2018, we have seen the use of HTTPS grow substantially. Last Fall Google announced the following status: Over 68% of Chrome traffic on both Android and Windows is now protected Over 78% of Chrome traffic on both Chrome OS and Mac is now protected 81 of the top 100 sites on the web use HTTPS by default Google helped to drive this growth by implementing the “Secure” and “Not secure” status in Chrome’s status bar. “Secure” was provided for HTTPS sites. “Not secure” was implemented progressively, first resulting for HTTP pages requiring a password or credit card number....

Read More

2018 – Looking Back, Moving Forward

Posted by on January 6, 2018 in Blog | 0 comments

Looking Back at 2017 2017 saw the end of SHA-1 in public trust SSL/TLS certificates and the start of Certification Authority Authorization (CAA) allowing domain owners to authorize their CA. A “Not secure” browser indication was propagated to push more websites to support HTTPS. There was also a change in the certification authority (CA) ownership with DigiCert acquiring Symantec’s SSL and related PKI business and Francisco Partners buying Comodo’s CA. Vulnerabilities Google and CWI announced SHAttered, an attack on the SHA-1 cryptographic hash function. The attack was demonstrated by...

Read More

Certificate Transparency Deadline Moved to April 2018

Posted by on May 3, 2017 in Blog | 0 comments

Google just announced they will not be enforcing certificate transparency (CT) logging for all new TLS certificates until April 2018. In a previous blog post, we advised that Google provided a new policy, which required new TLS certificates to be published to the CT logs in order for the domain to be trusted by Chrome. The reason for the delay was not clear, but Google needs to consider the following: Overall CT policy discussions with the major stakeholders are underway, but we are still far away from a conclusion. Other browsers appear to be supporting CT, but have yet to determine their...

Read More