The Daily Swig Web security digest

‘A secure web is here to stay’

James Walker | 09 February 2018 at 13:07

Top infosec trends in the social media spotlight this week…

Life is about to get more difficult for man-in-the-middle attackers, following Google’s announcement that, beginning in July 2018, Chrome will (finally) mark all HTTP sites as insecure:

Web browsers have long been nudging site admins in the direction of HTTPS encryption. Google itself has been gradually marking some HTTP sites as insecure since last January.

Although the Mountain View tech giant said the push towards HTTPS has been “incredible” over the past 12 months, 20% of the Alexa Top 100 sites continue to use the protocol’s unencrypted predecessor.

It’s hoped that Google’s latest announcement will sound the death knell for HTTP, as the last wave of admins migrate to HTTPS in an effort to avoid besmirching their site’s reputation.

A quick straw poll on Twitter indicates wholehearted support for Google’s actions. And those who still question the need for HTTPS on static web pages will no doubt join the masses once they realize the knock-on benefits:

In legal news, the infosec community watched with interest as the UK’s Lord Chief Justice announced that alleged British hacker Lauri Love should not be extradited to the US to face trial:

Love is alleged to have stolen vast amounts of data from numerous US agencies, including the Federal Reserve, the US Army, the Department of Defense, Nasa, and the FBI, in a spate of online attacks.

The defendant’s lawyer, Edward Fitzgerald QC, told the Court of Appeal that Love was not seeking immunity from justice, but said if he was sent to the US there was a significant risk he would not be fit to be tried.

Fellow extradition-avoider Julian Assange heaped praise on the decision:

Elsewhere, Mick Mulvaney, head of the Consumer Financial Protection Bureau (CFPB), came under fire this week, amid reports that regulators have put the brakes on the Equifax data breach probe:

According to Reuters news agency, Mulvaney, who replaced CFPB director Richard Cordray in November, has failed to order any subpoenas against Equifax or seek sworn testimony from its executives – routine steps when launching a full-scale probe.

The issue has not escaped the attention of New York State Attorney Eric Schneiderman, who said his office will continue to push for answers:

Finally, Liam Byrne, the UK’s Shadow Digital Minister, braved the masses during an Ask Me Anything session on Reddit yesterday:

Given Redditors’ proclivity to jump on any guest perceived to be providing canned answers (Rampart, anyone?), the fallout from Byrne’s vague statements such as “backdoors are bad news” was perhaps to be expected.

And while the politician did make some interesting points surrounding the need for a Digital Bill of Rights and learning from other countries’ cybersecurity policies, these comments were lost in a sea of (largely unanswered) questions:

Summarizing the session, one user affirmed the idea that (aside from Barack Obama, whose insightful Q&A remains the top-rated AMA of all time) politicians and Reddit generally do not mix.

“He ran away within an hour,” they said. “It’s a bit of a shit-show really. And half the real questions weren’t even attempted.”

Ouch.