Remember when we warned in February Apple will crack down on long-life HTTPS certs?

Found on The Register on Saturday, 04 July 2020
Browse Internet

From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats.

"Connections to TLS servers violating these new requirements will fail," Apple warned in its official note. "This might cause network and app failures and prevent websites from loading."

Mozilla and other tech giants previously lobbied the CA/Browser Forum – a collective of certificate issuers and browser makers – for shorter cert lifetimes. After those proposals were shot down in a vote, Apple went ahead anyway with a one-year-max policy and bypassed the industry forum, a move backed by the Chromium team.

Long-lived certificates are mostly EV certificates. So if these websites decide to switch to DV certificates like Let's Encrypt, they actually lower the bar. In the end, lifetime decisions should be left to the webmaster.

YouTube TV jumps 30% in price effective immediately

Found on Ars Technica on Thursday, 02 July 2020

Brand-new customers can expect to pay $65/mo for the service from here on out, while existing customers will see the price jump from $50 to $65 on their July bill.

The other family of streaming and TV services to see a price hike today comes from AT&T, whose AT&T TV (a streaming-only product with rates and plans that resemble standard cable contracts) and DirecTV (a standard satellite-TV product) are each seeing their new-customer rates jump.

These price spikes come less than three months after AT&T disclosed a massive 890,000 drop in premium TV service subscribers.

How many hundreds of dollars are consumers supposed to pay each month, now that everybody seems to roll out their own streaming service?

India bans TikTok, WeChat and dozens more Chinese apps

Found on BBC News on Wednesday, 01 July 2020

India's Ministry of Information Technology said it was banning the 59 Chinese apps after receiving "many complaints from various sources" about apps that were "stealing and surreptitiously transmitting users' data in an unauthorised manner".

"The compilation of these data, its mining and profiling by elements hostile to national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India, is a matter of very deep and immediate concern which requires emergency measures," the ministry said.

China massively collects each and every bit of information, dubbed "thousand grains of sand".

Google says it will keep less browser history and location data by default

Found on NBC News on Monday, 29 June 2020

There will be no automatic change for existing accounts and people who already have location history turned on in their Google settings, but the company plans to inform existing users of the option to set up auto-delete after three to 18 months, he said. People also have the option to turn the setting off.

The change comes after growing scrutiny of the amount of data that tech companies such as Google collect and retain. Personal data helps to fuel Google’s lucrative advertising business by allowing marketers to better target their ads.

Or, they could just keep no data by default.

Comcast, Mozilla strike privacy deal to encrypt DNS lookups in Firefox

Found on Ars Technica on Thursday, 25 June 2020

Comcast is partnering with Mozilla to deploy encrypted DNS lookups on the Firefox browser, the companies announced today. Comcast's version of DNS over HTTPS (DoH) will be turned on by default for Firefox users on Comcast's broadband network, but people will be able to switch to other options like Cloudflare and NextDNS.

Firefox CTO Eric Rescorla said that "bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences," and that Mozilla hopes today's news "sets a precedent for further cooperation between browsers and ISPs."

So DoH is getting forced down the throat of everybody to protect their privacy, because traditional DNS offered by your ISP lets them snoop on you, and now Comcast joins TRR, but of course now it won't snoop on you anymore. Really now? DoH has proven its failure.

Facebook accused of trying to bypass GDPR, slurp domain owners' personal Whois info

Found on The Register on Wednesday, 24 June 2020

Earlier this month, the CEO of domain registrar Namecheap Richard Kirkendall warned “Facebook is fighting for the blanket right to access your information,” and detailed efforts behind the scenes at DNS overseer ICANN to force through Facebook’s interpretation of privacy laws to slurp data on domain holders.

Facebook has been particularly aggressive, filing tens of thousands of requests for data on domains that are often only tangentially related to its trademarks and insisting its rights are being infringed. When those requests have been rebuffed, Facebook has then sued the companies that people used to register the names, claiming trademark infringement and demanding $100,000 in compensation.

But so far at least, the antisocial network – whose entire business is built on grabbing, storing and monetizing this kind of data – is determined to keep pushing its claims, even if it delays the creation of a new system for everyone else.

Hopefully the big registrars won't give in. Facebook is collecting way too much data and anybody who believes the whois information will not be merged into the databases with (shadow) profiles also believes in unicorns.

To evade detection, hackers are requiring targets to complete CAPTCHAs

Found on Ars Technica on Friday, 19 June 2020

Microsoft recently spotted an attack group distributing a malicious Excel document on a site requiring users to complete a CAPTCHA, most likely in an attempt to thwart automated detection by good guys.

Periodically changing up attack routines is one way attackers stay ahead of defenders, creating a never-ending back-and-forth process that requires constant vigilance for defenders to stay on top of. It’s likely the attack group will change course again in the coming months.

Captchas are bad enough already. If someone mails you anything that brings up a captcha, ignore it. Even if it is legit.

Google is messing with the address bar again—new experiment hides URL path

Found on Ars Technica on Tuesday, 16 June 2020

As spotted by Android Police, new flags in the developer versions of the popular browser now want to hide the URL path. So for an article like this one, instead of "https://arstechnica.com/gadgets/2020/06/google-is-messing-with-the-address-bar-again-new-experiment-hides-url-path/," the address bar would show "arstechnica.com."

It's unknown what Google's plans are for the experiment, but hiding more URL information would line up with Chrome's previous actions. For years the Chrome team has wanted to kill the URL bar, arguing that it's a confusing way to express Web identity. While Google hasn't outright killed the bar yet, Chrome has made numerous changes to try to "simplify" the URL bar. Currently, Chrome hides URL protocol if it is HTTP or HTTPS.

Can we please stop dumbing down users? For decades now, seeing the URL has confused nobody, but now Google thinks it is too complex. The full URL is important information, and messing with that is flat out a stupid idea.

Whatsapp blamed own users for failure to keep phone number repo off Google searches

Found on The Register on Monday, 15 June 2020

Athul Jayaram, a self-described “full time bug bounty hunter”, published a blog post earlier this week highlighting that a large number of Whatsapp users’ mobile numbers could easily be found by searching Google for the domain “wa.me”.

Whatsapp has suffered from security and privacy problems in the recent past – some big, some less so, and some downright scary. Facebook, its owner, makes a big deal out of its security features including end-to-end encryption. Technical security is no good if you’re going to let the world’s biggest search engine, run by the world’s biggest advertising technology company, hoover up your users’ phone numbers by exposing them in plaintext on one of your websites.

A good question is whether this is a GDPR violation.

Facebook Pitched New Tool Allowing Employers to Suppress Words Like “Unionize”

Found on The Intercept on Sunday, 14 June 2020

The presentation discussed the “benefits” of “content control.” And it offered one example of a topic employers might find it useful to blacklist: the word “unionize.”

The suggestion that Facebook is actively building tools designed to suppress labor organizing quickly caused a stir at the Menlo Park, California-based company. Facebook employees sparked a flurry of posts denouncing the feature, with several commenting in disbelief that the company would overtly pitch “unionize” as a topic to be blacklisted.

It's painful to watch how slowly people are starting to realize how bad Facebook really is.