HTTP-over-QUIC to be renamed HTTP/3

Found on ZD Net on Tuesday, 13 November 2018

Google wants QUIC to slowly replace both TCP and UDP as the new protocol of choice for moving binary data across the Internet, and for good reasons, as tests have proven that QUIC is both faster and more secure because of its encrypted-by-default implementation (current HTTP-over-QUIC protocol draft uses the newly released TLS 1.3 protocol).

QUIC was proposed as a draft standard at the IETF in 2015, and HTTP-over-QUIC, a re-write of HTTP on top of QUIC instead of TCP, was proposed a year later, in July 2016.

That would require every server, client, firewall, router and whatever else to be upgraded or replaced. Seeing how fast IPv6 is catching on, this won't happen anytime soon.

This incredibly simple privacy app helps protect your phone from snoops with one click

Found on Fast Company on Sunday, 11 November 2018

The new app, from Cloudflare, is called–the name of the internet server it uses. Cloudflare’s main business is as a content delivery network that optimizes the speed of websites using it, as well as shielding them from cyberattacks.

Cloudflare’s DNS service is also really fast, so it could speed up your browsing, especially to sites and web services that run on Cloudflare’s network.

If your current DNS is so slow that you really notice a speedup, your current provider is incompetent. It's not really protecting you either, because the traffic still goes through your ISP like before. In exchange however, you tell Cloudflare every single request you are making, so (in theory of course) they could build a complete map of your browsing habits. Should they ever decide to go into the business of selling browsing histories, or monitoring and tracking, that service will be a goldmine.

Private messages from 81,000 hacked Facebook accounts for sale

Found on BBC News on Friday, 02 November 2018

The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be sceptical about that figure.

The breach first came to light in September, when a post from a user nicknamed FBSaler appeared on an English-language internet forum.

The embattled network has had a terrible year for data security and questions will be asked about whether it is proactive enough in responding to situations like this that affect large numbers of people.

It doesn't really make much of a difference if some Russians sell your private data, or if Facebook does it.

Google won't let you sign in if you disabled JavaScript in your browser

Found on ZD Net on Thursday, 01 November 2018

The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected.

Further, Google also launched reCAPTCHA v3 this week, a new version of its reCAPTCHA technology, which uses JavaScript to compile "risk scores" on a per-user basis. If JavaScript is turned off, this effectively negates reCAPTCHA's capabilities, hence, the reason to prevent users who intentionally disable JavaScript in their browser.

It's well known that turning off JavaScript often has very positive effects such as less tracking, faster loading times and less annoying ads. Some websites break with JS off, but that usually means their webmasters aren't worth a cent; and websites which want to force you to use JS, well, sure they can try, but it's easier to just move on to another site.

freezes up as techies race to fix dead data storage gear

Found on The Register on Monday, 22 October 2018

From about 4pm US West Coast time on Sunday (2300 UTC), the website has been stuttering and spluttering. Specifically, the site is still up and serving pages – it's just intermittently serving out-of-date files, and ignoring submitted Gists, bug reports, pushes, and posts.

Right now, we're seeing scores of complaints about the site being down on Twitter – including quite a few upset coders in Japan, where at time of writing it is late Monday morning. Nice start to the week.

If you store your project online, "in the cloud", your project is not important. Learn from it.

You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone's web privacy

Found on The Register on Friday, 19 October 2018

The privacy risks associated with web tracking, however, persist, and now it appears there's yet another mechanism for following people online. Blame researchers from the University of Hamburg in Germany for the latest expansion of the privacy attack surface.

They note that Facebook and Google, due to their behavioral ad businesses, specify longer session resumption ticket lifetimes than most. Facebook's lifetime hint setting of 48 hours is higher than 99.99 per cent of all session ticket hints found. Google's 28 hour value exceeds 97.13 per cent of Alexa's top million websites.

Facebook and Google track you. Facebook in the most aggressive way. Clearly they have learned absolutely nothing from the privacy scandals they went through and just keep on doing business like before.
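To check what lifetime hint a server of your own advertises, the value can be read straight out of the NewSessionTicket handshake message. The following is an added example, not code from the article or the researchers: it parses the TLS 1.2 message layout from RFC 5077 and compares the hint with a policy ceiling. The 24-hour ceiling, the function names and the sample messages are assumptions made for illustration.

```python
import struct

NEW_SESSION_TICKET = 4  # handshake msg_type for NewSessionTicket (RFC 5077)

def parse_new_session_ticket(msg: bytes):
    """Parse a TLS 1.2 NewSessionTicket handshake message.

    Layout: msg_type(1) | length(3) | ticket_lifetime_hint(4) | ticket_len(2) | ticket
    Returns (lifetime_hint_seconds, ticket_bytes).
    """
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    if msg[0] != NEW_SESSION_TICKET:
        raise ValueError(f"not a NewSessionTicket (msg_type={msg[0]})")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big") or len(body) < 6:
        raise ValueError("handshake length does not match body")
    hint, ticket_len = struct.unpack("!IH", body[:6])
    ticket = body[6:]
    if len(ticket) != ticket_len:
        raise ValueError("ticket length does not match body")
    return hint, ticket

def audit_lifetime(msg: bytes, max_hours: float = 24.0):
    """Compare the advertised hint with a policy ceiling (max_hours is an assumption)."""
    hint, ticket = parse_new_session_ticket(msg)
    return {
        "hint_seconds": hint,
        "hint_hours": hint / 3600,
        "ticket_bytes": len(ticket),
        # RFC 5077 reserves 0 for "lifetime unspecified", so it cannot pass a ceiling check.
        "unspecified": hint == 0,
        "exceeds_policy": hint == 0 or hint > max_hours * 3600,
    }

def build_sample(hint_seconds: int, ticket: bytes = b"\x00" * 16) -> bytes:
    """Constructed test message; the ticket bytes are filler, not a real ticket."""
    body = struct.pack("!IH", hint_seconds, len(ticket)) + ticket
    return bytes([NEW_SESSION_TICKET]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    # Constructed samples: the 48 h and 28 h hints quoted above, plus a 5 minute one.
    for label, seconds in (("48h", 172800), ("28h", 100800), ("5min", 300)):
        print(label, audit_lifetime(build_sample(seconds)))
```
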

Web browsers sharpen knives for TLS 1.0, 1.1, tell protocols to dig their own graves for 2019

Found on The Register on Tuesday, 16 October 2018

The Internet Engineering Task Force has been considering when to hold the funeral of TLS 1.0, which will be 20 years old in January 2019, as well as a burial for TLS 1.1, since June this year. Its Internet-Draft on the matter is expected to formalize the 'net standards body's “die die die” recommendation later this year. When the draft progresses to standard status, the IETF will no longer fix new protocol vulnerabilities in TLS 1.0 and 1.1.

That's going to be similar to the adoption of IPv6 probably.

Internet operator challenges network tapping by German spy agency

Found on Reuters on Monday, 15 October 2018

DE-CIX said it received orders from the Federal Intelligence Service (BND) to allow it to access data at its internet exchange in Frankfurt. The BND has in recent years received a mirror image of the traffic as part of its counter-terrorism and cyber-security efforts.

In Germany, the right to privacy of correspondence, posts and telecommunications is protected by Art. 10 of the constitution. This is restricted by a law that allows federal and state spy agencies to tap such communications, subject to review by a control commission on which lawmakers sit.

Pretty sad that you're more protected from being spied on if you send just a letter.

Facebook: Up to 90 million addicts' accounts slurped by hackers, no thanks to crappy code

Found on The Register on Friday, 28 September 2018

Facebook confessed today that buggy code potentially exposed all of its users' accounts to hackers over the past 14 months. It reckons miscreants snooped on at least 50 million people's private profiles, and perhaps as much as 90 million.

In effect, any Facebook user account was wide open to being hacked, although the Silicon Valley goliath estimated that "only" 50 million accounts were, in the words of a spokesperson, "directly affected." A further 40 million had their accounts "looked up."

Facebook spotted the hole after it noted a suspicious "spike" in user activity on Tuesday. The attack was "fairly large scale," it admitted, and when it investigated the cause, it discovered hackers were using the site's API to automate the process of grabbing users' profile information.

So, harvesting the data was not noticed as long as attackers kept the volume low. The next bug will be exploited at a slower rate; just like spammers who do not try to stuff millions of spams into a hacked account for sending anymore, but keep outgoing mail at a low rate to avoid detection and use the hacked account for a longer time.

Millennials more likely to fall for scams than baby boomers

Found on Washington Examiner on Wednesday, 26 September 2018

The Better Business Bureau reports that 69 percent of scam victims are under the age of 45. Young adults heading off to college are especially gullible, the group says.

This statistic is incredibly shocking, as many assume internet scams prey on the elderly. However, new technology and evolving scam methods put everyone at risk. BBB says that 78 percent of scam victims hold a college or graduate degree.

It's always fun to see how millennials claim to be the best there is when at the same time reality shows that they aren't at all.