Showing posts with label HTTPS. Show all posts

8.01.2016

Google.com gets safer with HTTP Strict Transport Security (HSTS)

 
For any site you visit nowadays, HTTPS should be offered by default. I don't care about the content of the site -- there is no reason to go HTTP only in 2016. Security matters, folks.
 
Google.com -- one of the world's most popular domain names -- is aiming to get even safer by implementing HSTS. The search giant has recently enabled this technology for the benefit of its users, and it should start paying security dividends immediately.
 
"We've taken another step to strengthen how we use encryption for data in transit by implementing HTTP Strict Transport Security -- HSTS for short -- on the www.google.com domain. HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites", says Jay Brown, Sr. Technical Program Manager Security.
 
Brown also shares, "encrypting data in transit helps keep our users and their data secure. We’re excited to be implementing HSTS and will continue to extend it to more domains and Google products in the coming months".
 
If you are wondering why Google is slow to roll out HSTS across the board for all products, it isn't as easy as just flipping a switch. Actually, in testing last year, implementation on the search giant's famed 'Santa Tracker' rendered it temporarily broken -- almost ruining the much-celebrated app during Christmas. Since this is such a significant change, Google is smart to be a bit gun-shy.
 
Does Google's continued focus on safety and security increase your confidence regarding its products? Tell me in the comments.
 
Photo Credit: Joel O'Brien/Shutterstock
 
~ Brian Fagioli

1.08.2014

Yahoo finally enables HTTPS encryption for email by default

Summary: Yahoo webmail users will get a significant security benefit with the company enabling encryption by default. 
 
From today, Yahoo will begin encrypting all email connections by default, offering its users the same additional security that Google rolled out for Gmail in 2010.
 
Meeting the January 8 deadline it announced last October, Yahoo has enabled Secure Sockets Layer (SSL) — denoted by 'HTTPS' in browsers' URL bar — encryption by default for its roughly 200 million Yahoo Mail users.
 
The change means that Yahoo Mail users no longer need to manually configure their accounts to enable SSL encryption for mail, which encrypts communications between the browser and Yahoo's web servers and is meant to assure the user that the site they're communicating with really is what it claims to be.
 
"Anytime you use Yahoo Mail — whether it's on the web, mobile web, mobile apps, or via IMAP, POP or SMTP — it is 100 percent encrypted by default and protected with 2,048 bit certificates," Jeff Bonforte, Yahoo SVP of communication products, wrote in a company blog post.
 
Yahoo initially outlined plans to enable HTTPS by default, but later confirmed it would implement it with 2048-bit certificates, which is the minimum others, led by Google and Microsoft, have moved towards. So, while HTTPS by default is good news for Yahoo users, it's also come to Yahoo quite late compared to other webmail providers.
 
Google enabled SSL by default for Gmail in 2010, SSL by default in search (for signed-in users) in 2011 and now makes all searches SSL by default. Also, in November it completed its upgrade of all SSL certificates to 2048-bit RSA, with the longer key lengths making it harder to crack SSL connections.
 
Yahoo's plans to encrypt mail by default came after the first leaks from Edward Snowden, revealing the US National Security Agency (NSA) spy programs that targeted major US internet companies.
 
The NSA has also prompted a bigger response from Yahoo, which has since pledged to encrypt all data moving from the internet to its servers and all data moving between its datacentres, with the latter being a response to revelations of the NSA's 'Muscular' program, which exploited unencrypted links between datacentres of Yahoo and Google.
 
~ Liam Tung