How To: Encrypted Sites May Not Be Safe to Visit Using Chrome's Default Settings

As you may have already heard, the worst bug in OpenSSL history went public yesterday, dubbed Heartbleed. While we can go deeper into the technical details of it later, the short version is that OpenSSL, the library used to encrypt much of the web running on Linux and Apache, has been vulnerable for up to two years.

The vulnerability reveals the contents of memory on any server running an unpatched version of OpenSSL, 64KB at a time. This effectively means that with enough polling, one could reconstruct the private keys to SSL certificates used on affected servers, plain-text passwords, emails, usernames, and anything else that might be floating around in memory on an affected server.

While a few big sites and service providers received early notice of the bug and were able to patch their systems before news went public, the rest of the web running OpenSSL has been scrambling to patch their systems (which requires a reboot... for those of you who need to patch your own systems to 1.0.1g).

While we can't say for sure if the private SSL keys of affected sites have been compromised, as the bug has been in the wild for 2 years, we have to assume they have been. As such, many sites are issuing new private keys for their SSL certificates, and revoking the old ones to make sure any compromised keys can't be used going forward.
So What Does All This Have to Do with Chrome?

When an SSL certificate is revoked, your browser won't trust it—but that only works if your browser knows that the certificate has been revoked. Chrome's default settings do not automatically check to see if certificates have been revoked. As such, a compromised SSL certificate could be set up on a spoofed website, and Chrome would show the green lock indicating it's secured.
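The gap described above can be reproduced offline with the `openssl` command line. This is an added example, not part of the original article: it builds a throwaway CA, issues and then revokes a certificate, and verifies it once without and once with the CA's revocation list. The names "Demo CA" and "site.example" and all file names are hypothetical.

```shell
#!/bin/sh
# Added example: throwaway CA, leaf certificate and CRL, all constructed here.
# "Demo CA" and "site.example" are hypothetical names.
revocation_demo() (
  cd "$(mktemp -d)" || exit 1
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
  # Create the CA, issue the site certificate, then revoke it and publish a CRL.
  {
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout ca.key -out ca.pem -subj "/CN=Demo CA" -days 30 &&
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout site.key -out site.csr -subj "/CN=site.example" &&
    openssl ca -batch -config ca.cnf -in site.csr -out site.pem &&
    openssl ca -config ca.cnf -revoke site.pem &&
    openssl ca -config ca.cnf -gencrl -out ca.crl
  } >/dev/null 2>&1 || exit 1
  # Client that never consults revocation data: signature and dates still pass.
  if openssl verify -CAfile ca.pem site.pem >/dev/null 2>&1
  then plain=trusted; else plain=rejected; fi
  # Client that checks the CA's CRL: the same certificate is refused as revoked.
  if openssl verify -CAfile ca.pem -crl_check -CRLfile ca.crl site.pem 2>&1 |
     grep -q "certificate revoked"
  then checked=revoked; else checked=trusted; fi
  echo "no-revocation-check=$plain crl-check=$checked"
)
revocation_demo
```

The certificate itself is unchanged between the two checks; only the client's decision to consult revocation data differs.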

How to Fix Your Chrome Settings

Simply enable the check for server certificate revocation. To do this:

1. Click the Chrome "menu" button in the upper right.
2. Click Settings.
3. Scroll down and click "Show advanced settings...".
4. Scroll down to the HTTP/SSL headline and check the box labeled "Check for server certificate revocation".

That's it. You can now browse the web knowing that any revoked certificates will no longer be trusted.
But What About All the Unpatched Websites?

There are still many encrypted sites out there that remain unpatched. To make sure your login credentials don't end up floating around in memory, ready to be picked off, refrain from logging into any HTTPS websites until they've patched their servers.

You can check to see if a domain is vulnerable using this website set up by Filippo Valsorda. It will show red if vulnerable. If you get a timeout, or it shows green, then you can rest easy knowing the server is not using one of the vulnerable versions of OpenSSL, and is safe to log in to.


