New update to fix TLS security hole in Firefox

HTTP/2 is coming, some time soon, and one of the things it offers is a feature called HTTP Alternative Services, abbreviated to Alt-Svc. At the moment, if you want to redirect vistors to your website somewhere else, you send a special sort of HTTP reply to tell them to do just that.

We tell your browser to try again, connecting instead via HTTPS, the secure version of HTTP. We use HTTPS because you get encryption, which means no-one sitting nearby in the coffee shop can see what you're reading.

We use HTTPS because you get authentication, which means you can be pretty certain that the security advice you're getting came from us, and not some shabby imposter who wants to use our good name to talk you into bad practices.

You'd either have to use HTTP and hope your victims wouldn't notice the lack of a secure connection, or use HTTPS and hope they wouldn't notice the certificate warnings telling them that you probably weren't the lawful owner and operator of the yourbank.

Some users would probably end up getting tricked anyway, but well-informed users ought to spot the ruse at once, and remove themselves from harm's way.

Even though HTTP/2 isn't yet finalised, and very few legitimate servers actually use it in real life, it is already supported by popular web servers such as Apache and Nginx, and by Microsoft's IIS in Windows 10 Preview.
New update to fix TLS security hole in Firefox New update to fix TLS security hole in Firefox Reviewed by Kanthala Raghu on April 08, 2015 Rating: 5

No comments:

Powered by Blogger.