A secure web is here to stay.

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.

Developers have been transitioning their sites to HTTPS and making the web safer for everyone. Progress last year was incredible, and it’s continued since then:

• Over 68% of Chrome traffic on both Android and Windows is now protected
• Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
• 81 of the top 100 sites on the web use HTTPS by default

Contact us today to make your visitors comfortable by securing your website.

Chrome is dedicated to making it as easy as possible to set up HTTPS. Mixed content audits are now available to help developers migrate their sites to HTTPS in the latest Node CLI version of Lighthouse, an automated tool for improving web pages. The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.

Lighthouse is an automated developer tool for improving web pages.

Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP. Developers, check out our set-up guides to get started.

Someone on Reddit described how he was the victim of a very sophisticated social engineering attack. Wow, this is crafty. This is the story:

“I have different passwords for every website I log into, 2-factor authentication when possible; I thought I knew all the scams and could spot them a mile away. This one still got me.

I was meeting a friend at a bar. Two drinks in I got a call from someone identified by my phone as Wells Fargo. I’m fully aware this could be spoofed, but it did not raise alarm bells yet. I was at a bar I did not frequent and have gotten calls from my bank before on suspicious charges that were legit, so I answered expecting this to be the case.

The person I spoke with said they were with Wells Fargo and they’ve identified fraudulent charges on my account but they need to verify my identity before they can discuss details. They said they sent me a text message (via the cell number they just called, which is my first clue this is phishing). They asked me to read back to them the 6-digit number just texted me to verify my ID.

Being two drinks in, slightly expecting what this was about, I had zero alarm bells going off. My bad, this was stupid of me. I read the number to them. They suggested it timed out and I needed to read another number they texted to me. Minimal time had passed, a mild spidy sense was tingling, but I still was not concerned enough to ask questions and read them a second 6-digit code.

This person then read off 5 recent charges on my account, 4 of which I recognized as legit and a 5th that was a $1000 charge to a credit card I did not own. I immediately identified this as a fraudulent charge and they said: “no prob dude, we’ll freeze your card and send you a new one”. They even gave me the last 4 on the card it was coming from. I was appeased enough to continue (sadly).

Finally, they said they sent me one final 6-digit code to confirm that they were crediting my account back with the $1000 fraudulent charge. I just needed to read off the final code they texted to me. At this point, things seem weird to me but they got me at a good time. I was 2 drinks in, was interrupted from hanging with a close friend I hadn’t seen in months and was outside trying desperately to avoid the loud noise inside the bar but still dealing with traffic noise outside. I just wanted to be done with this. I read them the final code and they thanked me and hung up.

At this point, I see why my phone had been vibrating constantly through this call. I had 4 emails from Wells Fargo. 1) Your username has been reset, 2) your password has been reset, 3) Welcome to Zelle! an awesome $$$ forwarding service, 4) You’ve just forwarded $1000!!!!!

I called Wells Fargo via the number on the back of my card. After being on hold for 45 min trying to get the fraud department, I start to tell my story only to have the call drop (I’m pretty sure they hung up on me). I called back and was on hold for 1 hour 20 min (my account has been compromised >2 hours by this time) to get a second person. He told me this was a scam they’ve been dealing with for 3 months and I needed to go into a branch with 2 forms of ID to deal with it. There was nothing he could do tonight.

TL;DR: Dude spoofed Wells Fargo when calling me on my cell, requested a reset of my username, password, and approval for $1000 transfer. I stupidly read off the confirmation numbers I received via text to him, he entered them into Wells Fargo website to approve all these requests. Wells Fargo has known their customers have been getting scammed for 3 months and didn’t bother to warn anyone. I now have to go into a branch, hang my head and tell my shameful story to a person and beg for access to my account because someone else has control of it all night tonight.”

Good lesson to be learned: Never, ever give any kind of confidential data to someone WHO CALLS YOU. Always call back to the number on the back of your card.

If your Windows PC seems buggier than usual after the recent round of Spectre patches, you might want to download this.

By Mark Hachman  Senior Editor, PCWorld

If you’ve noticed any unexpected reboots or PC instability as a result of the recent Spectre patches, there’s a solution: Microsoft has issued an emergency Windows patch that rolls back the recent Spectre mitigations.

Confused? It’s a bit complicated. After the intial Spectre and Meltdown vulnerabilites were disclosed, both Intel and Microsoft hustled out patches to mitigate the problem. Unfortunately, Intel’s latest microcode updates—and the BIOS updates from PC makers based upon them—were themselves buggy, causing instability, reboots, and data loss in some PCs.

Microsoft’s latest patch (KB4078130) allows people with affected systems to download the patch via the Microsoft Update Catalog, which disables the mitigations for the “Spectre variant 2.”

Note that the patch notes specifically state that you should run this patch “if you are running an impacted device” (emphasis ours). In other words, if your system is working normally, don’t bother downloading this patch. This is what Microsoft calls an “out of band” patch, and it doesn’t appear that it will be made available via Windows Update, either.

Why should you consider it? Intel has warned previously that the faulty patch can sometimes cause data loss and corruption, and Microsoft is saying the same: “Our own experience is that system instability can in some circumstances cause data loss or corruption,” the patch notes state.

There’s another wrinkle, though. As part of the patch, Microsoft is allowing users to edit the Windows registry to toggle the mitigations on or off. (Instructions are here.) It’s possible to toggle Microsoft’s patch off, and then, when Intel solves its own patching problem, re-enable it. That scenario is actually what Microsoft recommends—again, only if you’ve noticed system instability and want to take action against it.

Toggling the mitigations on and off is also a feature of the latest InSpectre utility.

As Bleeping Computer noted, system makers such as Dell and HP also advise rolling back their own BIOS patches to an earlier version, which they’re redeployed. It’s all horrendously confusing for consumers and IT organizations alike. Fortunately, at least, there haven’t been any public cases of these vulnerabilities being exploited, Microsoft says.

What should you do? There’s no one-size-fits-all answer to this question. But we can tell you what we’re doing: if a PC is working as expected, we’re leaving it patched and in place. If you’re backing up your data (to Remote Backup Services or an external drive) chances are your most crucial data will be saved in case your system goes down unexpectedly. Obviously, install Microsoft’s emergency Windows patch if you’re running into system issues. There’s no perfect solution—if you’re more paranoid than we are, feel free to deploy the patch even if your PC hasn’t hiccuped.