Security Alerts & News
by Tymoteusz A. Góral

#767 Announcing Certbot: EFF's client for Let's Encrypt
EFF is proud to introduce Certbot, a powerful tool to help websites encrypt their traffic. Certbot is the next iteration of the Let's Encrypt Client; it obtains TLS/SSL certificates and can automatically configure HTTPS encryption on your server. It's still in beta for now, but we plan to release Certbot 1.0 later this year.

As you may know, Let’s Encrypt is a certificate authority, co-founded by EFF, Mozilla, and researchers from the University of Michigan. With help from many others, Let’s Encrypt is now one of the world’s largest certificate authorities, used by millions of people around the world to enable HTTPS on their websites.

Certbot communicates with the Let’s Encrypt CA through a protocol called ACME. While there are many ACME clients available to choose from, Certbot continues to be the most popular choice for organizations and developers that run their own webservers.
#766 Malware-laced porn apps behind wave of Android lockscreen attacks
Incidents of Android lockscreen malware masquerading as porn apps are a growing concern to security analysts who are forecasting an uptick in attacks. Once infected, Android users bitten by this malware appear to be locked out of their device and are forced to undergo a complex extraction of the app to win back control of their phone or tablet.

The warning comes from the Dell SonicWALL Threats Research Team, which said this yet-to-be-named variant of lockscreen malware is immature, but potent.

“We have found over a 100 different apps that contain this malware and suspect that the authors behind the apps are gearing up for a much larger more deadly assault,” said Alex Dubrovsky, director of software engineering and threat research at Dell.
#765 Google devs planning Flash's demise with new "HTML5 by default" Chrome setting
In a Google Groups thread named "Intent to implement: HTML5 by Default," the Google developers announced initial plans to implement a new feature in the Chromium core that will disable the playback of Flash content by default, and use HTML5 instead, if available.

The feature is scheduled to ship with Chromium builds in Q4 2016, according to the current timeline.

"If a site offers an HTML5 experience, this change will make that the primary experience," Anthony LaForge, Technical Program Manager at Google, explained. "We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site."

The Chromium team will basically implement a permanent "Ask to activate" feature for all websites running Flash content, similar to what Firefox has been optionally providing its users for some time now.

"This change reflects the maturity of HTML5 and its ability to deliver an excellent user experience," LaForge also noted. "While Flash historically has been critical for rich media on the web, today in many cases HTML5 provides a more integrated media experience with faster load times and lower power consumption."