
First, the good news. Starting with the mid-April release of Google's Chrome 90 web browser, Chrome will default to trying to load the version of a website that has been secured with Transport Layer Security (TLS). These are the sites that show a closed lock in the Chrome Omnibox, what most of us know as the Chrome address (URL) bar. The bad news is that just because a site is secured by HTTPS doesn't mean it's trustworthy.
A few years ago, WordFence, a well-regarded WordPress security company, found that SSL certificates are being issued by certificate authorities (CAs) to phishing sites pretending to be other sites. Because the certificates are valid, even though they're operating under false premises, Chrome reports these sites as being secure. True, the data sent along that connection is secure, but safe? I think not!

Of course, CAs shouldn't issue bogus security certificates. Unfortunately, it happens. A perfect example of "Why we can't have nice things": it's been revealed that Let's Encrypt, the free, open, and automated CA, had been used to create thousands of SSL certificates for phishing sites illegally using "PayPal" as part of their name. It's not just PayPal. Google, Microsoft, and Apple have also had their names taken in vain by phishers.

It's also not just that the CA process can be abused. Paul Walsh, founder and CEO of the zero-trust security company MetaCert and co-founder of the World Wide Web Consortium (W3C) URL Classification Standard, sees many other problems with our naïve belief that HTTPS alone is enough to secure our internet connections. True, Walsh tweeted, "When DNS-based security services were first introduced, most of the web wasn't encrypted, and threat actors didn't use trusted domains like Google, Microsoft, GitHub, et al. So they were effective in the past, but less effective today." When the leading free CA, Let's Encrypt, began in 2015, less than a fifth of websites were secured by HTTPS. Today, 82.2% of sites are covered. That was then. This is now. And there are other problems.

First, Walsh believes that what Google is doing is "great in theory, but their execution sucks. I think it's unethical for a single company that represents a single stakeholder to railroad what they think is the right thing for every website creator and every person that uses the web." Walsh isn't the only one who feels that way. While many people think of this as a small, but real, step forward in web security, others think, "Forcing https on people's throats is a stupid idea."

Besides, as Walsh observed in his analysis of website security, "the basic [URL] padlock is designed to tell users when their connection to a website is encrypted. A padlock doesn't represent anything related to trust or identity. Browser designers didn't do a good job with the design of their UI. They should have made website identity more obvious — such as a separate icon on the toolbar — making it completely separate to the padlock." In other words, you can be "safely" secured to a site that's pretending to be the real Amazon, eBay, or PayPal. That's a fail.

This happens not just because of fake sites with real HTTPS certificates. Walsh points out that Modlishka attacks put a reverse proxy between you and the website you want to visit. It looks like you're connected to the real thing, because you get authentic content from the legitimate website, but the reverse proxy is silently relaying all your traffic to and from the Modlishka server. Thus, your "credentials and sensitive information such as a password or crypto wallet address entered by the user are automatically passed on to the threat actor. The reverse proxy also asks users for 2FA tokens when prompted by the website. Attackers can then collect these 2FA tokens in real-time, to access the victims' accounts." Ouch.

Besides that, Walsh is not at all convinced that free and easy HTTPS certificates are a good thing. Walsh wrote, "The volume of cyberattacks that use automatically issued free DV certificates has weakened the Trusted Computing Base (TCB) of the internet in my opinion. And free DV certificates are an existential threat to the safety and wellbeing of society."

The answer? According to Walsh, CAs should:

- Tighten up their identity verification processes.
- Reduce the cost, time, and effort of acquiring identity verification.

And browser vendors should:

- Design a meaningful icon for identity verification for the browser toolbar, away from the padlock.
- Improve the user experience so websites' real identity is intuitive.

Then, and only then, will the web be well on its way to being truly secure.
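As an added example (not code from the article or from MetaCert), the check below reads a certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns and reports what the padlock actually vouches for: it classifies the certificate as DV or OV/EV by whether an organization is asserted in the subject (a heuristic; exact EV detection needs policy OIDs), and flags SAN hostnames that embed a brand keyword such as "paypal" outside the brand's own domain. The sample certificate dict and the brand/domain lists are constructed for this example.

```python
def _subject_fields(peercert: dict) -> dict:
    """Flatten the subject tuple-of-tuples returned by ssl.SSLSocket.getpeercert()."""
    fields = {}
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return fields

def san_dns_names(peercert: dict) -> list:
    """All DNS names the certificate is valid for (the only thing a DV cert vouches for)."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]

def validation_level(peercert: dict) -> str:
    """Heuristic: DV certs bind only a hostname; OV/EV certs also name a verified organization.
    Browsers show the same padlock for all of them, so only OV/EV says anything about identity."""
    subject = _subject_fields(peercert)
    if "organizationName" in subject:
        return "OV/EV: organization asserted: " + subject["organizationName"]
    return "DV: hostname only, no identity verified"

def brand_lookalikes(names, brands, legit_domains) -> list:
    """Hostnames that embed a brand keyword but sit outside the brand's own domains."""
    flagged = []
    for name in names:
        host = name.lower()
        if host.startswith("*."):          # wildcard SAN entry
            host = host[2:]
        if any(host == d or host.endswith("." + d) for d in legit_domains):
            continue                       # the brand's real domain, not a lookalike
        if any(brand in host for brand in brands):
            flagged.append(name)
    return flagged

def assess(peercert: dict, brands, legit_domains) -> dict:
    """Summarise what the padlock does and does not tell you about this certificate."""
    names = san_dns_names(peercert)
    return {
        "padlock_means": "connection encrypted",  # shown for any valid cert, DV included
        "validation": validation_level(peercert),
        "lookalike_names": brand_lookalikes(names, brands, legit_domains),
    }

# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_DV_PHISH = {
    "subject": ((("commonName", "paypal-secure-login.example"),),),
    "subjectAltName": (("DNS", "paypal-secure-login.example"),
                       ("DNS", "www.paypal-secure-login.example")),
}

REPORT = assess(SAMPLE_DV_PHISH, ["paypal"], ["paypal.com"])
```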

Google Chrome users who want to stay safe and secure will want to update their browser to the latest version. That's because it contains a fix for a critical vulnerability that could cause Chrome to crash or even infect your system or device with malware.

On Wednesday, Google released Chrome version 134.0.6998.117/.118 for Windows and Mac and 134.0.6998.117 for Linux. Rolling out over the next few days and weeks, this version offers several security fixes. But the patch for the critical vulnerability is the most important one.

As described in the NIST vulnerability database, CVE-2025-2476 points to "Use after free in Lens in Google Chrome prior to 134.0.6998.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page." And what does that mean in layman's terms? Let's break it down.

"Use after free" is a type of memory corruption in which a program continues to use a block of memory even after it's been freed. Lens in Google Chrome refers to the Google Lens tool that can search for and identify items you spot through your phone's camera. "Heap corruption" means that an attacker could corrupt the data stored in that freed block of memory. And "a crafted HTML page", in this instance, is a web page custom-designed for malicious purposes. Put them together, and any previous version of Chrome is susceptible to web pages created by attackers that would take advantage of corrupted memory to infect your PC with malware.