The web got a little bit safer this week after Google switched on HTTPS for all of its blogspot domains.
First trialed last September, the change means everyone can now access a blogspot page over an encrypted channel, Google revealed in a blog post.
It added the following:
“We’re also adding a new setting called HTTPS Redirect that allows you to opt-in to redirect HTTP requests to HTTPS. While all blogspot blogs will have an HTTPS version enabled, if you turn on this new setting, all visitors will be redirected to the HTTPS version of your blog at https://.blogspot.com even if they go to http://.blogspot.com. If you choose to turn off this setting, visitors will have two options for viewing your blog: the unencrypted version at http://.blogspot.com or the encrypted version at https://.blogspot.com.”
However, Google warned that mixed content – sometimes caused by “incompatible templates, gadgets, or post content” – might cause a blog not to work in HTTPS.
The tech giant said it recently released a mixed content warning tool for just such occasions, giving users the ability to spot and fix these issues.
The move is part of Google’s HTTPS Everywhere initiative, launched in 2014, which is working towards the goal of ensuring all communications are secure by default.
HTTPS has not had an easy ride of late, thanks to free certification tools which have been abused by hackers.
In January it emerged that one such tool, Let’s Encrypt, was used to help hide malicious traffic from network security filters.
Trend Micro noted that it was being used in active malvertising attacks leading users to sites hosting the Angler exploit kit (EK).
“Cases like this one where an attacker is able to create subdomains under a legitimate domain name demonstrate a problem,” Trend Micro fraud researcher, John Chen, claimed at the time.
SOURCE: Phil Muncaster