News Posts matching #HTTPS


Cloudflare: Blockchain Platform Targeted by One of Most Powerful DDoS Attacks in History

Internet services provider Cloudflare has announced that it has successfully protected one of its clients from one of the most powerful DDoS (Distributed Denial of Service) attacks in history. According to the services provider, an undisclosed cryptocurrency platform was targeted by a botnet comprising around 6,000 "zombie" computers distributed throughout 112 different countries. The botnet ultimately generated a collective 15.3 million requests per second. While that's still shy of the largest recorded metric - set at 17.2 million requests per second - the fact that the DDoS attack occurred through HTTPS likely pushed its complexity above the record-setting attack, due to the higher computational workload of secure HTTP. The attack lasted 15 seconds.

DDoS attacks aim to flood a network with requests and data packets in a bid to overload and paralyze it. The attack also showcases the ingenuity of bad actors, as it originated from cloud-based ISPs, with attackers leveraging more complex and capable networking hardware than what's usually offered by last-mile ISPs. According to Cloudflare, the botnet seems to have mostly compromised systems with Java-based applications that were still open to the recently discovered CVE-2022-21449 vulnerability.

Google To Integrate "Not Secure" Tag in Websites Sans HTTPS

Google has been one of the more vocal advocates of an HTTPS-based web, and the company is mounting an offensive of sorts that aims to push web page managers to adopt the more secure protocol. Starting July of this year, with Chrome 68, the Google web browser will start marking all non-HTTPS websites as "Not secure", thus warning users of heightened security risks. From the way Google is doing this, it seems the company hopes users that see the "Not secure" badge on web pages will start gradually choosing other options for their web surfing habits - HTTPS-enabled options, ideally - and thus force page managers to upgrade their security to stem the leaving user base.

Google has some interesting bullet points as it pertains to the adoption of HTTPS; they say that over 68% of Chrome traffic on both Android and Windows is now protected; over 78% of Chrome traffic on both Chrome OS and Mac is now protected; and that 81 of the top 100 sites on the web use HTTPS by default (which this editor would personally expect to be closer to 100 out of 100, but there are just some websites that really can't be moved). In the blog post announcing the change, Google engineers also bring attention to the company's Lighthouse utility, which automagically scans web pages for non-HTTPS elements, highlighting them, and noting those that can easily and painlessly be converted to their secure, HTTPS equivalent - which in some cases, might even enable more powerful tools.

Taking Hold of Your Signal - Critical Flaw Discovered in WPA2 Wi-Fi Security

Researchers have recently discovered a critical flaw that affects all WPA2-protected Wi-Fi devices. This can't be remedied solely by user intervention, or password changes, or even by the use of HTTPS websites; this is a flaw with the core of WPA's protection scheme, and means that an attacker could intercept every single piece of traffic that your device sends over Wi-Fi, including passwords, credit card details, images - the whole treasure trove. Adding insult to injury, it's even possible for attackers using this method to inject malware into your devices. The new attack method - dubbed KRACK for Key Reinstallation Attack - basically forces your device's encryption code to default to a known, plain-text all-zero decryption key, which is trivial for hackers to reuse.

Adding to the paranoia, this is basically a device- and software-agnostic attack - it's effective against devices running Android, Linux, and OpenBSD, and to a lesser extent macOS and Windows, as well as MediaTek, Linksys, and other types of devices. HTTPS isn't the best solution either, simply because some websites' implementations of it aren't the best, and there are scripts (such as SSLScript) that can force a website to downgrade its connection to a simple HTTP link - which can then be infiltrated by the attacker.

Chrome 62 Really Won't Like "HTTP" Sites When In Incognito Mode

As part of Google's push towards a safer, HTTPS-encrypted web, the Chrome browser will begin marking any HTTP site as non-secure when a user browses in incognito mode. Incognito is the Chrome browser's enhanced privacy mode, which goes a long way in explaining why Google sees non-HTTPS sites as a non-secure place to visit. Save for some network metadata, encrypted HTTPS connections keep the contents of the communications between the user and a web server hidden from outside parties - in normal circumstances, that is. The company is already marking HTTP web pages that accept credit card details as not secure, and starting October this year, the browser will do the same on every HTTP site in which the user has to input data, and for every HTTP page browsed in Incognito mode.

Interestingly, Google has advanced that traffic to pages it has marked "Not Secure" has dropped by 23%, which goes to show that such policies do impact a user's decision on whether or not to establish such a connection. In addition, Google started scrambling its search engine algorithm so as to feature HTTPS sites more prominently than sites that don't use it. This means that websites that see diminishing visitors should be more inclined towards adopting the more secure, encrypted HTTPS. And in an era where every scrap of our information is deemed worthy of at least being stored and resold, I find it commendable that Google thinks every piece of information should be secured, instead of just our payment information - and even that isn't always secure.