Pittsburgh Tech Guy

An uptick in cyberattacks and greater awareness about government surveillance have prompted calls for tighter security on the Internet, and a big part of that is encrypting  the traffic that flows to and from websites. Google, Facebook and Microsoft are among the many companies that have been pushing for wider use of SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption, though it can be tricky and expensive to implement. Here are the basics of what you need to know.

What is SSL/TLS?

It's a protocol originally developed in part by Netscape in the 1990s, to ensure the authenticity of websites and allow data to be exchanged securely with end users. It creates an encrypted connection using public key cryptography, typically indicated by "https" and a padlock appearing in the URL window of a browser.

Why is it important?

Data exchanged using only the basic http:// setting can be intercepted by hackers. Data can be collected or tampered with, creating privacy and security risks for users. Nearly all reputable banks and e-commerce sites use SSL/TLS these days, but many smaller websites still do not.

Is it hard to set up?

SSL/TLS is known to be finicky and difficult to implement, especially for very large websites. Organizations known as Certification Authorities (CAs) sell different types of digital certificates used for authenticating websites. Depending on the type of certificate, CAs will verify that the entity requesting one is legitimate, to guard against fraudulent sites. But the certificates can be expensive, and critics say the cost and complexity are off-putting. Certificates also expire, and it's important that IT admins know when they have to be renewed.

Are there any weaknesses?

In short, many. Cybersecurity experts have devised numerous attacks over the years that compromised SSL/TLS connections. Also, software vulnerabilities such as Heartbleed have been found in OpenSSL, a widely used SSL application. CAs have occasionally been hacked, with attackers creating certificates for websites that are used for phishing. In a 2011, cryptographer Moxie Marlinspike outlined the many weaknesses in the CA system and the complexities of finding a replacement. "It's amazing that SSL has endured for as long as it has in contrast to a number of other protocols from the same vintage," Marlinspike wrote. More than 600 CAs issue or sell SSL/TLS certificates; some of the larger players include Verisign and Comodo. 

What's being done about the problems?

A project called Let's Encrypt, launched last year, issues free, domain-validated digital certificates as part of a movement to spur wider use of encryption on the Web. Bugs in SSL/TLS are patched when new attacks are discovered, but there's not really a viable replacement for the whole system at this point. Changing it would require agreement from the whole industry, and that's unlikely anytime soon. For now, protecting private SSL/TLS keys is probably the most important task, and a variety of hardware security modules on the market can securely manage those digital keys.

Microsoft today retreated from an earlier retirement date for Windows 7 and 8.1 support on newer hardware, saying that it would now support those OSes on PCs running Intel's Skylake silicon until July 2018.

The decision is a partial rollback of a January announcement that Microsoft called a "clarification" of its support policy. Under the January plan, Microsoft would have ended support for Windows 7 and Windows 8.1 on July 17, 2017, if the operating systems were powering machines equipped with its now-current Skylake processor family.

10 questions to ask analytics vendors (before you buy)

Analytics purchase decisions are littered with opportunities for missteps. These 10 questions will help

Read Now

At the time, Microsoft credited the decision to Windows 7's age and the hassle that Microsoft and OEMs would have to go through to ensure the 2009 operating system runs on Intel's latest architecture.

"As partners make customizations to legacy device drivers, services, and firmware settings, customers are likely to see regressions with Windows 7 ongoing servicing," Terry Myerson, Microsoft's top Windows and devices executive, said in a Jan. 15 blog post.

Myerson's solution: Shorten support for Windows 7 and Windows 8.1 on the newest PCs by at least 30 months, and decree that, going forward, next-generation processors would require the "latest Windows platform at that time for support." In other words, Windows 10.

The move was the first time Microsoft had mandated a broad restriction on what edition of Windows customers could run on which hardware. Some analysts saw it as yet another tactic in Microsoft's strategy to coerce customers into adopting Windows 10.

On Friday, Microsoft backpedaled.

Support for Windows 7 and 8.1 on certain Skylake PCs will now continue until July 17, 2018, a one-year extension from the original deadline. After that date, Microsoft and its computer-making partners will not guarantee that they will revise device drivers to support those editions of Windows on newer hardware.

The Redmond, Wash. company also retreated from another component of the earlier support policy: Windows 7 and Windows 8.1 Skylake PCs will receive all critical security updates through their respective January 2020 and January 2023 retirement dates. Two months ago, Microsoft had been much more vague about what it would patch after the done-with-support date, saying only that it would address "the most critical ... security updates."

The new criteria will almost certainly mean that all vulnerabilities rated "critical," one of the four labels Microsoft assigns to flaws, will be patched.

Support for Windows 7 and 8.1 on Skylake PCs is predicated on the customer owning a system on this list of eligible hardware.

Microsoft acknowledged that its change of mind had been driven by complaints from the firm's most important customers.

You’ve heard of Christmas in July. Well how about spring cleaning in January? Microsoft is kicking off 2016 with arguably its most significant Patch Tuesday in months. As of today, Microsoft bids goodbye to all but one version of Internet Explorer and a Windows release it would rather forget.

The biggest item on the chopping block is Windows 8. Not Windows 8.1—that sweeping update is still supported—but the original, non-Start button version of Windows 8. After Tuesday’s updates, Microsoft will cease support for the 3 year, 2 month, and 17-day old operating system. That means Windows 8 is going the way of Windows XP; no more security updates, no bug fixes, nothing.

Users still on Windows 8 will have to upgrade to Windows 8.1 or make the jump to Windows 10. Both are free upgrades for Windows 8 users at this writing. That may be problematic for some if you have an oddball PC that is no longer supported by a manufacturer and thus missing drivers for a smooth experience. Other than that small minority of users, everyone else should dump Windows 8 as soon as possible.

If you’re going from Windows 8 to Windows 8.1, remember that the upgrade happens via the Windows Store and not Windows Update.

The story behind the story: Windows 8 was supposed to be a revolutionary OS that had two different interfaces, built to run on both PCs and tablets. The idea was inherently flawed and ultimately failed. Microsoft tried to improve the situation by adding features PC users wanted in Windows 8.1, but it really wasn’t until Windows 10 that Microsoft’s vision of a single OS running everywhere came to satisfying fruition.

There can be only one.

Windows 8 is going to have some company in the dustbin of history. Microsoft plans to discontinue almost all support for Internet Explorer 8, 9, and 10. This issue only affects Windows 7 users who haven’t upgraded to IE11, and Windows 8 users who must upgrade to Windows 8.1 or 10 to get the latest version of IE.

Everyone else—Windows 8.1 and Windows 10 users—already have IE11 as it came built into their systems. In fact, Windows 10 users are barely affected since the built-in browser of choice for Microsoft’s latest OS is the new Edge browser.

If you’re a Windows 7 user with automatic updates enabled then you should have IE11 already. To check which version you’re running, open Internet Explorer click the Settings cog in the upper right corner, and select About Internet Explorer. A pop-up window will appear with all the details you need.

If you can’t be bothered to check don’t sweat it. A patch rolling out today for Windows 7 will detect the version of IE you have and then continue to bug you until you upgrade.

The only exception to the end of IE versions 8 through 10 will be Windows Vista, which will continue to get support for Internet Explorer 9. IE9 was the last version of the browser built for the OS. But that support won’t run for much longer. Microsoft will end support for Vista in April 2017, which means the OS will cease receiving security updates all together—just like Windows 8 and XP.

Microsoft’s latest round of security patches start rolling out Tuesday but may take a few days before they land on your system.

The web can't move away from Adobe's Flash Player fast enough. Though efforts have been made to leave Flash behind, it's still a prominent part of the web. It's also still prone to what seems like an endless discovery of security holes. To that end, Adobe has released another update for its Flash Player, one that patches up no less than 23 security holes.

The update addresses vulnerabilities labeled as critical, one of which Adobe said it's aware is being actively exploited in the wild in limited, targeted attacks. Left unpatched, the vulnerabilities could potentially allow an attacker to control of an affected system.

Anyone running Adobe Flash Player version 20.0.0.306 or earlier should apply the update right way. That includes not only Windows users, but also Mac OS X, Linux, and Chrome OS users as well. If you're not sure which version you have installed, you can check on Adobe's website.

This is the latest in a string of security threats discovered in Flash Player. The web at large is making a concerted effort to move away from Flash—Google is banning Flash-based ads by 2017, YouTube already punted Flash in favor of HTML5, and and Twitch had begun phasing out Flash Player for HTML back in 2015, to name just a few examples.

In 2015, McAfee noted a 317 percent increase in new Adobe Flash malware in the first quarter of the year. More recently, McAfee said (PDF) that "application vulnerabilities are an ongoing problem for software developers and their customers," and that "Adobe Flash is perhaps the most frequently attacked product."

Show of hands: Who feels like it’s too inconvenient to fully shut down your computer at night?

Sure, you might save some energy or battery life with a full shutdown, and the system might appreciate having a fresh start in the morning. But who wants to wait around for Windows to boot from scratch?

Windows 10 has an answer to this dilemma with Fast Startup. Much like Fast Boot in Windows 8, Fast Startup creates a master file during shutdown that stores certain system files such as the Windows kernel and device drivers. Upon startup, the system loads those files back into RAM. The result is a shutdown process that closes all applications, files, and user accounts, but doesn’t require a complete reboot.

What sort of savings can you clean from Fast Startup? In my personal experience on an SSD-based desktop, enabling this feature shaves about five seconds from the startup process, making an already speedy boot process that much faster, but of course your mileage may vary. The benefits should be even more pronounced on systems that use a mechanical hard drive rather than an SSD.

If you bought a PC with Windows 10 pre-loaded, Fast Startup is likely enabled by default, and the same may be true with upgrades from Windows 8. But users who are upgrading from Windows 7 may have to enable this feature through Control Panel. Here’s how to do it:

First, head to Power Options in the Windows 10 control panel. The easiest way to get there is to open a search, type “power,” then select Power Options under the “Best Match” search results.

Select “Choose what the power buttons do” from the left sidebar.

If the settings on the bottom of this menu are greyed out, click “Change settings that are currently unavailable” near the top of the screen.

Finally, check the “Turn on fast startup (recommended)” box near the bottom of the screen. Don’t forget to click “Save changes” when you’re done.

Why wouldn’t you enable Fast Startup? HowToGeek has a helpful explainer on some of the downsides for power users—for instance, it can mess with dual-boot systems because of how it locks down the Windows hard disk—though most normal users shouldn’t run into any show-stopping issues.