Plus Mozilla's rollout of DNS over HTTPS has begun, a big milestone for Let's Encrypt, and more.

Links:

• Firefox continues push to bring DNS over HTTPS by default for US users - The Mozilla Blog
• The Facts: Mozilla’s DNS over HTTPs (DoH)
• Security/DOH-resolver-policy - MozillaWiki
• HTTPS for all: Let’s Encrypt reaches one billion certificates issued | Ars Technica
• Let’s Encrypt Has Issued a Billion Certificates - Let’s Encrypt - Free SSL/TLS Certificates
• Let’s Encrypt: A History - The Morning Paper
• Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months • The Register
• Ballot SC22: Reduce Certificate Lifetimes
• Google Chrome’s fear of Microsoft Edge is revealing its bad side
• Microsoft shares a roadmap for the new Microsoft Edge
• Microsoft Edge: Top Feedback Summary for March 4
• Download Microsoft Edge Insider Channels
• Flaw in billions of Wi-Fi devices left communications open to eavesdropping | Ars Technica
• kr00k: A serious vulnerability deep inside Wi-Fi encryption
• Kr00k Paper
• Technical Details of Why Cloudflare Chose AMD EPYC for Gen X Servers
• An EPYC trip to Rome: AMD is Cloudflare’s 10th-generation Edge server CPU
• Cloudflare’s Gen X: Servers for an Accelerated Future
• Impact of Cache Locality
• Gen X Performance Tuning
• Securing Memory at EPYC Scale
• Intel promises Full Memory Encryption in upcoming CPUs | Ars Technica

Plus the latest Intel speculative execution vulnerability, and Microsoft's troubled history with certificate renewal.

Links:

• Oregon company makes top bid for Microsoft check - CNET
• Microsoft’s failures to renew: Teams, Hotmail, and Hotmail.co.uk | Ars Technica
• Microsoft Teams goes down after Microsoft forgot to renew a certificate - The Verge
• Browser review: Microsoft’s new “Edgium” Chromium-based Edge | Ars Technica
• Linus Torvalds pulled WireGuard VPN into the 5.6 kernel source tree | Ars Technica
• Ubuntu 20.04 LTS Adds WireGuard Support - Phoronix
• Multipath TCP Support Is Working Its Upstream - First Bits Landing With Linux 5.6 - Phoronix
• MultiPath TCP - Linux Kernel implementation
• Upstreaming multipath TCP
• LPC2019 - Multipath TCP Upstreaming - YouTube
• LPC2019 - Multipath TCP Upstreaming - Slides
• LPC2019 - Multipath TCP Upstreaming - Paper
• Using MultiPath TCP to enhance home networks
• Linux 5.6 Crypto Getting AVX/AVX2/AVX-512 Optimized Poly1305
• Poly1305
• CacheOut
• CacheOut Paper
• Intel Responds to ZombieLoad and CacheOut Attacks | Tom's Hardware
• New CacheOut Attack Targets Intel CPUs, Leaks Data From VMs And Secure Enclave

Plus when to use WARP, the secrets of Startpage, and the latest Ryzen release.

Links:

• Why big ISPs aren’t happy about Google’s plans for encrypted DNS
• Chromium Blog: Experimenting with same-provider DNS-over-HTTPS upgrade
• How to enable DNS-over-HTTPS (DoH) in Google Chrome
• What’s next in making Encrypted DNS-over-HTTPS the Default - Future Releases
• WARP is here
• The Technical Challenges of Building Cloudflare WARP
• mmproxy - Creative Linux routing to preserve client IP addresses in L7 proxies
• HTTP/3: the past, the present, and the future
• Cloudflare, Google Chrome, and Firefox add HTTP/3 support | ZDNet
• QUIC Implementations
• Startpage.com - The world's most private search engine
• Google extends support lifespan for seven Lenovo Chromebooks to 2025
• Google’s Quantum Supremacy Announcement Shouldn't Be a Surprise
• Scott’s Supreme Quantum Supremacy FAQ
• AMD Ryzen Pro 3000 series desktop CPUs will offer full RAM encryption | Ars Technica

Plus Apple's blaring bluetooth beacons and Facebook's worrying plans for WhatsApp.

Links:

• Apple bleee. Everyone knows What Happens on Your iPhone – hexway — If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number
• Facebook Plans on Backdooring WhatsApp - Schneier on Security — In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.
• Signal — Privacy that fits in your pocket.
• xkcd: Security — Turns out it's a $5 wrench, even better!
• Jim Salter on Twitter — I wonder why #privacy wonks aren't talking about browser fingerprinting more frequently? Privacy Badger, Ghostery, etc don't do a damn thing to prevent or mitigate Canvas / WebGL #fingerprinting.
• Browser Fingerprinting: What Is It and What Should You Do About It? - PixelPrivacy — Browser fingerprinting is a powerful method that websites use to collect information about your browser type and version, as well as your operating system, active plugins, timezone, language, screen resolution and various other active settings.
• Canvas Fingerprinting - BrowserLeaks.com — The technique is based on the fact that the same canvas image may be rendered differently in different computers. This happens for several reasons. At the image format level – web browsers uses different image processing engines, image export options, compression level, the final images may got different checksum even if they are pixel-identical. At the system level – operating systems have different fonts, they use different algorithms and settings for anti-aliasing and sub-pixel rendering.
• WebGL Browser Report - WebGL Fingerprinting - WebGL 2 Test - BrowserLeaks.com — WebGL Browser Report checks WebGL support in your web browser, produce WebGL Device Fingerprinting, and shows the other WebGL and GPU capabilities more or less related web browser identity.
• AmIUnique — Device fingerprinting or browser fingerprinting is the systematic collection of information about a remote device, for identification purposes. Client-side scripting languages allow the development of procedures to collect very rich fingerprints: browser and operating system type and version, screen resolution, architecture type, lists of fonts, plugins, microphone, camera, etc.
• Panopticlick — Panopticlick will analyze how well your browser and add-ons protect you against online tracking techniques. We’ll also see if your system is uniquely configured—and thus identifiable—even if you are using privacy-protective software. However, we only do so with your explicit consent, through the TEST ME button below.
• How private is your browser’s Private mode? Research into porn suggests “not very” | Ars Technica — This leaves browser fingerprinting as a method to tie your profiles together—and unfortunately, Incognito mode doesn't appear to help.
• Privacy Tools - Encryption Against Global Mass Surveillance — You are being watched. Private and state-sponsored organizations are monitoring and recording your online activities. privacytools.io provides services, tools and knowledge to protect your privacy against global mass surveillance.
• ‘Fingerprinting’ to Track Us Online Is on the Rise. Here’s What to Do. - The New York Times — Fingerprinting involves looking at the many characteristics of your mobile device or computer, like the screen resolution, operating system and model, and triangulating this information to pinpoint and follow you as you browse the web and use apps. Once enough device characteristics are known, the theory goes, the data can be assembled into a profile that helps identify you the way a fingerprint would.
• Digital 'Fingerprinting' Is The Next Generation Tracking Technology | The Takeaway | WNYC Studios — This growing technology is almost invisible, making it impossible for users to opt-out of the tracking system. As it becomes more popular, tech companies are developing new ways to try and protect consumers from this form of tracking. But is it going to work?
• New Warning Issued Over Google's Chrome Ad-Blocking Plans — The plans, dubbed Manifest V3, represent a major transformation to Chrome extensions including a revamp of the permissions system. As a result, modern ad blockers such as uBlock Origin—which uses Chrome’s webRequest API to block ads before they’re downloaded–won’t work.
• Comment on Chrome extension manifest v3 proposal by gorhill — The blocking ability of the webRequest API is still deprecated, and Google Chrome's limited matching algorithm will be the only one possible, and with limits dictated by Google employees. It's annoying that they keep saying "the webRequest API is not deprecated" as if developers have been worried about this -- and as if they want to drown the real issue in a fabricated one nobody made.
• CanvasBlocker
• Ghostery
• Disconnect

Plus Firefox zero days targeting Coinbase, the latest update on Rowhammer, and a few more reasons it's a great time to be a ZFS user.

Links:

• SACK Panic Security Bulletin — Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The vulnerabilities specifically relate to the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.
• Ubuntu SACK Panic Guidance — You should update your kernel to the versions specified below in the Updates section and reboot. Alternatively, Canonical Livepatch updates will be available to mitigate these two issues without the need to reboot.
• Red Hat SACK Panic Advisory — Red Hat customers running affected versions of these Red Hat products are strongly recommended to update them as soon as errata are available. Customers are urged to apply the available updates immediately and enable the mitigations as they feel appropriate.   
• RFC 2018 - TCP Selective Acknowledgment Options — TCP may experience poor performance when multiple packets are lost from one window of data. With the limited information available from cumulative acknowledgments, a TCP sender can only learn about a single lost packet per round trip time. An aggressive sender could choose to retransmit packets early, but such retransmitted segments may have already been successfully received. A Selective Acknowledgment (SACK) mechanism, combined with a selective repeat retransmission policy, can help to overcome these limitations.
• Ping of Death — In a nutshell, it is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a remote machine.
• Firefox zero-day was used in attack against Coinbase employees, not its users | ZDNet — A recent Firefox zero-day that has made headlines across the tech news world this week was actually used in attacks against Coinbase employees, and not the company's users.
• Mozilla fixes second Firefox zero-day exploited in the wild | ZDNet — Mozilla has released a second security update this week to patch a second zero-day that was being exploited in the wild to attack Coinbase employees and other cryptocurrency organizations.
• RAMBleed — RAMBleed is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous, and vary in severity based on the other software running on the target machine. As an example, in our paper we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key.
• Digging into the new features in OpenZFS post-Linux migration | Ars Technica — One of the most important new features in 0.8 is Native ZFS Encryption. Until now, ZFS users have relied on OS-provided encrypted filesystem layers either above or below ZFS. While this approach does work, it presented difficulties.
• Allan Jude on Twitter — Once the FreeBSDs are upstreamed, everything is changing to 'OpenZFS', including the github organization currently know as 'zfsonlinux'.
• ZFS on Linux Releases
• Linux Academy is hiring!
• Mozilla teases $5-per-month ad-free news subscription — Mozilla has started teasing an ad-free news subscription service, which, for $5 per month, would offer ad-free browsing, audio readouts, and cross-platform syncing of news articles from a number of websites.