Google Online Security Blog: 2013

Further improving digital certificate security

7 décembre 2013

Posted by Adam Langley, Security Engineerintermediate certificate authorityCertificate Transparency[Update December 12: We have decided that the ANSSI certificate authority will be limited to the following top-level domains in a future version of Chrome: .fr .gp (Guadeloupe) .gf (Guyane) .mq (Martinique) .re (Réunion) .yt (Mayotte) .pm (Saint-Pierre et Miquelon) .bl (Saint Barthélemy) .mf (Saint Martin) .wf (Wallis et Futuna) .pf (Polynésie française) .nc (Nouvelle Calédonie) .tf (Terres australes et antarctiques françaises)]

Internet-wide efforts to fight email phishing are working

6 décembre 2013

Posted by Elie Bursztein, anti-abuse research lead and Vijay Eranti, Gmail anti-abuse technical lead
Editor's Note: This post was updated on February 9th, 2016. Adoption numbers reflect state of authentication as of this date.

86.8% of the emails we received are signed according to the (DKIM) standard (up from 76.9% in 2013). Over two million domains (weekly active) have adopted this standard (up from 0.5 millions 2013).

95.3% of incoming emails we receive come from SMTP servers that are authenticated using the SPF standard (up from 89.1% in 2013). Over 7.8 million domains (weekly active) have adopted the SPF standard (up from 3.5 million domains in 2013).

85% of incoming emails we receive are protected by both the DKIM and SPF standards (up from 74.7% in 2013).

Over 162,000 domains have deployed domain-wide policies that allow us to reject hundreds of millions of unauthenticated emails every week via the DMARC standard (up from 80,000 in 2013).

Join the fight against email spam DKIMSPFDMARC

Even more patch rewards!

18 novembre 2013

Posted by Michal Zalewski, Google Security TeamAbout a month ago, we kicked off our Patch Reward Program. The goal is very simple: to recognize and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire Internet.We started with a fairly conservative scope, but said we would expand the program soon. Today, we are adding the following to the list of projects that are eligible for rewards:

All the open-source components of Android: Android Open Source Project

Widely used web servers: Apache httpd, lighttpd, nginx

Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot

Virtual private networking: OpenVPN

Network time: University of Delaware NTPD

Additional core libraries: Mozilla NSS, libxml2

Toolchain security improvements for GCC, binutils, and llvm

For more information about eligibility, reward amounts, and the submission process, please visit this page. Happy patching!

Out with the old: Stronger certificates with Google Internet Authority G2

18 novembre 2013

Posted by Dan Dulay, Security Engineernotedforward secrecyGoogle Internet Authority G2

A roster of TLS cipher suites weaknesses

14 novembre 2013

Posted by Adam Langley, Software Engineerlist of cipher suitesECDHE: the key agreement mechanism. RSA: the authentication mechanism. AES_128_CBC: the cipher. SHA: the message authentication primitive. RC412345AES-CBC BEASTdescribedLucky13AES-GCM ChaCha20-Poly1305 Summary

Don’t mess with my browser!

31 octobre 2013

In some ways, it's safer than ever to be online — especially if you use Chrome. With continued security research and seamless automatic updates, your browsing experience is always getting better and more secure. But recently you may have noticed something seems amiss. Online criminals have been increasing their use of malicious software that can silently hijack your browser settings. This has become a top issue in the Chrome help forums; we're listening and are here to help.
Bad guys trick you into installing and running this kind of software by bundling it with something you might want, like a free screensaver, a video plugin or—ironically—a supposed security update. These malicious programs disguise themselves so you won’t know they’re there and they may change your homepage or inject ads into the sites you browse. Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state.

We're taking steps to help, including adding a "reset browser settings" button in the last Chrome update, which lets you easily return your Chrome to a factory-fresh state. You can find this in the “Advanced Settings” section of Chrome settings.

In the current Canary build of Chrome, we’ll automatically block downloads of malware that we detect. If you see this message in the download tray at the bottom of your screen, you can click “Dismiss” knowing Chrome is working to keep you safe.

This is in addition to the 10,000 new websites we flag per day with Safe Browsing, which also detects and blocks malicious downloads, to keep more than 1 billion web users safe across multiple browsers that use this technology. Keeping you secure is a top priority, which is why we’re working on additional means to stop malicious software installs as well.

Update: 11/1/13: Updated to mention that Safe Browsing already detects and blocks malware.

Linus Upson, Vice President

reCAPTCHA just got easier (but only if you’re human)

25 octobre 2013

Posted by Vinay Shet, Product Manager, reCAPTCHACAPTCHA

A new and easier numeric CAPTCHA

Going beyond vulnerability rewards

9 octobre 2013

Posted by Michal Zalewski, Google Security TeamWe all benefit from the amazing volunteer work done by the open source community. That’s why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program - and employ it to improve the security of key third-party software critical to the health of the entire Internet.We thought about simply kicking off an OSS bug-hunting program, but this approach can easily backfire. In addition to valid reports, bug bounties invite a significant volume of spurious traffic - enough to completely overwhelm a small community of volunteers. On top of this, fixing a problem often requires more effort than finding it.So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR - we want to help!We intend to roll out the program gradually, based on the quality of the received submissions and the feedback from the developer community. For the initial run, we decided to limit the scope to the following projects:

Core infrastructure network services: OpenSSH, BIND, ISC DHCP

Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib

Open-source foundations of Google Chrome: Chromium, Blink

Other high-impact libraries: OpenSSL, zlib

Security-critical, commonly used components of the Linux kernel (including KVM)

Widely used web servers: Apache httpd, lighttpd, nginx

Popular SMTP services: Sendmail, Postfix, Exim

Toolchain security improvements for GCC, binutils, and llvm

Virtual private networking: OpenVPN

How to participate?Before participating, please read the official rules posted on this page; the document provides additional information about eligibility, rewards, and other important stuff.Please submit your patches directly to the maintainers of the individual projects. Once your patch is accepted and merged into the repository, please follow the submission process outlined here. If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.7. Happy patching!

Security rewards at Google: Two MEEELLION Dollars Later

12 août 2013

Posted by Chris Evans and Adam Mein, Masters of CoinChromiumGoogle Webleading standards for response timeChromium VRPPwniumGoogle Web VRPpreviously announced bonusesproviding a patchhow to report a security bug wellhow we determine higher reward eligibilityincreases under the Google Web program

Transparency Report: Making the web a safer place

25 juin 2013

Posted by Lucas Ballard, Software Engineer[Cross-posted from the Official Google Blog]Safe Browsing programTransparency Report

this pageGoogle Webmaster ToolsSafe Browsing Alerts for Network Administrators

Iranian phishing on the rise as elections approach

12 juin 2013

Posted by Eric Grosse, VP Security Engineering[Update June 13: This post is available in Farsi on the Google Persian Blog.]

targeted users within Iranstate-sponsored attackssuspicious activitytake extra steps to protect your accountenabling 2-step verification

Increased rewards for Google’s Web Vulnerability Reward Program

6 juin 2013

Posted by Adam Mein and Michal Zalewski, Security Teamintroducingsupport a school projectupdated rules

Cross-site scripting (XSS) bugs on https://accounts.google.com now receive a reward of $7,500 (previously $3,133.7). Rewards for XSS bugs in other highly sensitive services such as Gmail and Google Wallet have been bumped up to $5,000 (previously $1,337), with normal Google properties increasing to $3,133.70 (previously $500).

The top reward for significant authentication bypasses / information leaks is now $7,500 (previously $5,000).

let us know

Disclosure timeline for vulnerabilities under active attack

29 mai 2013

Posted by Chris Evans and Drew Hintz, Security EngineersXML parsing vulnerabilitiesuniversal cross-site scripting bugstargeted web application attacksrecommendation

Changes to our SSL Certificates

23 mai 2013

Posted by Stephen McHenry, Director of Information Security Engineeringmust

Perform normal validation of the certificate chain;

Include a properly extensive set of root certificates contained. We have an example set which should be sufficient for connecting to Google in our FAQ. (Note: the contents of this list may change over time, so clients should have a way to update themselves as changes occur);

Support Subject Alternative Names (SANs).

shouldhttps://googlemail.com

Matching the leaf certificate exactly (e.g. by hashing it)

Matching any other certificate (e.g. Root or Intermediate signing certificate) exactly

Hard-coding the expected Root certificate, especially in firmware. This is sometimes done based on assumptions like the following:

The Root Certificate of our chain will not change on short notice.
Google will always use Thawte as its Root CA.
Google will always use Equifax as its Root CA.
Google will always use one of a small number of Root CAs.
The certificate will always contain exactly the expected hostname in the Common Name field and therefore clients do not need to worry about SANs.
The certificate will always contain exactly the expected hostname in a SAN and therefore clients don't need to worry about wildcards.

this documentFAQ

The results are in: Hardcode, the secure coding contest for App Engine

10 mai 2013

Posted by Eduardo Vela Nava, Security TeamannouncedSummer of CodeCode-in

Team 0xC0DEBA5EVienna University of Technology, Austria (SGD $20,000)Team GridlockLoyola School, Jamshedpur, India (SGD $15,000)Team CeciliaSecUniversity of California, Santa Barbara, California, USA (SGD $10,000)Team AppDaptorThe Hong Kong Polytechnic University, Hong Kong (SGD $5,000)Team DesiCodersBirla Institute of Technology & Science, Pilani, India (SGD $5,000)Team Saviors of Middle EarthWalt Whitman High School, Maryland, USA

New warnings about potentially malicious binaries

17 avril 2013

Posted by Moheeb Abu Rajab, Security Teamdisable silent extension installation by defaultmalicious download warningsChrome’s central management settingsChrome Web Storeinline installationother deployment options

Google Public DNS Now Supports DNSSEC Validation

19 mars 2013

Posted by Yunhong Gu, Team Lead, Google Public DNSlaunchedDomain Name System Security ExtensionsDNS cache poisoninghttps://developers.google.com/speed/public-dnsFAQSecurity4033403440355155UpdateMarch 21UpdateMay 6

Videos and articles for hacked site recovery

12 mars 2013

Posted by Maile Ohye, Developer Programs Tech LeadHelp for hacked sites

“Help for hacked sites” overview: How and why a site is hackedOver 25% of sites that are hacked may remain compromisedsurvey of more than 600 webmasters of hacked sites

StopBadware and Commtouch’s 2012 survey results for “What action did you take/are you taking to fix the compromised site?”Hackers’ tactics are difficult for site owners to detect

Both pages are the same, but the page on the right highlights the “hidden text”—in this case, white text on a white background. As explained in Step 5: Assess the damage (hacked with spam), hackers employ these types of tricks to avoid human detection.Server configurationHelp for hacked sites

Lucas Ballard covers the malware infection type Server configuration.Reminder to keep your site secure

Be vigilant about keeping software updated

Understand the security practices of all applications, plugins, third-party software, etc., before you install them on your server

Remove unnecessary or unused software

Enforce creation of strong passwords

Keep all devices used to log in to your web server secure (updated operating system and browser)

Make regular, automated backups

An update on our war against account hijackers

19 février 2013

Posted by Mike Hearn, Google Security Engineer Spammers’ new trick—hijacking accounts

Legitimate accounts blocked for sending spam: Our security systems have dramatically reduced the number of Google Accounts used to send spam over the past few years

How Google Security helps protect your account

Help protect your accountstrong, unique passworduse 2-step verificationupdating the recovery options

Calling student coders: Hardcode, the secure coding contest for App Engine

10 janvier 2013

Posted by Parisa Tabriz, Security TeamSyScanthere

Enhancing digital certificate security

3 janvier 2013

Posted by Adam Langley, Software Engineerintermediate certificate authority

Security Blog