Security Blog
The latest news and insights from Google on security and safety on the Internet
That’s not the download you’re looking for...
14. August 2014
Cross-posted on the
Chrome Blog
You should be able to use the web safely, without fear that malware could take control of your computer, or that you could be tricked into giving up personal information in a phishing scam.
That’s why we’ve invested so much in tools that protect you online. Our
Safe Browsing
service protects you from malicious websites and warns you about malicious downloads in Chrome. We’re currently showing more than three million download warnings per week—and because we make this technology available for other browsers to use, we can help keep 1.1 billion people safe.
Starting next week, we’ll be expanding Safe Browsing protection against additional kinds of deceptive software: programs disguised as a helpful download that actually make unexpected changes to your computer—for instance, switching your homepage or other browser settings to ones you don’t want.
We’ll show a warning in Chrome whenever an attempt is made to trick you into downloading and installing such software. (If you still wish to proceed despite the warning, you can access it from your Downloads list.)
As always, be careful and make sure you trust the source when downloading software. Check out
these tips
to learn how you can stay safe on the web.
Posted by Moheeb Abu Rajab, Staff Engineer, Google Security
Protecting Gmail in a global world
12. August 2014
Last week
we announced support
for non-Latin characters in Gmail—think δοκιμή and 测试 and みんな—as a first step towards more global email. We’re really excited about these new capabilities. We also want to ensure they aren’t abused by spammers or scammers trying to send misleading or harmful messages.
Scammers can exploit the fact that
ဝ
,
૦
, and
ο
look nearly identical to the letter
o
, and by mixing and matching them, they can hoodwink unsuspecting victims.* Can you imagine the risk of clicking “Sh
ဝ
ppingSite” vs. “ShoppingSite” or “MyBank” vs. “MyB
ɑ
nk”?
To stay one step ahead of spammers, the Unicode community has identified suspicious combinations of letters that could be misleading, and Gmail will now begin rejecting email with such combinations. We’re using an open standard—the
Unicode Consortium
’
s “Highly Restricted” specification
—which we believe strikes a healthy balance between legitimate uses of these new domains and those likely to be abused.
We’re rolling out the
changes
today, and hope that others across the industry will follow suit. Together, we can help ensure that international domains continue to flourish, allowing both users and businesses to have a
tête-à-tête
in the language of their choosing.
Posted by Mark Risher, Spam & Abuse Team
*For those playing at home, that's a Myanmar letter Wa (U+101D), a Gujarati digit zero (U+AE6) and a Greek small letter omicron (U+03BF), followed by the ASCII letter 'o'.
HTTPS as a ranking signal
7. August 2014
Cross-posted from the
Webmaster Central Blog
Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like
strong HTTPS encryption by default
. That means that people using Search, Gmail and Drive, for example, automatically have a secure connection to Google.
Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. For instance, we have created resources to help webmasters
prevent and fix security breaches
on their sites.
We want to go even further. At
Google I/O
a few months ago, we called for “
HTTPS everywhere
” on the web.
We’ve also seen more and more webmasters adopting
HTTPS
(also known as HTTP over
TLS
, or Transport Layer Security), on their website, which is encouraging.
For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as
high-quality content
—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.
In the coming weeks, we’ll publish detailed best practices (we’ll add a link to it from here) to make TLS adoption easier, and to avoid common mistakes. Here are some basic tips to get started:
Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
Use 2048-bit key certificates
Use relative URLs for resources that reside on the same secure domain
Use protocol relative URLs for all other domains
Check out our
Site move article
for more guidelines on how to change your website’s address
Don’t block your HTTPS site from crawling using robots.txt
Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag
If your website is already serving on HTTPS, you can test its security level and configuration with the
Qualys Lab tool
. If you are concerned about TLS and your site’s performance, have a look at
Is TLS fast yet?
. And of course, if you have any questions or concerns, please feel free to post in our
Webmaster Help Forums
.
We hope to see more websites using HTTPS in the future. Let’s all make the web more secure!
Posted by
Zineb Ait Bahajji
and
Gary Illyes
, Webmaster Trends Analysts
Labels
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2023
Sept.
Aug.
Juli
Juni
Mai
Apr.
März
Feb.
Jan.
2022
Dez.
Nov.
Okt.
Sept.
Aug.
Juli
Juni
Mai
Apr.
März
Feb.
Jan.
2021
Dez.
Nov.
Okt.
Sept.
Aug.
Juli
Juni
Mai
Apr.
März
Feb.
Jan.
2020
Dez.
Nov.
Okt.
Sept.
Aug.
Juli
Juni
Mai
Apr.
März
Feb.
Jan.
2019
Dez.
Nov.
Okt.
Sept.
Aug.
Juli
Juni
Mai
Apr.
März
Feb.
Jan.
2018
Dez.
Nov.
Okt.
Sept.
Aug.
Juli
Juni
Mai
Apr.
März
Feb.
Jan.
2017
Dez.
Nov.
Okt.
Sept.
Juli
Juni
Mai
Apr.
März
Feb.
Jan.
2016
Dez.
Nov.
Okt.
Sept.
Aug.
Juli
Juni
Mai
Apr.
März
Feb.
Jan.
2015
Dez.
Nov.
Okt.
Sept.
Aug.
Juli
Juni
Mai
Apr.
März
Feb.
Jan.
2014
Dez.
Nov.
Okt.
Sept.
Aug.
Juli
Juni
Apr.
März
Feb.
Jan.
2013
Dez.
Nov.
Okt.
Aug.
Juni
Mai
Apr.
März
Feb.
Jan.
2012
Dez.
Sept.
Aug.
Juni
Mai
Apr.
März
Feb.
Jan.
2011
Dez.
Nov.
Okt.
Sept.
Aug.
Juli
Juni
Mai
Apr.
März
Feb.
2010
Nov.
Okt.
Sept.
Aug.
Juli
Mai
Apr.
März
2009
Nov.
Okt.
Aug.
Juli
Juni
März
2008
Dez.
Nov.
Okt.
Aug.
Juli
Mai
Feb.
2007
Nov.
Okt.
Sept.
Juli
Juni
Mai
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
Follow