Tag Archives: google

FREAK vulnerability can leave encrypted communications open to attack

A recently disclosed flaw lets attackers force secure connections to use a weaker form of encryption, one that can be broken.

FREAK vulnerability can leave encrypted communications exposed to attack

A recently reported flaw lets attackers force secure connections to use a weaker, breakable encryption method.

Google’s SHA-1 Deprecation Plan for Chrome

The latest news in the SSL and web browser industries is Google’s plan to deprecate SHA-1 in a unique way in upcoming releases of Chrome, starting with version 39. Considerably different from the plan Microsoft announced in November 2013, Google will show visual warnings or block the page within the browser, depending on the browser version, the date of use and the certificate’s expiration date.

Here is what you need to know first:

  1. SHA-1 is still safe to use but critics say its long-term ability to stand up to collision attacks is questionable.
  2. SHA-2 is the next hashing algorithm to be used.  If your end-entity or intermediate certificates are SHA-1, it might be a good idea to exchange them now.
  3. This issue faces all Certification Authorities, not just Symantec.
  4. All SHA-1 end-entity certificates and SHA-2 end-entity certificates chaining up to a SHA-1 intermediate are affected. SHA-1 root certificates are not affected by either Microsoft’s or Google’s SHA-1 deprecation plan.
  5. Google is using three terms that you may want to familiarize yourself with:
    1. secure, but with minor errors,
    2. neutral, lacking security, and
    3. affirmatively insecure.
  6. Symantec offers free replacements for affected Symantec SSL certificates.

What we expect to see with future Chrome releases:

Chrome 39 (Beta release: 26 September 2014, tentative production release: November 2014):

  1. Any page secured with a SHA-1 SSL certificate that expires on or after 1 January 2017 will be treated as “secure, but with minor errors”. The lock in the browser’s address bar will be overlaid with a yellow arrow, as in this example provided by Google:

[Image: google-blog-1.png]

Chrome 40 (Beta release: 7 November 2014, tentative production release: post-holiday season):

  1. Pages secured with a SHA-1 certificate expiring between 1 June 2016 and 31 December 2016 inclusive will experience the same treatment as described above.
  2. Additionally, pages secured with a SHA-1 certificate expiring after 1 January 2017 will be treated as “neutral, lacking security”. The lock in the address bar will be replaced by a blank page icon, as in this example provided by Google:

[Image: google-blog-2.png]

Chrome 41 (Q1-Q2 2015):

  1. Sites secured with a SHA-1 certificate whose validity ends between 1 January 2016 and 31 December 2016 inclusive will be treated as “secure, but with minor errors”.
  2. Sites secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “affirmatively insecure”. The lock will be overlaid with a red “X” and the letters “HTTPS” struck through in red, as in this example provided by Google:

[Image: google-blog-3.png]

Here is a matrix to help you understand the dates. Each cell gives the treatment Chrome applies to a certificate with that expiration date (in the original, each cell shows the corresponding lock icon):

Sample Expiration Dates

| Chrome Version (Beta dates) | SHA-1, expires by Dec 31 2015 | SHA-1, expires Jan 1 – May 31 2016 | SHA-1, expires Jun 1 – Dec 31 2016 | SHA-1, expires Jan 1 2017 and beyond | Recommended: SHA-2 |
|---|---|---|---|---|---|
| Chrome 39 (Sept. 2014) | no change | no change | no change | secure, but with minor errors | no change |
| Chrome 40 (Nov. 2014) | no change | no change | secure, but with minor errors | neutral, lacking security | no change |
| Chrome 41 (Q1 2015) | no change | secure, but with minor errors | secure, but with minor errors | affirmatively insecure | no change |

Moral of the story: Move to SHA-2, especially if your SSL certificate expires after December 2015.

What you need to do.

  1. Use our SSL Toolbox to see if your certificates are affected. SHA-1 SSL certificates expiring before 2016 are NOT affected and can be replaced with a SHA-2 certificate at renewal time if you wish.
  2. If your Symantec certificates are affected, you can replace them at no additional charge with a SHA-2 certificate, or with a SHA-1 certificate whose validity does not extend past 2015. Check with your vendor whether they have a free replacement program like Symantec’s.
  3. Install your new certificates.
  4. Test your installation using the SSL Toolbox.
  5. Security best practice: revoke any certificates that were replaced in step 2.

For more in-depth information, instructions, and assistance please refer to our knowledge center article on this subject.  For a list of SHA-2 supported and unsupported applications review this list from the CA Security Council.

Read our SHA-2 webpage for the tools, steps to take, and a list of FAQs that can be generally applicable across all browsers.
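As an added illustration (not code from the post or from Symantec), the following script encodes the Chrome 39/40/41 rules from the matrix above together with the chain rule from point 4 (a SHA-1 leaf, or a SHA-2 leaf under a SHA-1 intermediate, is affected; a SHA-1 root is not) and step 1 of the action list (affected chains expiring before 2016 need no replacement). The date windows follow the matrix; the sample inventory, hostnames and chains are constructed, and the treatment of Chrome versions after 41 is an assumption the page does not state.

```python
from datetime import date

# Treatments named in the post; NO_CHANGE is the ordinary lock icon.
NO_CHANGE = "no change"
MINOR = "secure, but with minor errors"
NEUTRAL = "neutral, lacking security"
INSECURE = "affirmatively insecure"

# The post's matrix: per Chrome version, treatment by expiration-date column.
# Assumption (not on the page): versions after 41 keep Chrome 41's rules.
POLICY = {39: {"2017+": MINOR},
          40: {"h2-2016": MINOR, "2017+": NEUTRAL},
          41: {"h1-2016": MINOR, "h2-2016": MINOR, "2017+": INSECURE}}

def expiry_column(not_after):
    """Map a certificate's notAfter date onto the matrix's columns."""
    if not_after <= date(2015, 12, 31):
        return "2015"
    if not_after <= date(2016, 5, 31):
        return "h1-2016"
    return "h2-2016" if not_after <= date(2016, 12, 31) else "2017+"

def chain_affected(chain):
    """chain: (signature algorithm name, is_root) tuples from leaf to root. A SHA-1
    signature anywhere below the root is affected (SHA-1 leaf, or SHA-2 leaf
    under a SHA-1 intermediate); SHA-1 roots are exempt under both plans."""
    return any("sha1" in alg.lower() and not is_root for alg, is_root in chain)

def chrome_treatment(chrome_version, not_after, chain):
    """UI treatment a given Chrome version gives this certificate chain."""
    if chrome_version < 39 or not chain_affected(chain):
        return NO_CHANGE
    rules = POLICY[max(v for v in POLICY if v <= chrome_version)]
    return rules.get(expiry_column(not_after), NO_CHANGE)

def audit(inventory):
    """inventory: {host: (notAfter, chain)} -> treatment per version, plus whether
    step 1 of the post calls for replacement (affected and expiring in 2016 or later)."""
    return {host: {"chrome": {v: chrome_treatment(v, exp, chain) for v in (39, 40, 41)},
                   "replace": chain_affected(chain) and exp >= date(2016, 1, 1)}
            for host, (exp, chain) in inventory.items()}

# Constructed sample inventory; hostnames, dates and chains are illustrative.
RSA1, RSA256 = "sha1WithRSAEncryption", "sha256WithRSAEncryption"
SAMPLE = {
    "shop.example": (date(2017, 6, 30), [(RSA1, False), (RSA256, False), (RSA1, True)]),
    "api.example": (date(2016, 9, 1), [(RSA256, False), (RSA1, False), (RSA1, True)]),
    "www.example": (date(2018, 1, 1), [(RSA256, False), (RSA1, True)]),
}
```

Running `audit(SAMPLE)` shows that api.example is flagged only because of its SHA-1 intermediate, while www.example, whose only SHA-1 signature is on the root, is untouched in every version.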

Security and privacy settings across your Google accounts

Google is the most popular Internet search provider worldwide. The name itself has even become a verb: We don’t look online anymore, we Google everything. Moreover, we use plenty of Google products not even realizing how connected they are. Gmail, YouTube, Translator, Google Drive, Photos (the former Picasa), Play, as well as Google+. The integration of Google […]


Privacy Fears Spawn New Generation of Low Profile Social Networks


Is the era of oversharing over? Recent revelations about state-sponsored surveillance and mega-breaches engineered by cybercrime gangs have put the issue of privacy in the spotlight. After more than a decade where people appeared to be sharing more and more details about themselves online, there is some evidence that a backlash is now underway. Certainly the founders of a number of new social networking services seem to think so and they have made privacy one of the main selling points of their offerings.

One effort at building a more anonymous social network is Secret. Its creators decided to move in the opposite direction to most social networks and minimize the personal information its users share. Available as either an iOS or Android app, it doesn’t use real names or profile photos. Users instead anonymously share text and images. Their posts are shared with other friends who are also on Secret, but users are not told which of their friends authored the post. They can choose to share those posts with their own friends and, if a post goes two degrees beyond its author, it is shared publicly and marked with its broad location (e.g. California).

Secret goes to some length to reassure its users of their privacy. For example, it markets itself with the fact that customer data is stored on Google servers – the same servers used in Gmail – and all communications are encrypted with TLS. Message data is encrypted before being written to its servers and keys are stored in an off-site keystore service that rotates keys. When the app connects a user with someone they know from their contacts book, it doesn’t send phone numbers or email addresses to Secret’s servers. Contact details are locally hashed with a shared salt and the server then compares them against other hashed values.
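To make the contact-matching step concrete, here is an added example (not Secret’s code, and not from the article) of the exchange described above: the client hashes each normalized address-book entry with a salt shared by every client and uploads only the hashes, and the server compares them against the hashes it holds for registered users. A keyed hash (HMAC-SHA256) stands in for the salted hash, since the article does not say which construction Secret uses; the salt value, user ids and contacts are constructed.

```python
import hashlib
import hmac

# Constructed value. Every client must use the same salt, otherwise the same
# contact would hash differently on different phones and never match.
SHARED_SALT = b"example-shared-salt-not-a-real-value"

def normalize(contact):
    """Canonicalize so the same person hashes identically on every device."""
    c = contact.strip()
    if "@" in c:
        return c.lower()
    digits = "".join(ch for ch in c if ch.isdigit())
    return "+" + digits  # assumption: numbers are written with a country code

def hash_contact(contact):
    """Client side: the only thing that leaves the device for this contact."""
    return hmac.new(SHARED_SALT, normalize(contact).encode(), hashlib.sha256).hexdigest()

class MatchingServer:
    """Server side: stores hashes only and answers 'which of these are users?'."""
    def __init__(self):
        self._users = {}  # contact hash -> user id

    def register(self, user_id, contact):
        self._users[hash_contact(contact)] = user_id  # stored hashed as well

    def find_friends(self, uploaded_hashes):
        return sorted(self._users[h] for h in uploaded_hashes if h in self._users)

def client_find_friends(server, address_book):
    """Upload hashes; the raw address book never reaches the server."""
    return server.find_friends([hash_contact(c) for c in address_book])

def demo():
    server = MatchingServer()
    server.register("user-17", "+1 415 555 0100")     # constructed sample users
    server.register("user-42", "Alice@Example.com")
    book = ["+1 (415) 555-0100", "alice@example.com", "+44 20 7946 0000"]
    return client_find_friends(server, book)        # -> ["user-17", "user-42"]
```

Matching works only because the salt is shared; the hash keeps raw numbers and addresses out of transit and storage but, for inputs as small as phone numbers, it should not be mistaken for making them unguessable.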

Secret’s arrival is a sign that social media moguls have spotted which way the wind is blowing. The app was developed by online publishing platform Medium, which was founded by Evan Williams and Biz Stone. Williams was a co-founder of blogging platform pioneer Pyra Labs (and credited with coining the phrase “blogger”) and was later a co-founder of Twitter.

The latest service to launch is Cloaq, which goes far beyond Secret in the level of anonymity it offers its users. Users don’t have to provide any personal information when they sign up, such as their name, email address or phone number. Instead, they choose their own password and Cloaq assigns them a user ID. The company is handing out accounts in batches, e.g. @alpha1 through to @alpha999 and so on. The downside of such an anonymous service is that anyone who forgets their user ID or password has no way of recovering it.

In addition to new social media ventures, established operators have also begun to perceive a market for private services. For example, Twitter chief executive Dick Costolo recently said that the company is exploring the option of introducing a “whisper mode” that will allow its users to move conversations into the private sphere. While the company already has a private direct messaging feature, Costolo indicated that the whisper mode would allow for a smoother transition between public and private conversations. Additionally, he indicated that the feature could enable private conversations between more than two people.

Revelations about surveillance have also prompted some of the main online service providers to beef up their privacy measures. For example, Google has now moved to a default encrypted HTTPS connection whenever a user of its email service Gmail logs on. Furthermore, the company said that it was encrypting all traffic on its data center network, meaning that Gmail data will also be encrypted if it moves between Google servers. The move is intended to allay privacy fears following revelations about state-sponsored surveillance of traffic between data centers.

Google isn’t the only company moving to enhance customer privacy. Yahoo has followed suit, switching on HTTPS as a default on Yahoo mail and encrypting traffic between its data centers. Microsoft too has responded to privacy concerns. Likening the threat posed by surveillance to that presented by malware, the company is encrypting content moving between itself and its customers, in addition to encrypting data center traffic.

Whether a permanent shift towards greater anonymity is underway remains to be seen. However, it is clear that the entire industry, from start-ups to the major players, has recognized that privacy is, for now, a key concern for consumers.

Cover Yourself: Google Leaves Your Passwords Exposed

We would like to assume that passwords saved in our web browser are stored in a secured virtual lock box, helping us to surf the web with increased speed and easily log into our favorite sites without sacrificing safety. Unfortunately, this might not be the case on Google Chrome, as it was recently brought to […]

Double the Security, Double the Fun: Protect Your Social Passwords with Two-Step Verification

It’s not all fun and games when it comes to your favorite social media sites. Many of the top sites such as Facebook and Twitter are used for entertainment and leisure, but they also store vital information identity thieves would love to get their hands on to disrupt your online life. For instance, personal login information […]

#useAVAST winners share recommendations with friends

Our first “#useAVAST” Hashtag challenge is over and it’s time to announce the results. As always, YOU have proven what an engaged and creative community AVAST has. We’ve seen plenty of Facebook and Google+ posts and Tweets with your personal recommendations. It has convinced us that we should be giving you this opportunity more often, […]