Google Data » Google Security PR

Google Data » Google Security PR https://googledata.org Everything Google: News, Products, Services, Content, Culture Thu, 19 Mar 2015 22:49:02 +0000 en-US hourly 1 http://wordpress.org/?v=3.7.5 Safe Browsing and Google Analytics: Keeping More Users Safe, Together https://googledata.org/google-online-security/safe-browsing-and-google-analytics-keeping-more-users-safe-together/?utm_source=rss&utm_medium=rss&utm_campaign=safe-browsing-and-google-analytics-keeping-more-users-safe-together https://googledata.org/google-online-security/safe-browsing-and-google-analytics-keeping-more-users-safe-together/#comments Thu, 26 Feb 2015 18:23:00 +0000 https://googledata.org/?guid=18ae48338b70cff6228f7d1e4888203a Posted by Stephan Somogyi, Product Manager, Security and Privacy

[Cross-posted on the Google Analytics Blog]

If you run a web site, you may already be familiar with Google Webmaster Tools and how it lets you know if Safe Browsing finds something problematic on your site. For example, we’ll notify you if your site is delivering malware, which is usually a sign that it’s been hacked. We’re extending our Safe Browsing protections to automatically display notifications to all Google Analytics users via familiar Google Analytics Notifications.

Google Safe Browsing has been protecting people across the Internet for over eight years and we're always looking for ways to extend that protection even further. Notifications like these help webmasters like you act quickly to respond to any issues. Fast response helps keep your site—and your visitors—safe.]]> https://googledata.org/google-online-security/safe-browsing-and-google-analytics-keeping-more-users-safe-together/feed/ 0 Pwnium V: the never-ending* Pwnium https://googledata.org/google-online-security/pwnium-v-the-never-ending-pwnium/?utm_source=rss&utm_medium=rss&utm_campaign=pwnium-v-the-never-ending-pwnium https://googledata.org/google-online-security/pwnium-v-the-never-ending-pwnium/#comments Tue, 24 Feb 2015 18:58:00 +0000 https://googledata.org/?guid=107dc0e835c75825854dec1e2f3f6105 Posted by Tim Willis, Hacker Philanthropist, Chrome Security Team

[Cross-posted from the Chromium Blog]

Around this time each year we announce the rules, details and maximum cash amounts we’re putting up for our Pwnium competition. For the last few years we put a huge pile of cash on the table (last year it was e million) and gave researchers one day during CanSecWest to present their exploits. We’ve received some great entries over the years, but it’s time for something bigger.

Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers.

For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million*.

We’re making this change for a few reasons:

Removing barriers to entry: At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot. Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.
Removing the incentive for bug hoarding: If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.
Our researchers want this: On top of all of these reasons, we asked our handful of participants if they wanted an option to report all year. They did, so we’re delivering.

Logistically, we’ll be adding Pwnium-style bug chains on Chrome OS to the Chrome VRP. This will increase our top reward to $50,000, which will be on offer all year-round. Check out our FAQ for more information.

Happy hunting!

*Our lawyercats wouldn’t let me say “never-ending” or “infinity million” without adding that “this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.” Check out the reward eligibility requirements on the Chrome VRP page.]]> Posted by Tim Willis, Hacker Philanthropist, Chrome Security Team

[Cross-posted from the Chromium Blog]

Around this time each year we announce the rules, details and maximum cash amounts we’re putting up for our Pwnium competition. For the last few years we put a huge pile of cash on the table (last year it was e million) and gave researchers one day during CanSecWest to present their exploits. We’ve received some great entries over the years, but it’s time for something bigger.

Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers.

For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million*.

We’re making this change for a few reasons:

Removing barriers to entry: At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot. Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.
Removing the incentive for bug hoarding: If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.
Our researchers want this: On top of all of these reasons, we asked our handful of participants if they wanted an option to report all year. They did, so we’re delivering.

Logistically, we’ll be adding Pwnium-style bug chains on Chrome OS to the Chrome VRP. This will increase our top reward to $50,000, which will be on offer all year-round. Check out our FAQ for more information.

Happy hunting!

*Our lawyercats wouldn’t let me say “never-ending” or “infinity million” without adding that “this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.” Check out the reward eligibility requirements on the Chrome VRP page.]]> https://googledata.org/google-online-security/pwnium-v-the-never-ending-pwnium/feed/ 0 More Protection from Unwanted Software https://googledata.org/google-online-security/more-protection-from-unwanted-software/?utm_source=rss&utm_medium=rss&utm_campaign=more-protection-from-unwanted-software https://googledata.org/google-online-security/more-protection-from-unwanted-software/#comments Mon, 23 Feb 2015 20:31:00 +0000 https://googledata.org/?guid=fe5d5a14fc29d344fa8ee541ea599f8a Posted by Lucas Ballard, Software Engineer

SafeBrowsing helps keep you safe online and includes protection against unwanted software that makes undesirable changes to your computer or interferes with your online experience.

We recently expanded our efforts in Chrome, Search, and ads to keep you even safer from sites where these nefarious downloads are available.

Chrome: Now, in addition to showing warnings before you download unwanted software, Chrome will show you a new warning, like the one below, before you visit a site that encourages downloads of unwanted software.

Search: Google Search now incorporates signals that identify such deceptive sites. This change reduces the chances you’ll visit these sites via our search results.
Ads: We recently began to disable Google ads that lead to sites with unwanted software.

If you’re a site owner, we recommend that you register your site with Google Webmaster Tools. This will help you stay informed when we find something on your site that leads people to download unwanted software, and will provide you with helpful tips to resolve such issues.

We’re constantly working to keep people safe across the web. Read more about Safe Browsing technology and our work to protect users here.

]]> Posted by Lucas Ballard, Software Engineer

SafeBrowsing helps keep you safe online and includes protection against unwanted software that makes undesirable changes to your computer or interferes with your online experience.

We recently expanded our efforts in Chrome, Search, and ads to keep you even safer from sites where these nefarious downloads are available.

Chrome: Now, in addition to showing warnings before you download unwanted software, Chrome will show you a new warning, like the one below, before you visit a site that encourages downloads of unwanted software.

Search: Google Search now incorporates signals that identify such deceptive sites. This change reduces the chances you’ll visit these sites via our search results.
Ads: We recently began to disable Google ads that lead to sites with unwanted software.

We’re constantly working to keep people safe across the web. Read more about Safe Browsing technology and our work to protect users here.

]]> https://googledata.org/google-online-security/more-protection-from-unwanted-software/feed/ 0 Using Google Cloud Platform for Security Scanning https://googledata.org/google-online-security/using-google-cloud-platform-for-security-scanning/?utm_source=rss&utm_medium=rss&utm_campaign=using-google-cloud-platform-for-security-scanning https://googledata.org/google-online-security/using-google-cloud-platform-for-security-scanning/#comments Thu, 19 Feb 2015 17:00:00 +0000 https://googledata.org/?guid=f879ab53491f168c59ff744148360eb1 Posted by Rob Mann, Security Engineering Manager

[Cross-posted from the Google Cloud Platform Blog]

Deploying a new build is a thrill, but every release should be scanned for security vulnerabilities. And while web application security scanners have existed for years, they’re not always well-suited for Google App Engine developers. They’re often difficult to set up, prone to over-reporting issues (false positives)—which can be time-consuming to filter and triage—and built for security professionals, not developers.

Today, we’re releasing Google Cloud Security Scanner in beta. If you’re using App Engine, you can easily scan your application for two very common vulnerabilities: cross-site scripting (XSS) and mixed content.

While designing Cloud Security Scanner we had three goals:

Make the tool easy to set up and use
Detect the most common issues App Engine developers face with minimal false positives
Support scanning rich, JavaScript-heavy web applications

To try it for yourself, select Compute > App Engine > Security scans in the Google Developers Console to run your first scan, or learn more here.

So How Does It Work?

Crawling and testing modern HTML5, JavaScript-heavy applications with rich multi-step user interfaces is considerably more challenging than scanning a basic HTML page. There are two general approaches to this problem:

Parse the HTML and emulate a browser. This is fast, however, it comes at the cost of missing site actions that require a full DOM or complex JavaScript operations.
Use a real browser. This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution, and time needed for the DOM to settle.

Cloud Security Scanner addresses the weaknesses of both approaches by using a multi-stage pipeline. First, the scanner makes a high speed pass, crawling, and parsing the HTML. It then executes a slow and thorough full-page render to find the more complex sections of your site.

While faster than a real browser crawl, this process is still too slow. So we scale horizontally. Using Google Compute Engine, we dynamically create a botnet of hundreds of virtual Chrome workers to scan your site. Don’t worry, each scan is limited to 20 requests per second or lower.

Then we attack your site (again, don’t worry)! When testing for XSS, we use a completely benign payload that relies on Chrome DevTools to execute the debugger. Once the debugger fires, we know we have JavaScript code execution, so false positives are (almost) non-existent. While this approach comes at the cost of missing some bugs due to application specifics, we think that most developers will appreciate a low effort, low noise experience when checking for security issues—we know Google developers do!

As with all dynamic vulnerability scanners, a clean scan does not necessarily mean you’re security bug free. We still recommend a manual security review by your friendly web app security professional.

Ready to get started? Learn more here. Cloud Security Scanner is currently in beta with many more features to come, and we’d love to hear your feedback. Simply click the “Feedback” button directly within the tool.

]]> Posted by Rob Mann, Security Engineering Manager

[Cross-posted from the Google Cloud Platform Blog]

Deploying a new build is a thrill, but every release should be scanned for security vulnerabilities. And while web application security scanners have existed for years, they’re not always well-suited for Google App Engine developers. They’re often difficult to set up, prone to over-reporting issues (false positives)—which can be time-consuming to filter and triage—and built for security professionals, not developers.

Today, we’re releasing Google Cloud Security Scanner in beta. If you’re using App Engine, you can easily scan your application for two very common vulnerabilities: cross-site scripting (XSS) and mixed content.

While designing Cloud Security Scanner we had three goals:

Make the tool easy to set up and use
Detect the most common issues App Engine developers face with minimal false positives
Support scanning rich, JavaScript-heavy web applications

To try it for yourself, select Compute > App Engine > Security scans in the Google Developers Console to run your first scan, or learn more here.

So How Does It Work?

Parse the HTML and emulate a browser. This is fast, however, it comes at the cost of missing site actions that require a full DOM or complex JavaScript operations.
Use a real browser. This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution, and time needed for the DOM to settle.

]]> https://googledata.org/google-online-security/using-google-cloud-platform-for-security-scanning/feed/ 0 Security Reward Programs: Year in Review, Year in Preview https://googledata.org/google-online-security/security-reward-programs-year-in-review-year-in-preview/?utm_source=rss&utm_medium=rss&utm_campaign=security-reward-programs-year-in-review-year-in-preview https://googledata.org/google-online-security/security-reward-programs-year-in-review-year-in-preview/#comments Fri, 30 Jan 2015 18:05:00 +0000 https://googledata.org/?guid=f651ba7ff16ab9ab9a802726340485d3 Posted by Eduardo Vela Nava, Security Engineer

Since 2010, our Security Reward Programs have been a cornerstone of our relationship with the security research community. These programs have been successful because of two core beliefs:

Security researchers should be rewarded for helping us protect Google's users.
Researchers help us understand how to make Google safer by discovering, disclosing, and helping fix vulnerabilities at a scale that’s difficult to replicate by any other means.

We’re grateful for the terrific work these researchers do to help keep users safe. And so, we wanted to take a look back at 2014 to celebrate their contributions to Google, and in turn, our contributions back to them.

Looking back on 2014

Our Security Reward Programs continue to grow at a rapid clip. We’ve now paid more than $4,000,000 in rewards to security researchers since 2010 across all of our reward programs, and we’re looking forward to more great years to come.

In 2014:

We paid researchers more than $1,500,000.
Our largest single reward was $150,000. The researcher then joined us for an internship.
We rewarded more than 200 different researchers.
We rewarded more than 500 bugs. For Chrome, more than half of all rewarded reports for 2014 were in developer and beta versions. We were able to squash bugs before they could reach our main user population.

The top three contributors to the VRP program in 2014 during a recent visit to Google Zurich: Adrian (Romania), Tomasz (Poland / UK), Nikolai (Ukraine)

What’s new for 2015

We are announcing two additions to our programs today.

First, researchers' efforts through these programs, combined with our own internal security work, make it increasingly difficult to find bugs. Of course, that's good news, but it can also be discouraging when researchers invest their time and struggle to find issues. With this in mind, today we're rolling out a new, experimental program: Vulnerability Research Grants. These are up-front awards that we will provide to researchers before they ever submit a bug.

Here’s how the program works:

We'll publish different types of vulnerabilities, products and services for which we want to support research beyond our normal vulnerability rewards.
We'll award grants immediately before research begins, with no strings attached. Researchers then pursue the research they applied for, as usual.
There will be various tiers of grants, with a maximum of $3,133.70 USD.
On top of the grant, researchers are still eligible for regular rewards for the bugs they discover.

Security researchers should be rewarded for helping us protect Google's users.
Researchers help us understand how to make Google safer by discovering, disclosing, and helping fix vulnerabilities at a scale that’s difficult to replicate by any other means.

We paid researchers more than $1,500,000.
Our largest single reward was $150,000. The researcher then joined us for an internship.
We rewarded more than 200 different researchers.
We rewarded more than 500 bugs. For Chrome, more than half of all rewarded reports for 2014 were in developer and beta versions. We were able to squash bugs before they could reach our main user population.

The top three contributors to the VRP program in 2014 during a recent visit to Google Zurich: Adrian (Romania), Tomasz (Poland / UK), Nikolai (Ukraine)

We'll publish different types of vulnerabilities, products and services for which we want to support research beyond our normal vulnerability rewards.
We'll award grants immediately before research begins, with no strings attached. Researchers then pursue the research they applied for, as usual.
There will be various tiers of grants, with a maximum of $3,133.70 USD.
On top of the grant, researchers are still eligible for regular rewards for the bugs they discover.

To learn more about the current grants, and review your eligibility, have a look at our rules page.

Second, also starting today, all mobile applications officially developed by Google on Google Play and iTunes will now be within the scope of the Vulnerability Reward Program.

We’re looking forward to continuing our close partnership with the security community and rewarding them for their time and efforts in 2015!]]> https://googledata.org/google-online-security/security-reward-programs-year-in-review-year-in-preview/feed/ 0 An Update to End-To-End https://googledata.org/google-online-security/an-update-to-end-to-end/?utm_source=rss&utm_medium=rss&utm_campaign=an-update-to-end-to-end https://googledata.org/google-online-security/an-update-to-end-to-end/#comments Tue, 16 Dec 2014 19:49:00 +0000 https://googledata.org/?guid=474ff4d514953ebe33460ed6db3f667d Posted by Stephan Somogyi, Product Manager, Security and Privacy

In June, we announced and launched End-To-End, a tool for those who need even more security for their communications than what we already provide. Today, we’re launching an updated version of our extension — still in alpha — that includes a number of changes:

We’re migrating End-To-End to GitHub. We’ve always believed strongly that End-To-End must be an open source project, and we think that using GitHub will allow us to work together even better with the community.
We’ve included several contributions from Yahoo Inc. Alex Stamos, Yahoo’s Chief Security Officer, announced at BlackHat 2014 in August that his team would be participating in our End-To-End project; we’re very happy to release the first fruits of this collaboration.
We’ve added more documentation. The project wiki now contains additional information about End-To-End, both for developers as well as security researchers interested in understanding better how we think about End-To-End’s security model.

We’re migrating End-To-End to GitHub. We’ve always believed strongly that End-To-End must be an open source project, and we think that using GitHub will allow us to work together even better with the community.
We’ve included several contributions from Yahoo Inc. Alex Stamos, Yahoo’s Chief Security Officer, announced at BlackHat 2014 in August that his team would be participating in our End-To-End project; we’re very happy to release the first fruits of this collaboration.
We’ve added more documentation. The project wiki now contains additional information about End-To-End, both for developers as well as security researchers interested in understanding better how we think about End-To-End’s security model.

We’re very thankful to all those who submitted bugs against the first alpha release. Two of those bugs earned a financial reward through our Vulnerability Rewards Program. One area where we didn’t receive many bug reports was in End-To-End’s new crypto library. On the contrary: we heard from several other projects who want to use our library, and we’re looking forward to working with them.

One thing hasn’t changed for this release: we aren’t yet making End-To-End available in the Chrome Web Store. We don’t feel it’s as usable as it needs to be. Indeed, those looking through the source code will see references to our key server, and it should come as no surprise that we’re working on one. Key distribution and management is one of the hardest usability problems with cryptography-related products, and we won’t release End-To-End in non-alpha form until we have a solution we’re content with.

We’re excited to continue working on these challenging and rewarding problems, and we look forward to delivering a more fully fledged End-to-End next year.]]> https://googledata.org/google-online-security/an-update-to-end-to-end/feed/ 0 Reject the Unexpected – Content Security Policy in Gmail https://googledata.org/google-online-security/reject-the-unexpected-content-security-policy-in-gmail-2/?utm_source=rss&utm_medium=rss&utm_campaign=reject-the-unexpected-content-security-policy-in-gmail-2 https://googledata.org/google-online-security/reject-the-unexpected-content-security-policy-in-gmail-2/#comments Tue, 16 Dec 2014 19:12:00 +0000 https://googledata.org/?guid=700f791cff38be5eadb1cf590f00c28e Posted by Danesh Irani, Software Engineer, Gmail Security

(Cross-posted from the Gmail Blog)

We know that the safety and reliability of your Gmail is super important to you, which is why we’re always working on security improvements like serving images through secure proxy servers, and requiring HTTPS. Today, Gmail on the desktop is becoming more secure with support for Content Security Policy (CSP). CSP helps provide a layer of defense against a common class of security vulnerabilities known as cross-site scripting (XSS).

There are many great extensions for Gmail. Unfortunately, there are also some extensions that behave badly, loading code which interferes with your Gmail session, or which compromises your email’s security. Gmail’s CSP helps protect you, by making it more difficult to load unsafe code into Gmail.

Most popular (and well-behaved) extensions have already been updated to work with the CSP standard, but if you happen to have any trouble with an extension, try installing its latest version from your browser’s web store (for example, the Chrome Web Store for Chrome users).

CSP is just another example of how Gmail can help make your email experience safer. For advice and tools that help keep you safe across the web, you can always visit the Google Security Center.

This post was updated on December 18th to add a description of the XSS defense benefit of CSP, and to more precisely define the interaction with extensions.]]> Posted by Danesh Irani, Software Engineer, Gmail Security

(Cross-posted from the Gmail Blog)

We know that the safety and reliability of your Gmail is super important to you, which is why we’re always working on security improvements like serving images through secure proxy servers, and requiring HTTPS. Today, Gmail on the desktop is becoming more secure with support for Content Security Policy (CSP). CSP helps provide a layer of defense against a common class of security vulnerabilities known as cross-site scripting (XSS).

There are many great extensions for Gmail. Unfortunately, there are also some extensions that behave badly, loading code which interferes with your Gmail session, or which compromises your email’s security. Gmail’s CSP helps protect you, by making it more difficult to load unsafe code into Gmail.

Most popular (and well-behaved) extensions have already been updated to work with the CSP standard, but if you happen to have any trouble with an extension, try installing its latest version from your browser’s web store (for example, the Chrome Web Store for Chrome users).

CSP is just another example of how Gmail can help make your email experience safer. For advice and tools that help keep you safe across the web, you can always visit the Google Security Center.

This post was updated on December 18th to add a description of the XSS defense benefit of CSP, and to more precisely define the interaction with extensions.]]> https://googledata.org/google-online-security/reject-the-unexpected-content-security-policy-in-gmail-2/feed/ 0 Are you a robot? Introducing “No CAPTCHA reCAPTCHA” https://googledata.org/google-online-security/are-you-a-robot-introducing-no-captcha-recaptcha/?utm_source=rss&utm_medium=rss&utm_campaign=are-you-a-robot-introducing-no-captcha-recaptcha https://googledata.org/google-online-security/are-you-a-robot-introducing-no-captcha-recaptcha/#comments Wed, 03 Dec 2014 14:00:00 +0000 https://googledata.org/?guid=e0ac914a5b799c5c1db21f9728212ee3 Posted by Vinay Shet, Product Manager, reCAPTCHA

reCAPTCHA protects the websites you love from spam and abuse. So, when you go online—say, for some last-minute holiday shopping—you won't be competing with robots and abusive scripts to access sites. For years, we’ve prompted users to confirm they aren’t robots by asking them to read distorted text and type it into a box, like this:

But, we figured it would be easier to just directly ask our users whether or not they are robots—so, we did! We’ve begun rolling out a new API that radically simplifies the reCAPTCHA experience. We’re calling it the “No CAPTCHA reCAPTCHA” and this is how it looks:

On websites using this new API, a significant number of users will be able to securely and easily verify they’re human without actually having to solve a CAPTCHA. Instead, with just a single click, they’ll confirm they are not a robot.

A brief history of CAPTCHAs

While the new reCAPTCHA API may sound simple, there is a high degree of sophistication behind that modest checkbox. CAPTCHAs have long relied on the inability of robots to solve distorted text. However, our research recently showed that today’s Artificial Intelligence technology can solve even the most difficult variant of distorted text at 99.8% accuracy. Thus distorted text, on its own, is no longer a dependable test.

To counter this, last year we developed an Advanced Risk Analysis backend for reCAPTCHA that actively considers a user’s entire engagement with the CAPTCHA—before, during, and after—to determine whether that user is a human. This enables us to rely less on typing distorted text and, in turn, offer a better experience for users. We talked about this in our Valentine’s Day post earlier this year.

The new API is the next step in this steady evolution. Now, humans can just check the box and in most cases, they’re through the challenge.

Are you sure you’re not a robot?

However, CAPTCHAs aren't going away just yet. In cases when the risk analysis engine can't confidently predict whether a user is a human or an abusive agent, it will prompt a CAPTCHA to elicit more cues, increasing the number of security checkpoints to confirm the user is valid.

Making reCAPTCHAs mobile-friendly

This new API also lets us experiment with new types of challenges that are easier for us humans to use, particularly on mobile devices. In the example below, you can see a CAPTCHA based on a classic Computer Vision problem of image labeling. In this version of the CAPTCHA challenge, you’re asked to select all of the images that correspond with the clue. It's much easier to tap photos of cats or turkeys than to tediously type a line of distorted text on your phone.

Adopting the new API on your site

As more websites adopt the new API, more people will see "No CAPTCHA reCAPTCHAs". Early adopters, like Snapchat, WordPress, Humble Bundle, and several others are already seeing great results with this new API. For example, in the last week, more than 60% of WordPress’ traffic and more than 80% of Humble Bundle’s traffic on reCAPTCHA encountered the No CAPTCHA experience—users got to these sites faster. To adopt the new reCAPTCHA for your website, visit our site to learn more.

Humans, we'll continue our work to keep the Internet safe and easy to use. Abusive bots and scripts, it’ll only get worse—sorry we’re (still) not sorry.]]> Posted by Vinay Shet, Product Manager, reCAPTCHA

reCAPTCHA protects the websites you love from spam and abuse. So, when you go online—say, for some last-minute holiday shopping—you won't be competing with robots and abusive scripts to access sites. For years, we’ve prompted users to confirm they aren’t robots by asking them to read distorted text and type it into a box, like this:

Adopting the new API on your site

As more websites adopt the new API, more people will see "No CAPTCHA reCAPTCHAs". Early adopters, like Snapchat, WordPress, Humble Bundle, and several others are already seeing great results with this new API. For example, in the last week, more than 60% of WordPress’ traffic and more than 80% of Humble Bundle’s traffic on reCAPTCHA encountered the No CAPTCHA experience—users got to these sites faster. To adopt the new reCAPTCHA for your website, visit our site to learn more.

Humans, we'll continue our work to keep the Internet safe and easy to use. Abusive bots and scripts, it’ll only get worse—sorry we’re (still) not sorry.]]> https://googledata.org/google-online-security/are-you-a-robot-introducing-no-captcha-recaptcha/feed/ 0 HTTPS as a ranking signal https://googledata.org/google-online-security/https-as-a-ranking-signal/?utm_source=rss&utm_medium=rss&utm_campaign=https-as-a-ranking-signal https://googledata.org/google-online-security/https-as-a-ranking-signal/#comments Thu, 07 Aug 2014 05:25:00 +0000 https://googledata.org/?guid=ded90a30059bf6cf2e8ccbece574d157 Cross-posted from the Webmaster Central Blog

Security is a top priority for Google. We invest a lot in making sure that our services use industry-leading security, like strong HTTPS encryption by default. That means that people using Search, Gmail and Drive, for example, automatically have a secure connection to Google.

Beyond our own stuff, we’re also working to make the Internet safer more broadly. A big part of that is making sure that websites people access from Google are secure. For instance, we have created resources to help webmasters prevent and fix security breaches on their sites.

We want to go even further. At Google I/O a few months ago, we called for “HTTPS everywhere” on the web.

We’ve also seen more and more webmasters adopting HTTPS (also known as HTTP over TLS, or Transport Layer Security), on their website, which is encouraging.

For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

In the coming weeks, we’ll publish detailed best practices (we’ll add a link to it from here) to make TLS adoption easier, and to avoid common mistakes. Here are some basic tips to get started:

Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
Use 2048-bit key certificates
Use relative URLs for resources that reside on the same secure domain
Use protocol relative URLs for all other domains
Check out our Site move article for more guidelines on how to change your website’s address
Don’t block your HTTPS site from crawling using robots.txt
Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag

If your website is already serving on HTTPS, you can test its security level and configuration with the Qualys Lab tool. If you are concerned about TLS and your site’s performance, have a look at Is TLS fast yet?. And of course, if you have any questions or concerns, please feel free to post in our Webmaster Help Forums.

We hope to see more websites using HTTPS in the future. Let’s all make the web more secure!

Posted by Zineb Ait Bahajji and Gary Illyes, Webmaster Trends Analysts

]]> Cross-posted from the Webmaster Central Blog

We want to go even further. At Google I/O a few months ago, we called for “HTTPS everywhere” on the web.

We’ve also seen more and more webmasters adopting HTTPS (also known as HTTP over TLS, or Transport Layer Security), on their website, which is encouraging.

In the coming weeks, we’ll publish detailed best practices (we’ll add a link to it from here) to make TLS adoption easier, and to avoid common mistakes. Here are some basic tips to get started:

Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
Use 2048-bit key certificates
Use relative URLs for resources that reside on the same secure domain
Use protocol relative URLs for all other domains
Check out our Site move article for more guidelines on how to change your website’s address
Don’t block your HTTPS site from crawling using robots.txt
Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag

We hope to see more websites using HTTPS in the future. Let’s all make the web more secure!

Posted by Zineb Ait Bahajji and Gary Illyes, Webmaster Trends Analysts

]]> https://googledata.org/google-online-security/https-as-a-ranking-signal/feed/ 0 Announcing Project Zero https://googledata.org/google-online-security/announcing-project-zero/?utm_source=rss&utm_medium=rss&utm_campaign=announcing-project-zero https://googledata.org/google-online-security/announcing-project-zero/#comments Tue, 15 Jul 2014 12:30:00 +0000 https://googledata.org/?guid=7b2cd452b96b98bf3245b5358e17becb Posted by Chris Evans, Researcher Herder

Security is a top priority for Google. We've invested a lot in making our products secure, including strong SSL encryption by default for Search, Gmail and Drive, as well as encrypting data moving between our data centers. Beyond securing our own products, interested Googlers also spend some of their time on research that makes the Internet safer, leading to the discovery of bugs like Heartbleed.

The success of that part-time research has led us to create a new, well-staffed team called Project Zero.

You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.

Project Zero is our contribution, to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks. We're hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.

We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We'll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we'll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment.

We commit to doing our work transparently. Every bug we discover will be filed in an external database. We will only report bugs to the software's vendor—and no third parties. Once the bug report becomes public (typically once a patch is available), you'll be able to monitor vendor time-to-fix performance, see any discussion about exploitability, and view historical exploits and crash traces. We also commit to sending bug reports to vendors in as close to real-time as possible, and to working with them to get fixes to users in a reasonable time.

We're hiring. We believe that most security researchers do what they do because they love what they do. What we offer that we think is new is a place to do what you love—but in the open and without distraction. We'll also be looking at ways to involve the wider community, such as extensions of our popular reward initiatives and guest blog posts. As we find things that are particularly interesting, we'll discuss them on our blog, which we hope you'll follow.

]]> Posted by Chris Evans, Researcher Herder

The success of that part-time research has led us to create a new, well-staffed team called Project Zero.

]]> https://googledata.org/google-online-security/announcing-project-zero/feed/ 0 Maintaining digital certificate security https://googledata.org/google-online-security/maintaining-digital-certificate-security/?utm_source=rss&utm_medium=rss&utm_campaign=maintaining-digital-certificate-security https://googledata.org/google-online-security/maintaining-digital-certificate-security/#comments Tue, 08 Jul 2014 17:00:00 +0000 https://googledata.org/?guid=51f90d2c8c0302050a3c84c16a5a9f9c Posted by Adam Langley, Security Engineer

On Wednesday, July 2, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).

The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn’t include these certificates.

We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.

We promptly alerted NIC, India CCA and Microsoft about the incident, and we blocked the misissued certificates in Chrome with a CRLSet push.

On July 3, India CCA informed us that they revoked all the NIC intermediate certificates, and another CRLSet push was performed to include that revocation.

Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.

At this time, India CCA is still investigating this incident. This event also highlights, again, that our Certificate Transparency project is critical for protecting the security of certificates in the future.

Update Jul 9: India CCA informed us of the results of their investigation on July 8. They reported that NIC’s issuance process was compromised and that only four certificates were misissued; the first on June 25. The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown.

The intermediate CA certificates held by NIC were revoked on July 3, as noted above. But a root CA is responsible for all certificates issued under its authority. In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users:

gov.in
nic.in
ac.in
rbi.org.in
bankofindia.co.in
ncode.in
tcs.co.in

]]> Posted by Adam Langley, Security Engineer

Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.

gov.in
nic.in
ac.in
rbi.org.in
bankofindia.co.in
ncode.in
tcs.co.in

]]> https://googledata.org/google-online-security/maintaining-digital-certificate-security/feed/ 0 Google Drive update to protect to shared links https://googledata.org/google-online-security/google-drive-update-to-protect-to-shared-links/?utm_source=rss&utm_medium=rss&utm_campaign=google-drive-update-to-protect-to-shared-links https://googledata.org/google-online-security/google-drive-update-to-protect-to-shared-links/#comments Fri, 27 Jun 2014 21:06:00 +0000 https://googledata.org/?guid=cdcdeb52c08d0cd1ea3f904dcbe4fd9f Posted by Kevin Stadmeyer, Technical Program Manager

At Google, ensuring the security of our users is a top priority, and we are constantly assessing how we can make our services even more secure. We recently received a report via our Vulnerability Reward Program of a security issue affecting a small subset of file types in Google Drive and have since made an update to address it.

This issue is only relevant if all of the following apply:

The file was uploaded to Google Drive
The file was not converted to Docs, Sheets, or Slides (i.e. remained in its original format such as .pdf, .docx, etc.)
The owner changed sharing settings so that the document was available to “Anyone with the link”
The file contained hyperlinks to third-party HTTPS websites in its content

In this specific instance, if a user clicked on the embedded hyperlink, the administrator of that third-party site could potentially receive header information that may have allowed him or her to see the URL of the original document that linked to his or her site.

Today’s update to Drive takes extra precaution by ensuring that newly shared documents with hyperlinks to third-party HTTPS websites will not inadvertently relay the original document’s URL.

While any documents shared going forward are no longer impacted by this issue, if one of your previously shared documents meets all four of the criteria above, you can generate a new sharing link with the following steps:

Create a copy of the document, via File > "Make a copy..."
Share the copy of the document with particular people or via a new shareable link, via the “Share” button
Delete the original document

]]> Posted by Kevin Stadmeyer, Technical Program Manager

The file was uploaded to Google Drive
The file was not converted to Docs, Sheets, or Slides (i.e. remained in its original format such as .pdf, .docx, etc.)
The owner changed sharing settings so that the document was available to “Anyone with the link”
The file contained hyperlinks to third-party HTTPS websites in its content

Create a copy of the document, via File > "Make a copy..."
Share the copy of the document with particular people or via a new shareable link, via the “Share” button
Delete the original document

]]> https://googledata.org/google-online-security/google-drive-update-to-protect-to-shared-links/feed/ 0 See what your apps & extensions have been up to https://googledata.org/google-online-security/see-what-your-apps-extensions-have-been-up-to/?utm_source=rss&utm_medium=rss&utm_campaign=see-what-your-apps-extensions-have-been-up-to https://googledata.org/google-online-security/see-what-your-apps-extensions-have-been-up-to/#comments Tue, 10 Jun 2014 18:31:00 +0000 https://googledata.org/?guid=fb9ecfe2b7acc1aa0ed9a4597f1f0be9
Cross-posted from the Chromium Blog

Extensions are a great way to enhance the browsing experience. However, some extensions ask for broad permissions that allow access to sensitive data such as browser cookies or history. Last year, we introduced the Chrome Apps & Extensions Developer Tool, which provides an improved developer experience for debugging apps and extensions. The newest version of the tool, available today, lets power users audit any app or extension and get visibility into the precise actions that it's performing.

Once you’ve installed the Chrome Apps & Extensions Developer Tool, it will start locally auditing your extensions and apps as you use them. For each app or extension, you can see historical activity over the past few days as well as real-time activity by clicking the “Behavior” link. The tool highlights activities that involve your information, such as reading website cookies or modifying web sites, in a privacy section. You can also search for URLs to see if an extension has modified any matching pages. If you’re debugging an app or extension, you can use the “Realtime” tab to watch the stream of API calls as an extension or app runs. This can help you track down glitches or identify unnecessary API calls.

Whether you’re a Chrome power user or a developer testing an extension, the Chrome Apps & Extensions Developer Tool can give you the information you need to understand how apps and extensions affect your browsing.

Posted by Adrienne Porter Felt, Software Engineer and Extension Tinkerer

]]>
Cross-posted from the Chromium Blog

]]> https://googledata.org/google-online-security/see-what-your-apps-extensions-have-been-up-to/feed/ 0 Making end-to-end encryption easier to use https://googledata.org/google-online-security/making-end-to-end-encryption-easier-to-use/?utm_source=rss&utm_medium=rss&utm_campaign=making-end-to-end-encryption-easier-to-use https://googledata.org/google-online-security/making-end-to-end-encryption-easier-to-use/#comments Tue, 03 Jun 2014 19:56:00 +0000 https://googledata.org/?guid=574a27d365f89145f035f257806b1834 posted by Stephan Somogyi, Product Manager, Security and Privacy

Your security online has always been a top priority for us, and we’re constantly working to make sure your data is safe. For example, Gmail supported HTTPS when it first launched and now always uses an encrypted connection when you check or send email in your browser. We warn people in Gmail and Chrome when we have reason to believe they’re being targeted by bad actors. We also alert you to malware and phishing when we find it.

Today, we’re adding to that list the alpha version of a new tool. It’s called End-to-End and it’s a Chrome extension intended for users who need additional security beyond what we already provide.

“End-to-end” encryption means data leaving your browser will be encrypted until the message’s intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser.

While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools.

However, you won’t find the End-to-End extension in the Chrome Web Store quite yet; we’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it. (And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.)

Once we feel that the extension is ready for primetime, we’ll make it available in the Chrome Web Store, and anyone will be able to use it to send and receive end-to-end encrypted emails through their existing web-based email provider.

We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection. But we hope that the End-to-End extension will make it quicker and easier for people to get that extra layer of security should they need it.

You can find more technical details describing how we've architected and implemented End-to-End here.]]> https://googledata.org/google-online-security/making-end-to-end-encryption-easier-to-use/feed/ 0 Speeding up and strengthening HTTPS connections for Chrome on Android https://googledata.org/google-online-security/speeding-up-and-strengthening-https-connections-for-chrome-on-android/?utm_source=rss&utm_medium=rss&utm_campaign=speeding-up-and-strengthening-https-connections-for-chrome-on-android https://googledata.org/google-online-security/speeding-up-and-strengthening-https-connections-for-chrome-on-android/#comments Thu, 24 Apr 2014 19:00:00 +0000 https://googledata.org/?guid=0cb112ad0979c317a6958f7393554c09 Posted by Elie Bursztein, Anti-Abuse Research Lead

Earlier this year, we deployed a new TLS cipher suite in Chrome that operates three times faster than AES-GCM on devices that don’t have AES hardware acceleration, including most Android phones, wearable devices such as Google Glass and older computers. This improves user experience, reducing latency and saving battery life by cutting down the amount of time spent encrypting and decrypting data.

To make this happen, Adam Langley, Wan-Teh Chang, Ben Laurie and I began implementing new algorithms -- ChaCha 20 for symmetric encryption and Poly1305 for authentication -- in OpenSSL and NSS in March 2013. It was a complex effort that required implementing a new abstraction layer in OpenSSL in order to support the Authenticated Encryption with Associated Data (AEAD) encryption mode properly. AEAD enables encryption and authentication to happen concurrently, making it easier to use and optimize than older, commonly-used modes such as CBC. Moreover, recent attacks against RC4 and CBC also prompted us to make this change.

The benefits of this new cipher suite include:

Better security: ChaCha20 is immune to padding-oracle attacks, such as the Lucky13, which affect CBC mode as used in TLS. By design, ChaCha20 is also immune to timing attacks. Check out a detailed description of TLS ciphersuites weaknesses in our earlier post.
Better performance: ChaCha20 and Poly1305 are very fast on mobile and wearable devices, as their designs are able to leverage common CPU instructions, including ARM vector instructions. Poly1305 also saves network bandwidth, since its output is only 16 bytes compared to HMAC-SHA1, which is 20 bytes. This represents a 16% reduction of the TLS network overhead incurred when using older ciphersuites such as RC4-SHA or AES-SHA. The expected acceleration compared to AES-GCM for various platforms is summarized in the chart below.

As of February 2014, almost all HTTPS connections made from Chrome browsers on Android devices to Google properties have used this new cipher suite. We plan to make it available as part of the Android platform in a future release. If you’d like to verify which cipher suite Chrome is currently using, on an Android device or on desktop, just click on the padlock in the URL bar and look at the connection tab. If Chrome is using ChaCha20-Poly1305 you will see the following information:

Better security: ChaCha20 is immune to padding-oracle attacks, such as the Lucky13, which affect CBC mode as used in TLS. By design, ChaCha20 is also immune to timing attacks. Check out a detailed description of TLS ciphersuites weaknesses in our earlier post.
Better performance: ChaCha20 and Poly1305 are very fast on mobile and wearable devices, as their designs are able to leverage common CPU instructions, including ARM vector instructions. Poly1305 also saves network bandwidth, since its output is only 16 bytes compared to HMAC-SHA1, which is 20 bytes. This represents a 16% reduction of the TLS network overhead incurred when using older ciphersuites such as RC4-SHA or AES-SHA. The expected acceleration compared to AES-GCM for various platforms is summarized in the chart below.

ChaCha20 and Poly1305 were designed by Prof. Dan Bernstein from the University of Illinois at Chicago. The simple and efficient design of these algorithms combined with the extensive vetting they received from the scientific community make us confident that these algorithms will bring the security and speed needed to secure mobile communication. Moreover, selecting algorithms that are free for everyone to use is also in line with our commitment to openness and transparency.

We would like to thank the people who made this possible: Dan Bernstein who invented and implemented both ChaCha/20 and Poly1305, Andrew Moon for his open-source implementation of Poly1305, Ted Krovetz for his open-source implementation of ChaCha20 and Peter Schwabe for his implementation work. We hope there will be even greater adoption of this cipher suite, and look forward to seeing other websites deprecate AES-SHA1 and RC4-SHA1 in favor of AES-GCM and ChaCha20-Poly1305 since they offer safer and faster alternatives. IETF draft standards for this cipher suite are available here and here.]]> https://googledata.org/google-online-security/speeding-up-and-strengthening-https-connections-for-chrome-on-android/feed/ 0 New Security Measures Will Affect Older (non-OAuth 2.0) Applications https://googledata.org/google-online-security/new-security-measures-will-affect-older-non-oauth-2-0-applications/?utm_source=rss&utm_medium=rss&utm_campaign=new-security-measures-will-affect-older-non-oauth-2-0-applications https://googledata.org/google-online-security/new-security-measures-will-affect-older-non-oauth-2-0-applications/#comments Wed, 23 Apr 2014 17:00:00 +0000 https://googledata.org/?guid=9a1c078a3d0a4deca4fd528f840b1d13 Posted by Antonio Fuentes, Product Manager, Google Identity Team

There is nothing more important than making sure our users and their information stay safe online. Doing that means providing security features at the user-level like 2-Step Verification and recovery options, and also involves a lot of work behind the scenes, both at Google and with developers like you. We've already implemented developer tools including Google Sign-In and support for OAuth 2.0 in Google APIs and IMAP, SMTP and XMPP, and we’re always looking to raise the bar.

That's why, beginning in the second half of 2014, we'll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.

To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications.

The standard Internet protocols we support all work with OAuth 2.0, as do most of our APIs. We leverage the work done by the IETF on OAuth 2.0 integration with IMAP, SMTP, POP, XMPP, CalDAV, and CardDAV.

In summary, if your application currently uses plain passwords to authenticate to Google, we strongly encourage you to minimize user disruption by switching to OAuth 2.0.]]> Posted by Antonio Fuentes, Product Manager, Google Identity Team

There is nothing more important than making sure our users and their information stay safe online. Doing that means providing security features at the user-level like 2-Step Verification and recovery options, and also involves a lot of work behind the scenes, both at Google and with developers like you. We've already implemented developer tools including Google Sign-In and support for OAuth 2.0 in Google APIs and IMAP, SMTP and XMPP, and we’re always looking to raise the bar.

That's why, beginning in the second half of 2014, we'll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.

To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications.

The standard Internet protocols we support all work with OAuth 2.0, as do most of our APIs. We leverage the work done by the IETF on OAuth 2.0 integration with IMAP, SMTP, POP, XMPP, CalDAV, and CardDAV.

In summary, if your application currently uses plain passwords to authenticate to Google, we strongly encourage you to minimize user disruption by switching to OAuth 2.0. ]]> https://googledata.org/google-online-security/new-security-measures-will-affect-older-non-oauth-2-0-applications/feed/ 0 Street View and reCAPTCHA technology just got smarter https://googledata.org/google-online-security/street-view-and-recaptcha-technology-just-got-smarter/?utm_source=rss&utm_medium=rss&utm_campaign=street-view-and-recaptcha-technology-just-got-smarter https://googledata.org/google-online-security/street-view-and-recaptcha-technology-just-got-smarter/#comments Wed, 16 Apr 2014 15:31:00 +0000 https://googledata.org/?guid=0ca41990d01c32d39daf002394009261 Posted by Vinay Shet, Product Manager, reCAPTCHA

Have you ever wondered how Google Maps knows the exact location of your neighborhood coffee shop? Or of the hotel you’re staying at next month? Translating a street address to an exact location on a map is harder than it seems. To take on this challenge and make Google Maps even more useful, we’ve been working on a new system to help locate addresses even more accurately, using some of the technology from the Street View and reCAPTCHA teams.

This technology finds and reads street numbers in Street View, and correlates those numbers with existing addresses to pinpoint their exact location on Google Maps. We’ve described these findings in a scientific paper at the International Conference on Learning Representations (ICLR). In this paper, we show that this system is able to accurately detect and read difficult numbers in Street View with 90% accuracy.

Street View numbers correctly identified by the algorithm

These findings have surprising implications for spam and abuse protection on the Internet as well. For more than a decade, CAPTCHAs have used visual puzzles in the form of distorted text to help webmasters prevent automated software from engaging in abusive activities on their sites. Turns out that this new algorithm can also be used to read CAPTCHA puzzles—we found that it can decipher the hardest distorted text puzzles from reCAPTCHA with over 99% accuracy. This shows that the act of typing in the answer to a distorted image should not be the only factor when it comes to determining a human versus a machine.

Fortunately, Google’s reCAPTCHA has taken this into consideration, and reCAPTCHA is more secure today than ever before. Last year, we announced that we’ve significantly reduced our dependence on text distortions as the main differentiator between human and machine, and instead perform advanced risk analysis. This has also allowed us to simplify both our text CAPTCHAs as well as our audio CAPTCHAs, so that getting through this security measure is easy for humans, but still keeps websites protected.

CAPTCHA images correctly solved by the algorithm

Street View numbers correctly identified by the algorithm

CAPTCHA images correctly solved by the algorithm

Thanks to this research, we know that relying on distorted text alone isn’t enough. However, it’s important to note that simply identifying the text in CAPTCHA puzzles correctly doesn’t mean that reCAPTCHA itself is broken or ineffective. On the contrary, these findings have helped us build additional safeguards against bad actors in reCAPTCHA.

As the Street View and reCAPTCHA teams continue to work closely together, both will continue to improve, making Maps more precise and useful and reCAPTCHA safer and more effective. For more information, check out the reCAPTCHA site and the scientific paper from ICLR 2014.]]> https://googledata.org/google-online-security/street-view-and-recaptcha-technology-just-got-smarter/feed/ 0 Google’s Public DNS intercepted in Turkey https://googledata.org/google-online-security/googles-public-dns-intercepted-in-turkey/?utm_source=rss&utm_medium=rss&utm_campaign=googles-public-dns-intercepted-in-turkey https://googledata.org/google-online-security/googles-public-dns-intercepted-in-turkey/#comments Sat, 29 Mar 2014 23:45:00 +0000 https://googledata.org/?guid=e71dcd038fcf18272858034893231885 Posted by Steven Carstensen, Software Engineer

We have received several credible reports and confirmed with our own research that Google’s Domain Name System (DNS) service has been intercepted by most Turkish ISPs (Internet Service Providers).

A DNS server tells your computer the address of a server it’s looking for, in the same way that you might look up a phone number in a phone book. Google operates DNS servers because we believe that you should be able to quickly and securely make your way to whatever host you’re looking for, be it YouTube, Twitter, or any other.

But imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service.]]> Posted by Steven Carstensen, Software Engineer

We have received several credible reports and confirmed with our own research that Google’s Domain Name System (DNS) service has been intercepted by most Turkish ISPs (Internet Service Providers).

A DNS server tells your computer the address of a server it’s looking for, in the same way that you might look up a phone number in a phone book. Google operates DNS servers because we believe that you should be able to quickly and securely make your way to whatever host you’re looking for, be it YouTube, Twitter, or any other.

But imagine if someone had changed out your phone book with another one, which looks pretty much the same as before, except that the listings for a few people showed the wrong phone number. That’s essentially what’s happened: Turkish ISPs have set up servers that masquerade as Google’s DNS service. ]]> https://googledata.org/google-online-security/googles-public-dns-intercepted-in-turkey/feed/ 0 If you could tell a user three things to do to stay safe online, what would they be? https://googledata.org/google-online-security/if-you-could-tell-a-user-three-things-to-do-to-stay-safe-online-what-would-they-be/?utm_source=rss&utm_medium=rss&utm_campaign=if-you-could-tell-a-user-three-things-to-do-to-stay-safe-online-what-would-they-be https://googledata.org/google-online-security/if-you-could-tell-a-user-three-things-to-do-to-stay-safe-online-what-would-they-be/#comments Wed, 26 Mar 2014 18:32:00 +0000 https://googledata.org/?guid=82619be9837e8f9d8fd4b6732a1b9dab Posted by Rob Reeder, User Experience Research Team

At Google, we’re constantly trying to improve security for our users. Besides the many technical security features we build, our efforts include educating users with advice about what they can do to stay safe online. Our Safety Center is a great example of this. But we’re always trying to do better and have been looking for ways to improve how we provide security advice to users.

That’s why we’ve started a research project to try to pare down existing security advice to a small set of things we can realistically expect our users to do to stay safe online. As part of this project, we are currently running a survey of security experts to see what advice they think is most important.

If you work in security, we’d really appreciate your input. Please take our survey here: goo.gl/F4fJ59.

With your input we can draw on our collective expertise to get closer to an optimal set of advice that users can realistically follow, and thus, be safer online. Thanks!]]> Posted by Rob Reeder, User Experience Research Team

At Google, we’re constantly trying to improve security for our users. Besides the many technical security features we build, our efforts include educating users with advice about what they can do to stay safe online. Our Safety Center is a great example of this. But we’re always trying to do better and have been looking for ways to improve how we provide security advice to users.

That’s why we’ve started a research project to try to pare down existing security advice to a small set of things we can realistically expect our users to do to stay safe online. As part of this project, we are currently running a survey of security experts to see what advice they think is most important.

If you work in security, we’d really appreciate your input. Please take our survey here: goo.gl/F4fJ59.

With your input we can draw on our collective expertise to get closer to an optimal set of advice that users can realistically follow, and thus, be safer online. Thanks! ]]> https://googledata.org/google-online-security/if-you-could-tell-a-user-three-things-to-do-to-stay-safe-online-what-would-they-be/feed/ 0 Staying at the forefront of email security and reliability: HTTPS-only and 99.978 percent availability https://googledata.org/google-online-security/staying-at-the-forefront-of-email-security-and-reliability-https-only-and-99-978-percent-availability/?utm_source=rss&utm_medium=rss&utm_campaign=staying-at-the-forefront-of-email-security-and-reliability-https-only-and-99-978-percent-availability https://googledata.org/google-online-security/staying-at-the-forefront-of-email-security-and-reliability-https-only-and-99-978-percent-availability/#comments Thu, 20 Mar 2014 16:52:00 +0000 https://googledata.org/?guid=e91e1935683757e00bf72841366a93fe Posted by Nicolas Lidzborski, Gmail Security Engineering Lead

Cross-posted on the Official Google Blog and Gmail Blog

Your email is important to you, and making sure it stays safe and always available is important to us. As you go about your day reading, writing, and checking messages, there are tons of security measures running behind the scenes to keep your email safe, secure, and there whenever you need it.

Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you're using public WiFi or logging in from your computer, phone or tablet.

In addition, every single email message you send or receive—100 percent of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers—something we made a top priority after last summer’s revelations.

Of course, being able to access your email is just as important as keeping it safe and secure. In 2013, Gmail was available 99.978 percent of the time, which averages to less than two hours of disruption for a user for the entire year. Our engineering experts look after Google's services 24x7 and if a problem ever arises, they're on the case immediately. We keep you informed by posting updates on the Apps Status Dashboard until the issue is fixed, and we always conduct a full analysis on the problem to prevent it from happening again.

Our commitment to the security and reliability of your email is absolute, and we’re constantly working on ways to improve. You can learn about additional ways to keep yourself safe online, like creating strong passwords and enabling 2-step verification, by visiting the Security Center: https://www.google.com/help/security.]]> Posted by Nicolas Lidzborski, Gmail Security Engineering Lead

Cross-posted on the Official Google Blog and Gmail Blog

Your email is important to you, and making sure it stays safe and always available is important to us. As you go about your day reading, writing, and checking messages, there are tons of security measures running behind the scenes to keep your email safe, secure, and there whenever you need it.

Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you're using public WiFi or logging in from your computer, phone or tablet.

In addition, every single email message you send or receive—100 percent of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers—something we made a top priority after last summer’s revelations.

Of course, being able to access your email is just as important as keeping it safe and secure. In 2013, Gmail was available 99.978 percent of the time, which averages to less than two hours of disruption for a user for the entire year. Our engineering experts look after Google's services 24x7 and if a problem ever arises, they're on the case immediately. We keep you informed by posting updates on the Apps Status Dashboard until the issue is fixed, and we always conduct a full analysis on the problem to prevent it from happening again.

Our commitment to the security and reliability of your email is absolute, and we’re constantly working on ways to improve. You can learn about additional ways to keep yourself safe online, like creating strong passwords and enabling 2-step verification, by visiting the Security Center: https://www.google.com/help/security. ]]> https://googledata.org/google-online-security/staying-at-the-forefront-of-email-security-and-reliability-https-only-and-99-978-percent-availability/feed/ 0 CAPTCHAs that capture your heart https://googledata.org/google-online-security/captchas-that-capture-your-heart/?utm_source=rss&utm_medium=rss&utm_campaign=captchas-that-capture-your-heart https://googledata.org/google-online-security/captchas-that-capture-your-heart/#comments Fri, 14 Feb 2014 14:00:00 +0000 https://googledata.org/?guid=297949791daf6e9945f09d88396efba3 Posted by Vinay Shet, Product Manager, reCAPTCHA

Notice something different about reCAPTCHA today? You guessed it; those tricky puzzles are now warm and fuzzy just in time for Valentine’s Day. Today across the U.S., we're sharing CAPTCHAs that spread the message of love.

Screen shot of CAPTCHAs reading Valentine, love, chocolate, and flowers

Some examples of Valentine's Day CAPTCHAs

But wait. These look really easy. Does this mean that those pesky bots are going to crack these easy CAPTCHAs and abuse our favorite websites? Not so fast.

A few months ago, we announced an improved version of reCAPTCHA that uses advanced risk analysis techniques to distinguish humans from machines. This enabled us to relax the text distortions and show our users CAPTCHAs that adapt to their risk profiles. In other words, with a high likelihood, our valid human users would see CAPTCHAs that they would find easy to solve. Abusive traffic, on the other hand, would get CAPTCHAs designed to stop them in their tracks. It is this same technology that enables us to show these Valentine’s Day CAPTCHAs today without reducing their anti-abuse effectiveness.

But that’s not all. Over the last few months, we’ve been working hard to improve the audio CAPTCHA experience. Our adaptive CAPTCHA technology has, in many cases, allowed us to relax audio distortions and serve significantly easier audio CAPTCHAs. We’ve served over 10 million easy audio CAPTCHAs to users worldwide over the last few weeks and have seen great success rates. We hope to continue enhancing our accessibility option in reCAPTCHA in the months to come. Take a listen to this sample of easy audio CAPTCHA:

Your browser does not support this audio

We’re working hard to improve people’s experience with reCAPTCHA without compromising on the spam and abuse protection you’ve come to trust from us. For today, we hope you enjoy our Valentine’s Day gift to you.]]> Posted by Vinay Shet, Product Manager, reCAPTCHA

Notice something different about reCAPTCHA today? You guessed it; those tricky puzzles are now warm and fuzzy just in time for Valentine’s Day. Today across the U.S., we're sharing CAPTCHAs that spread the message of love.

Some examples of Valentine's Day CAPTCHAs

We’re working hard to improve people’s experience with reCAPTCHA without compromising on the spam and abuse protection you’ve come to trust from us. For today, we hope you enjoy our Valentine’s Day gift to you.]]> https://googledata.org/google-online-security/captchas-that-capture-your-heart/feed/ 0 Security Reward Programs Update https://googledata.org/google-online-security/security-reward-programs-update/?utm_source=rss&utm_medium=rss&utm_campaign=security-reward-programs-update https://googledata.org/google-online-security/security-reward-programs-update/#comments Wed, 05 Feb 2014 00:54:00 +0000 https://googledata.org/?guid=88befb5a105f140faf474a5bdd80e37e Posted by Eduardo Vela Nava and Michal Zalewski, Google Security Team

From investing our time in doing security research to paying for security bugs and patches, we've really enjoyed and benefited from our involvement with the security community over the past few years. To underscore our commitment, we want to announce yet another increase in payments since we started our reward programs.

Starting today, we will broaden the scope of our vulnerability reward program to also include all Chrome apps and extensions developed and branded as "by Google." We think developing Chrome extensions securely is relatively easy (given our security guidelines are followed), but given that extensions like Hangouts and GMail are widely used, we want to make sure efforts to keep them secure are rewarded accordingly.

The rewards for each vulnerability will range from the usual $500 up to $10,000 USD and will depend on the permissions and the data each extension handles. If you find a vulnerability in any Google-developed Chrome Extensions, please contact us at goo.gl/vulnz.

In addition, we decided to substantially increase the reward amounts offered by our Patch Reward Program. The program encourages and honors proactive security improvements made to a range of open-source projects that are critical to the health of the Internet in recognition of the painstaking work that's necessary to make a project resilient to attacks.

Our new reward structure is:

$10,000 for complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code.
$5,000 for moderately complex patches that provide convincing security benefits.
Between $500 and $1,337 for submissions that are very simple or that offer only fairly speculative gains.

We look forward to ongoing collaboration with the broader security community, and we'll continue to invest in these programs to help make the Internet a safer place for everyone.]]> https://googledata.org/google-online-security/security-reward-programs-update/feed/ 0 Keeping YouTube Views Authentic https://googledata.org/google-online-security/keeping-youtube-views-authentic/?utm_source=rss&utm_medium=rss&utm_campaign=keeping-youtube-views-authentic https://googledata.org/google-online-security/keeping-youtube-views-authentic/#comments Tue, 04 Feb 2014 18:38:00 +0000 https://googledata.org/?guid=a6205af264f0deeacf21262d412bce14 Posted by Philipp Pfeiffenberger, Software Engineer

YouTube isn’t just a place for videos, it’s a place for meaningful human interaction. Whether it’s views, likes, or comments, these interactions both represent and inform how creators connect with their audience. That’s why we take the accuracy of these interactions very seriously. When some bad actors try to game the system by artificially inflating view counts, they’re not just misleading fans about the popularity of a video, they’re undermining one of YouTube’s most important and unique qualities.

As part of our long-standing effort to keep YouTube authentic and full of meaningful interactions, we’ve begun periodically auditing the views a video has received. While in the past we would scan views for spam immediately after they occurred, starting today we will periodically validate the video’s view count, removing fraudulent views as new evidence comes to light. We don’t expect this approach to affect more than a minuscule fraction of videos on YouTube, but we believe it’s crucial to improving the accuracy of view counts and maintaining the trust of our fans and creators.

As YouTube creators, we ask you to be extra careful when working with third-party marketing firms; unfortunately some of them will sell you fake views. If you need help promoting your video, please review our posts about working with third party view service providers and increasing YouTube views.]]> Posted by Philipp Pfeiffenberger, Software Engineer

YouTube isn’t just a place for videos, it’s a place for meaningful human interaction. Whether it’s views, likes, or comments, these interactions both represent and inform how creators connect with their audience. That’s why we take the accuracy of these interactions very seriously. When some bad actors try to game the system by artificially inflating view counts, they’re not just misleading fans about the popularity of a video, they’re undermining one of YouTube’s most important and unique qualities.

As part of our long-standing effort to keep YouTube authentic and full of meaningful interactions, we’ve begun periodically auditing the views a video has received. While in the past we would scan views for spam immediately after they occurred, starting today we will periodically validate the video’s view count, removing fraudulent views as new evidence comes to light. We don’t expect this approach to affect more than a minuscule fraction of videos on YouTube, but we believe it’s crucial to improving the accuracy of view counts and maintaining the trust of our fans and creators.

As YouTube creators, we ask you to be extra careful when working with third-party marketing firms; unfortunately some of them will sell you fake views. If you need help promoting your video, please review our posts about working with third party view service providers and increasing YouTube views. ]]> https://googledata.org/google-online-security/keeping-youtube-views-authentic/feed/ 0 FFmpeg and a thousand fixes https://googledata.org/google-online-security/ffmpeg-and-a-thousand-fixes/?utm_source=rss&utm_medium=rss&utm_campaign=ffmpeg-and-a-thousand-fixes https://googledata.org/google-online-security/ffmpeg-and-a-thousand-fixes/#comments Fri, 10 Jan 2014 17:06:00 +0000 https://googledata.org/?guid=0d971f2dce3c51b34e4749883df4e36a Posted by Mateusz Jurczyk and Gynvael Coldwind, Information Security Engineers

At Google, security is a top priority - not only for our own products, but across the entire Internet. That’s why members of the Google Security Team and other Googlers frequently perform audits of software and report the resulting findings to the respective vendors or maintainers, as shown in the official “Vulnerabilities - Application Security” list. We also try to employ the extensive computing power of our data centers in order to solve some of the security challenges by performing large-scale automated testing, commonly known as fuzzing.

One internal fuzzing effort we have been running continuously for the past two years is the testing process of FFmpeg, a large cross-platform solution to record, convert and stream audio and video written in C. It is used in multiple applications and software libraries such as Google Chrome, MPlayer, VLC or xine. We started relatively small by making use of trivial mutation algorithms, some 500 cores and input media samples gathered from readily available sources such as the samples.mplayerhq.hu sample base and FFmpeg FATE regression testing suite. Later on, we grew to more complex and effective mutation methods, 2000 cores and an input corpus supported by sample files improving the overall code coverage.

Following more than two years of work, we are happy to announce that the FFmpeg project has incorporated more than a thousand fixes to bugs (including some security issues) that we have discovered in the project so far:

$ git log | grep Jurczyk | grep -c Coldwind
1120

This event clearly marks an important milestone in our ongoing fuzzing effort.

FFmpeg robustness and security has clearly improved over time. When we started the fuzzing process and had initial results, we contacted the project maintainer - Michael Niedermayer - who submitted the first fix on the 24th of January, 2012 (see commit c77be3a35a0160d6af88056b0899f120f2eef38e). Since then, we have carried out several dozen fuzzing iterations (each typically resulting in less crashes than the previous ones) over the last two years, identifying bugs of a number of different classes:

NULL pointer dereferences,
Invalid pointer arithmetic leading to SIGSEGV due to unmapped memory access,
Out-of-bounds reads and writes to stack, heap and static-based arrays,
Invalid free() calls,
Double free() calls over the same pointer,
Division errors,
Assertion failures,
Use of uninitialized memory.

NULL pointer dereferences,
Invalid pointer arithmetic leading to SIGSEGV due to unmapped memory access,
Out-of-bounds reads and writes to stack, heap and static-based arrays,
Invalid free() calls,
Double free() calls over the same pointer,
Division errors,
Assertion failures,
Use of uninitialized memory.

We have simultaneously worked with the developers of Libav, an independent fork of FFmpeg, in order to have both projects represent an equal, high level of robustness and security posture. Today, Libav is at 413 fixes and the library is slowly but surely catching up with FFmpeg.

We are continuously improving our corpus and fuzzing methods and will continue to work with both FFmpeg and Libav to ensure the highest quality of the software as used by millions of users behind multiple media players. Until we can declare both projects "fuzz clean" we recommend that people refrain from using either of the two projects to process untrusted media files. You can also use privilege separation on your PC or production environment when absolutely required.

Of course, we would not be able to do this without the hard work of all the developers involved in the fixing process. If you are interested in the effort, please keep an eye on the master branches for commits marked as "Found by Mateusz "j00ru" Jurczyk and Gynvael Coldwind" and watch out for new stable versions of the software packages.

For more details, see the “FFmpeg and a thousand fixes” posts at the authors’ personal blogs here or here.]]> https://googledata.org/google-online-security/ffmpeg-and-a-thousand-fixes/feed/ 0 Further improving digital certificate security https://googledata.org/google-online-security/further-improving-digital-certificate-security/?utm_source=rss&utm_medium=rss&utm_campaign=further-improving-digital-certificate-security https://googledata.org/google-online-security/further-improving-digital-certificate-security/#comments Sat, 07 Dec 2013 19:43:00 +0000 https://googledata.org/?guid=def770a429c4240a4442fa2add173aa8 Posted by Adam Langley, Security Engineer

Late on December 3rd, we became aware of unauthorized digital certificates for several Google domains. We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to ANSSI, a French certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.

In response, we updated Chrome’s certificate revocation metadata immediately to block that intermediate CA, and then alerted ANSSI and other browser vendors. Our actions addressed the immediate problem for our users.

ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network. This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this.

This incident represents a serious breach and demonstrates why Certificate Transparency, which we developed in 2011 and have been advocating for since, is so critical.

Since our priority is the security and privacy of our users, we are carefully considering what additional actions may be necessary.

[Update December 12: We have decided that the ANSSI certificate authority will be limited to the following top-level domains in a future version of Chrome:
.fr
.gp (Guadeloupe)
.gf (Guyane)
.mq (Martinique)
.re (Réunion)
.yt (Mayotte)
.pm (Saint-Pierre et Miquelon)
.bl (Saint Barthélemy)
.mf (Saint Martin)
.wf (Wallis et Futuna)
.pf (Polynésie française)
.nc (Nouvelle Calédonie)
.tf (Terres australes et antarctiques françaises)]]]> Posted by Adam Langley, Security Engineer

Late on December 3rd, we became aware of unauthorized digital certificates for several Google domains. We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to ANSSI, a French certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.

In response, we updated Chrome’s certificate revocation metadata immediately to block that intermediate CA, and then alerted ANSSI and other browser vendors. Our actions addressed the immediate problem for our users.

ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network. This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this.

This incident represents a serious breach and demonstrates why Certificate Transparency, which we developed in 2011 and have been advocating for since, is so critical.

Since our priority is the security and privacy of our users, we are carefully considering what additional actions may be necessary.

[Update December 12: We have decided that the ANSSI certificate authority will be limited to the following top-level domains in a future version of Chrome:
.fr
.gp (Guadeloupe)
.gf (Guyane)
.mq (Martinique)
.re (Réunion)
.yt (Mayotte)
.pm (Saint-Pierre et Miquelon)
.bl (Saint Barthélemy)
.mf (Saint Martin)
.wf (Wallis et Futuna)
.pf (Polynésie française)
.nc (Nouvelle Calédonie)
.tf (Terres australes et antarctiques françaises)]]]> https://googledata.org/google-online-security/further-improving-digital-certificate-security/feed/ 0 Internet-wide efforts to fight email phishing are working https://googledata.org/google-online-security/internet-wide-efforts-to-fight-email-phishing-are-working/?utm_source=rss&utm_medium=rss&utm_campaign=internet-wide-efforts-to-fight-email-phishing-are-working https://googledata.org/google-online-security/internet-wide-efforts-to-fight-email-phishing-are-working/#comments Fri, 06 Dec 2013 17:00:00 +0000 https://googledata.org/?guid=5e16bd74184f8937e2960ecf0bda6379 Posted by Elie Bursztein, anti-abuse research lead and Vijay Eranti, Gmail anti-abuse technical lead

Since 2004, industry groups and standards bodies have been working on developing and deploying email authentication standards to prevent email impersonation. At its core, email authentication standardizes how an email’s sending and receiving domains can exchange information to authenticate that the email came from the rightful sender.

Now, nearly a decade later, adoption of these standards is widespread across the industry, dramatically reducing spammers’ ability to impersonate domains that users trust, and making email phishing less effective. 91.4% of non-spam emails sent to Gmail users come from authenticated senders, which helps Gmail filter billions of impersonating email messages a year from entering our users’ inboxes.

More specifically, the 91.4% of the authenticated non-spam emails sent to Gmail users come from senders that have adopted one or more of the following email authentication standards: DKIM (DomainKey Identified Email) or SPF (Sender Policy Framework).

Here are some statistics that illustrate the scale of what we’re seeing:

76.9% of the emails we received are signed according to the (DKIM) standard. Over half a million domains (weekly active) have adopted this standard.
89.1% of incoming email we receive comes from SMTP servers that are authenticated using the SPF standard. Over 3.5 million domains (weekly active) have adopted the SPF standard.
74.7% of incoming email we receive is protected by both the DKIM and SPF standards.
Over 80,000 domains have deployed domain-wide policies that allow us to reject hundreds of millions of unauthenticated emails every week via the DMARC standard.

Join the fight against email spam

As more domains implement authentication, phishers are forced to target domains that are not yet protected. If you own a domain that sends email, the most effective action you can take to help us and prevent spammers from impersonating your domain is to set up DKIM, SPF and DMARC. Check our help pages on DKIM, SPF, DMARC to get started.

When using DKIM, please make sure that your public key is at least 1024 bits, so that attackers can’t crack it and impersonate your domain. The use of weak cryptographic keys -- ones that are 512 bits or less -- is one of the major sources of DKIM configuration errors (21%).

If you own domains that are never used to send email, you can still help prevent abuse. All you need to do is create a DMARC policy that describes your domain as a non-sender. Adding a “reject” policy for these domains ensures that no emails impersonating you will ever reach Gmail users’ inboxes.

While the fight against spammers is far from over, it’s nevertheless encouraging to see that community efforts are paying off. Gmail has been an early adopter of these standards and we remain a strong advocate of email authentication. We hope that publishing these results will inspire more domain owners to adopt the standards that protect them from impersonation and help keep email inboxes safe and clean.]]> Posted by Elie Bursztein, anti-abuse research lead and Vijay Eranti, Gmail anti-abuse technical lead

Since 2004, industry groups and standards bodies have been working on developing and deploying email authentication standards to prevent email impersonation. At its core, email authentication standardizes how an email’s sending and receiving domains can exchange information to authenticate that the email came from the rightful sender.

Now, nearly a decade later, adoption of these standards is widespread across the industry, dramatically reducing spammers’ ability to impersonate domains that users trust, and making email phishing less effective. 91.4% of non-spam emails sent to Gmail users come from authenticated senders, which helps Gmail filter billions of impersonating email messages a year from entering our users’ inboxes.

More specifically, the 91.4% of the authenticated non-spam emails sent to Gmail users come from senders that have adopted one or more of the following email authentication standards: DKIM (DomainKey Identified Email) or SPF (Sender Policy Framework).

Here are some statistics that illustrate the scale of what we’re seeing:

76.9% of the emails we received are signed according to the (DKIM) standard. Over half a million domains (weekly active) have adopted this standard.
89.1% of incoming email we receive comes from SMTP servers that are authenticated using the SPF standard. Over 3.5 million domains (weekly active) have adopted the SPF standard.
74.7% of incoming email we receive is protected by both the DKIM and SPF standards.
Over 80,000 domains have deployed domain-wide policies that allow us to reject hundreds of millions of unauthenticated emails every week via the DMARC standard.