This has had an immediate, positive effect on Gmail security. In the 44 days since we introduced it, the amount of inbound mail sent over an encrypted connection increased by 25%. We’re very encouraged by this progress! Given the relative ease of implementing encryption and its significant benefits for users, we expect to see this progress continue.

However, as our recent research with the University of Michigan and University of Illinois shows, misconfigured or malicious parts of the Internet can still tamper with email encryption. To help ensure TLS encryption works as intended, we’ve teamed-up with a variety of industry partners — including Comcast, Microsoft, and Yahoo!— to submit a draft IETF specification for “SMTP Strict Transport Security.” With this new proposed standard, companies can ensure that mail will only be delivered through encrypted channels, and that any encryption failures should be reported for further analysis, helping shine the spotlight on any malfeasance occurring around the Internet.

Safe Browsing makes Gmail more secure

Since 2007, Safe Browsing has protected users across the web by warning them before they visit dangerous sites known for phishing, malware, and Unwanted Software. Over the years, we’ve brought the protections afforded by Safe Browsing to other Google products as well, including: Chrome, Android, Ads, Google Analytics, and more.

Safe Browsing already protects Gmail users by identifying potentially dangerous links in messages. Starting this week, Gmail users will begin to see warnings if they click these links, further extending this protection to different web browsers and email apps. The full-page warning will look like this:

Enhancing state-sponsored attack warnings

Since 2012, we’ve warned Gmail users when we suspect they’ve been targeted by state-sponsored attackers:
These warnings are rare—fewer than 0.1% of users ever receive them—but they are critically important. The users that receive these warnings are often activists, journalists, and policy-makers taking bold stands around the world.

Today, we’re launching a new, full-page warning with instructions about how these users can stay safe. They may see these new warnings instead of, or in addition to, the existing ones.

The security of our users and their data is paramount. We’ll continue to build new protections, and work closely with the broader email ecosystem to support and improve standards such as TLS, that keep users safe.

Including these in trusted logs is problematic for several reasons, including uncertainties around revocation policies and the possibility of cross-signing attacks being attempted by malicious third-parties.


However, visibility of these CAs’ activities is still useful, so we have created a new CT log for these certificates. This log will not be trusted by Chrome, and will provide a public record of certificates that are not accepted by the existing Google-operated logs.


The new log is accessible at ct.googleapis.com/submariner and is listed on our Known Logs page. It has the same API as the existing logs.


Initially, Submariner includes certificates chaining up to the set of root certificates that Symantec recently announced it had discontinued, as well as a collection of additional roots suggested to us that are pending inclusion in Mozilla.


Once Symantec’s affected certificates are no longer trusted by browsers, we will be withdrawing them from the trusted roots accepted by our existing logs (Aviator, Pilot, and Rocketeer).


Third parties are invited to suggest additional roots for potential inclusion in the new log by email to google-ct-logs@googlegroups.com.


Everyone is welcome to make use of the log to submit certificates and query data. We hope it will prove useful and help to improve web security.

Here is a screenshot demonstrating what using BinDiff to display per-function differences looks like:

At Google, the BinDiff core engine powers a large-scale malware processing pipeline helping to protect both internal and external users. BinDiff provides the underlying comparison results needed to cluster the world's malware into related families with billions of comparisons performed so far.


Ever since zynamics joined Google in 2011, we have been committed to keeping our most valuable tools available to the security research community. We first lowered the price, and today we are taking the next logical step by making it available free of charge.


You can download BinDiff from the zynamics web site. It’s the current version, BinDiff 4.2 for both Linux and Windows. To use it, you also need the commercial Hex-Rays IDA Pro disassembler, 6.8 or later.


Happy BinDiff-ing!


We plan on adding additional Google products over time to increase the scope of this report.


Popular third-party sites

Our report also includes data about the HTTPS connections on many popular sites across the web, beyond Google. We've chosen these sites based on a combination of publicly-available Alexa data and our own Google internal data; we estimate they account for approximately 25% of all web traffic on the Internet.


Certificate Transparency

Websites use certificates to assert to users that they are legitimate, so browsers need to be able to check whether the certificate that you’re being presented is valid and appropriately issued. That is why this report also offers a Certificate Transparency log viewer, providing a web interface for users and site administrators to easily check and see who has issued a certificate for a website. For example, if you use this log viewer and search for google.com with ‘include expired' checked, you'll see the mis-issued google.com certificate from September 2015.


Encryption for everyone

Implementing HTTPS can be difficult—we know from experience! Some common obstacles include: 
  • Older hardware and/or software that doesn’t support modern encryption technologies.
  • Governments and organizations that may block or otherwise degrade HTTPS traffic.
  • Organizations that may not have the desire or technical resources to implement HTTPS.
While there’s no one-size-fits-all solution to these challenges, we’ve put together a resource for webmasters to use as they work through this process. We also support industry-wide efforts, like EFF's ‘Encrypt the Web’ report, that aim to bring more of the web to HTTPS.

Implementing encryption is not easy work. But, as more people spend more of their time on the web, it’s an increasingly essential element of online security. We hope this report will provide a snapshot of our own encryption efforts and will encourage everyone to make HTTPS the default on the web, even faster.

We look forward to seeing some amazing bugs and continuing to work with the security research community.

Happy hacking!

All four base questionnaire templates can be readily extended with company-specific questions. Using the same questionnaire templates across companies may help to scale assessment efforts. Common templates can also minimize the burden on vendor companies, by facilitating the reuse of responses.

The VSAQ Framework comes with a simple client-side-only reference implementation that's suitable for self-assessments, for vendor security programs with a moderate throughput, and for just trying out the framework. For a high-throughput vendor security program, we recommend using the VSAQ Framework with a custom server-side component that fits your needs (the interface is quite simple).

Give VSAQ a try! A demo version of the VSAQ Framework is available here: https://vsaq-demo.withgoogle.com

Excerpt from Security and Privacy Programs Questionnaire

Let us know how VSAQ works for you: contact us. We look forward to getting your feedback and continuing to make vendor reviews scalable — and maybe even fun!
Share on Twitter Share on Facebook