Google Online Security Blog

Security Reward Programs Update

February 4, 2014

Posted by Eduardo Vela Nava and Michal Zalewski, Google Security Teamsecurity researchsecurity bugspatchesvulnerability reward programby Googlesecurity guidelinesHangoutsGMail$500$10,000goo.gl/vulnzPatch Reward Program

$10,000 for complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code.

$5,000 for moderately complex patches that provide convincing security benefits.

Between $500 and $1,337 for submissions that are very simple or that offer only fairly speculative gains.

Keeping YouTube Views Authentic

February 4, 2014

Posted by Philipp Pfeiffenberger, Software Engineerworking with third party view service providersincreasing YouTube views

FFmpeg and a thousand fixes

January 10, 2014

Posted by Mateusz Jurczyk and Gynvael Coldwind, Information Security EngineersVulnerabilities - Application SecurityFFmpegsamples.mplayerhq.hu$ git log | grep Jurczyk | grep -c Coldwind1120c77be3a35a0160d6af88056b0899f120f2eef38e

NULL pointer dereferences,

Invalid pointer arithmetic leading to SIGSEGV due to unmapped memory access,

Out-of-bounds reads and writes to stack, heap and static-based arrays,

Invalid free() calls,

Double free() calls over the same pointer,

Division errors,

Assertion failures,

Use of uninitialized memory.

"Found by Mateusz "j00ru" Jurczyk and Gynvael Coldwind"herehere

Further improving digital certificate security

December 7, 2013

Posted by Adam Langley, Security Engineerintermediate certificate authorityCertificate Transparency[Update December 12: We have decided that the ANSSI certificate authority will be limited to the following top-level domains in a future version of Chrome: .fr .gp (Guadeloupe) .gf (Guyane) .mq (Martinique) .re (Réunion) .yt (Mayotte) .pm (Saint-Pierre et Miquelon) .bl (Saint Barthélemy) .mf (Saint Martin) .wf (Wallis et Futuna) .pf (Polynésie française) .nc (Nouvelle Calédonie) .tf (Terres australes et antarctiques françaises)]

Internet-wide efforts to fight email phishing are working

December 6, 2013

Here are some statistics that illustrate the scale of what we’re seeing:

86.8% of the emails we received are signed according to the (DKIM) standard (up from 76.9% in 2013). Over two million domains (weekly active) have adopted this standard (up from 0.5 millions 2013).
95.3% of incoming emails we receive come from SMTP servers that are authenticated using the SPF standard (up from 89.1% in 2013). Over 7.8 million domains (weekly active) have adopted the SPF standard (up from 3.5 million domains in 2013).
85% of incoming emails we receive are protected by both the DKIM and SPF standards (up from 74.7% in 2013).
Over 162,000 domains have deployed domain-wide policies that allow us to reject hundreds of millions of unauthenticated emails every week via the DMARC standard (up from 80,000 in 2013).

Join the fight against email spam

As more domains implement authentication, phishers are forced to target domains that are not yet protected. If you own a domain that sends email, the most effective action you can take to help us and prevent spammers from impersonating your domain is to set up DKIM, SPF and DMARC. Check our help pages on DKIM, SPF, DMARC to get started.

When using DKIM, please make sure that your public key is at least 1024 bits, so that attackers can’t crack it and impersonate your domain. The use of weak cryptographic keys -- ones that are 512 bits or less -- is one of the major sources of DKIM configuration errors (21%).

If you own domains that are never used to send email, you can still help prevent abuse. All you need to do is create a DMARC policy that describes your domain as a non-sender. Adding a “reject” policy for these domains ensures that no emails impersonating you will ever reach Gmail users’ inboxes.

While the fight against spammers is far from over, it’s nevertheless encouraging to see that community efforts are paying off. Gmail has been an early adopter of these standards and we remain a strong advocate of email authentication. We hope that publishing these results will inspire more domain owners to adopt the standards that protect them from impersonation and help keep email inboxes safe and clean.

Posted by Elie Bursztein, anti-abuse research lead and Vijay Eranti, Gmail anti-abuse technical lead
Editor's Note: This post was updated on February 9th, 2016. Adoption numbers reflect state of authentication as of this date.

86.8% of the emails we received are signed according to the (DKIM) standard (up from 76.9% in 2013). Over two million domains (weekly active) have adopted this standard (up from 0.5 millions 2013).

95.3% of incoming emails we receive come from SMTP servers that are authenticated using the SPF standard (up from 89.1% in 2013). Over 7.8 million domains (weekly active) have adopted the SPF standard (up from 3.5 million domains in 2013).

85% of incoming emails we receive are protected by both the DKIM and SPF standards (up from 74.7% in 2013).

Over 162,000 domains have deployed domain-wide policies that allow us to reject hundreds of millions of unauthenticated emails every week via the DMARC standard (up from 80,000 in 2013).

Join the fight against email spam DKIMSPFDMARC

Even more patch rewards!

November 18, 2013

Posted by Michal Zalewski, Google Security TeamAbout a month ago, we kicked off our Patch Reward Program. The goal is very simple: to recognize and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire Internet.We started with a fairly conservative scope, but said we would expand the program soon. Today, we are adding the following to the list of projects that are eligible for rewards:

All the open-source components of Android: Android Open Source Project

Widely used web servers: Apache httpd, lighttpd, nginx

Popular mail delivery services: Sendmail, Postfix, Exim, Dovecot

Virtual private networking: OpenVPN

Network time: University of Delaware NTPD

Additional core libraries: Mozilla NSS, libxml2

Toolchain security improvements for GCC, binutils, and llvm

For more information about eligibility, reward amounts, and the submission process, please visit this page. Happy patching!

Out with the old: Stronger certificates with Google Internet Authority G2

November 18, 2013

Posted by Dan Dulay, Security Engineernotedforward secrecyGoogle Internet Authority G2

A roster of TLS cipher suites weaknesses

November 14, 2013

Posted by Adam Langley, Software Engineerlist of cipher suitesECDHE: the key agreement mechanism. RSA: the authentication mechanism. AES_128_CBC: the cipher. SHA: the message authentication primitive. RC412345AES-CBC BEASTdescribedLucky13AES-GCM ChaCha20-Poly1305 Summary

Don’t mess with my browser!

October 31, 2013

In the current Canary build of Chrome, we’ll automatically block downloads of malware that we detect. If you see this message in the download tray at the bottom of your screen, you can click “Dismiss” knowing Chrome is working to keep you safe.

This is in addition to the 10,000 new websites we flag per day with Safe Browsing, which also detects and blocks malicious downloads, to keep more than 1 billion web users safe across multiple browsers that use this technology. Keeping you secure is a top priority, which is why we’re working on additional means to stop malicious software installs as well.

Update: 11/1/13: Updated to mention that Safe Browsing already detects and blocks malware.

Linus Upson, Vice President

In some ways, it's safer than ever to be online — especially if you use Chrome. With continued security research and seamless automatic updates, your browsing experience is always getting better and more secure. But recently you may have noticed something seems amiss. Online criminals have been increasing their use of malicious software that can silently hijack your browser settings. This has become a top issue in the Chrome help forums; we're listening and are here to help.
Bad guys trick you into installing and running this kind of software by bundling it with something you might want, like a free screensaver, a video plugin or—ironically—a supposed security update. These malicious programs disguise themselves so you won’t know they’re there and they may change your homepage or inject ads into the sites you browse. Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state.

We're taking steps to help, including adding a "reset browser settings" button in the last Chrome update, which lets you easily return your Chrome to a factory-fresh state. You can find this in the “Advanced Settings” section of Chrome settings.

In the current Canary build of Chrome, we’ll automatically block downloads of malware that we detect. If you see this message in the download tray at the bottom of your screen, you can click “Dismiss” knowing Chrome is working to keep you safe.

reCAPTCHA just got easier (but only if you’re human)

October 25, 2013

A new and easier numeric CAPTCHA

Humans find numeric CAPTCHAs significantly easier to solve than those containing arbitrary text and achieve nearly perfect pass rates on them. So with our new system, you’ll encounter CAPTCHAs that are a breeze to solve. Bots, however, won’t even see them. While we’ve already made significant advancements to reCAPTCHA technology, we’ll have even more to report on in the next few months, so stay tuned.

Posted by Vinay Shet, Product Manager, reCAPTCHACAPTCHA