
Google Online Security Blog: 2011

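<!DOCTYPE html>
<!-- Blogger v2 "list-page" template: the 2011 yearly archive of the Google Online Security Blog.
     NOTE(review): the charset declaration (the Content-Type meta) is emitted further down in head,
     after the inline stylesheets; browsers expect it within the first 1024 bytes, ideally as the
     first child of head. -->
<html class='v2 list-page' dir='ltr' itemscope='' itemtype='http://schema.org/Blog' lang='en' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'>
<head>
<link href='https://www.blogger.com/static/v1/widgets/3566091532-css_bundle_v2.css' rel='stylesheet'/>
<title> Google Online Security Blog: 2011 </title>
<meta content='JPvErrROkJmNEh4Lr_QT6CD77GdfQr6cLFw6gIXg6kc' name='google-site-verification'/>
<!-- Fix: removed user-scalable=0, which disabled pinch-zoom for every reader (WCAG 1.4.4, Resize Text).
     minimum-scale=1.0 and initial-scale=1.0 are kept; neither prevents zooming in. -->
<meta content='width=device-width, height=device-height, minimum-scale=1.0, initial-scale=1.0' name='viewport'/>
<meta content='IE=Edge' http-equiv='X-UA-Compatible'/>
<meta content='Google Online Security Blog' property='og:title'/>
<meta content='en_US' property='og:locale'/>
<meta content='https://security.googleblog.com/2011/' property='og:url'/>
<meta content='Google Online Security Blog' property='og:site_name'/>
<!-- Twitter Card properties -->
<!-- og:title is repeated here, presumably so card parsers pick it up alongside the twitter:* tags;
     redundant with the tag above but harmless. -->
<meta content='Google Online Security Blog' property='og:title'/>
<meta content='summary' name='twitter:card'/>
<meta content='@google' name='twitter:creator'/>
<link href='https://fonts.googleapis.com/css?family=Roboto:400italic,400,500,500italic,700,700italic' rel='stylesheet'/>
<link href='https://fonts.googleapis.com/icon?family=Material+Icons' rel='stylesheet'/>
<!-- NOTE(review): jQuery 1.11.3 is an end-of-life 1.x release, fetched from a shared CDN origin with
     no Subresource Integrity. If it is still needed, pin it with integrity='sha384-<digest of the
     exact served file>' crossorigin='anonymous' (digest deliberately not filled in here); if nothing
     on the page uses $, drop the script instead. -->
<script src='https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js'></script>
<!-- End -->
<!-- Blogger "skin" stylesheet. The Group/Variable block inside the CSS comment is template-designer
     metadata, not CSS, and is ignored by the browser. -->
<style id='page-skin-1' type='text/css'><!--
/*
<Group description="Header Color" selector="header">
  <Variable name="header.background.color" description="Header Background" type="color" default="#ffffff"/>
</Group>
*/
.header-outer { border-bottom: 1px solid #e0e0e0; background: #ffffff; }
html, .Label h2, #sidebar .rss a, .BlogArchive h2, .FollowByEmail h2.title, .widget .post h2 { font-family: Roboto, sans-serif; }
.plusfollowers h2.title, .post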
h2.title, .widget h2.title { font-family: Roboto, sans-serif; }
.widget-item-control { height: 100%; }
.widget.Header, #header { position: relative; height: 100%; width: 100%; } }
/* NOTE(review): the stray "}" just above has no matching "{". Under CSS error recovery it is
   swallowed into the prelude of the following rule, so the .header-logo1 rule below is most likely
   discarded by browsers. Deleting the brace would make that rule start applying (float, border);
   check the rendered header before doing so. */
.widget.Header .header-logo1 { float: left; margin-right: 15px; padding-right: 15px; border-right: 1px solid #ddd; }
.header-title h2 { color: rgba(0,0,0,.54); display: inline-block; font-size: 40px; font-family: Roboto, sans-serif; font-weight: normal; line-height: 52px; vertical-align: top; }
.header-inner { background-repeat: no-repeat; background-position: right 0px; }
/* Two color declarations: the hex value is presumably a fallback for engines without rgba(); the
   second one wins where rgba() is supported. */
.post-author, .byline-author { font-size: 14px; font-weight: normal; color: #757575; color: rgba(0,0,0,.54); }
.post-content .img-border { border: 1px solid rgb(235, 235, 235); padding: 4px; }
.header-title a { text-decoration: none !important; }
/* NOTE(review): "margin-top: 1em 0 0 0" is invalid (margin-top takes a single value), so the
   declaration is dropped and <pre> keeps its user-agent default margin. Probably meant
   "margin: 1em 0 0 0" or "margin-top: 1em"; either change alters layout, so verify first. */
pre { border: 1px solid #bbbbbb; margin-top: 1em 0 0 0; padding: 0.99em; overflow-x: auto; overflow-y: auto; }
/* The font shorthand in the next pre, code rule resets font-size, line-height and font-family,
   so of this first rule only background-color survives. */
pre, code { font-size: 9pt; background-color: #fafafa; line-height: 125%; font-family: monospace; }
pre, code { color: #060; font: 13px/1.54 "courier new",courier,monospace; }
.header-left .header-logo1 { width: 128px !important; }
.header-desc { line-height: 20px; margin-top: 8px; }
/* Share icons: dimmed at rest, near-opaque on hover. */
.fb-custom img, .twitter-custom img, .gplus-share img { cursor: pointer; opacity: 0.54; }
.fb-custom img:hover, .twitter-custom img:hover, .gplus-share img:hover { opacity: 0.87; }
.fb-like { width: 80px; }
.post .share { float: right; }
#twitter-share{ border: #CCC solid 1px; border-radius: 3px; background-image: -webkit-linear-gradient(top,#ffffff,#dedede); }
/* Twitter follow button: bird icon as a left-aligned background; the rule continues past this line. */
.twitter-follow { background: url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzwq6wJ3u5K0MMYeWnx0AU03sYtGpFjNwKFUaQZBmEMv30yakbc2IPrWwifAH24rgztnZb9PxMbEOtABaf_viqKnZ_xTZxJCPc1W2GQGIkl4riZZg10bCTUMyHjOQz4_0Lg4l11kmyRa1I/s1600/twitter-bird.png) no-repeat left center; padding-left: 18px; font: normal normal normal 11px/18px 'Helvetica Neue',Arial,sans-serif; font-weight: bold; text-shadow: 0 1px 0 rgba(255,255,255,.5);
cursor: pointer; margin-bottom: 10px; } .twitter-fb { padding-top: 2px; } .fb-follow-button { background: -webkit-linear-gradient(#4c69ba, #3b55a0); background: -moz-linear-gradient(#4c69ba, #3b55a0); background: linear-gradient(#4c69ba, #3b55a0); border-radius: 2px; height: 18px; padding: 4px 0 0 3px; width: 57px; border: #4c69ba solid 1px; } .fb-follow-button a { text-decoration: none !important; text-shadow: 0 -1px 0 #354c8c; text-align: center; white-space: nowrap; font-size: 11px; color: white; vertical-align: top; } .fb-follow-button a:visited { color: white; } .fb-follow { padding: 0px 5px 3px 0px; width: 14px; vertical-align: bottom; } .gplus-wrapper { margin-top: 3px; display: inline-block; vertical-align: top; } .twitter-custom, .gplus-share { margin-right: 12px; } .fb-follow-button{ margin: 10px auto; } /** CUSTOM CODE **/ --></style> <style id='template-skin-1' type='text/css'><!-- .header-outer { clear: both; } .header-inner { margin: auto; padding: 0px; } .footer-outer { background: #f5f5f5; clear: both; margin: 0; } .footer-inner { margin: auto; padding: 0px; } .footer-inner-2 { /* Account for right hand column elasticity. */ max-width: calc(100% - 248px); } .google-footer-outer { clear: both; } .cols-wrapper, .google-footer-outer, .footer-inner, .header-inner { max-width: 978px; margin-left: auto; margin-right: auto; } .cols-wrapper { margin: auto; clear: both; margin-top: 60px; margin-bottom: 60px; overflow: hidden; } .col-main-wrapper { float: left; width: 100%; } .col-main { margin-right: 278px; max-width: 660px; } .col-right { float: right; width: 248px; margin-left: -278px; } /* Tweaks for layout mode. 
*/ body#layout .google-footer-outer { display: none; } body#layout .header-outer, body#layout .footer-outer { background: none; } body#layout .header-inner { height: initial; } body#layout .cols-wrapper { margin-top: initial; margin-bottom: initial; } --></style> <!-- start all head --> <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/> <meta content='blogger' name='generator'/> <link href='https://security.googleblog.com/favicon.ico' rel='icon' type='image/x-icon'/> <link href='https://security.googleblog.com/2011/' rel='canonical'/> <link rel="alternate" type="application/atom+xml" title="Google Online Security Blog - Atom" href="https://security.googleblog.com/feeds/posts/default" /> <link rel="alternate" type="application/rss+xml" title="Google Online Security Blog - RSS" href="https://security.googleblog.com/feeds/posts/default?alt=rss" /> <link rel="service.post" type="application/atom+xml" title="Google Online Security Blog - Atom" href="https://www.blogger.com/feeds/1176949257541686127/posts/default" /> <!--Can't find substitution for tag [blog.ieCssRetrofitLinks]--> <meta content='https://security.googleblog.com/2011/' property='og:url'/> <meta content='Google Online Security Blog' property='og:title'/> <meta content='The latest news and insights from Google on security and safety on the Internet' property='og:description'/> <!-- end all head --> <base target='_self'/> <style> html { font-family: Roboto, sans-serif; -moz-osx-font-smoothing: grayscale; -webkit-font-smoothing: antialiased; } body { padding: 0; /* This ensures that the scroll bar is always present, which is needed */ /* because content render happens after page load; otherwise the header */ /* would "bounce" in-between states. 
*/ min-height: 150%; } h2 { font-size: 16px; } h1, h2, h3, h4, h5 { line-height: 2em; } html, h4, h5, h6 { font-size: 14px; } a, a:visited { color: #4184F3; text-decoration: none; } a:focus, a:hover, a:active { text-decoration: none; } .Header { margin-top: 15px; } .Header h1 { font-size: 32px; font-weight: 300; line-height: 32px; height: 42px; } .header-inner .Header .titlewrapper { padding: 0; margin-top: 30px; } .header-inner .Header .descriptionwrapper { padding: 0; margin: 0; } .cols-wrapper { margin-top: 56px; } .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 60px; } .header-inner { height: 256px; position: relative; } html, .header-inner a { color: #212121; color: rgba(0,0,0,.87); } .header-inner .google-logo { display: inline-block; background-size: contain; z-index: 1; height: 46px; overflow: hidden; margin-top: 4px; margin-right: 8px; } .header-left { position: absolute; top: 50%; -webkit-transform: translateY(-50%); transform: translateY(-50%); margin-top: 12px; width: 100%; } .google-logo { margin-left: -4px; } #google-footer { position: relative; font-size: 13px; list-style: none; text-align: right; } #google-footer a { color: #444; } #google-footer ul { margin: 0; padding: 0; height: 144px; line-height: 144px; } #google-footer ul li { display: inline; } #google-footer ul li:before { color: #999; content: "\00b7"; font-weight: bold; margin: 5px; } #google-footer ul li:first-child:before { content: ''; } #google-footer .google-logo-dark { left: 0; margin-top: -16px; position: absolute; top: 50%; } /** Sitemap links. 
**/ .footer-inner-2 { font-size: 14px; padding-top: 42px; padding-bottom: 74px; } .footer-inner-2 .HTML h2 { color: #212121; color: rgba(0,0,0,.87); font-size: 14px; font-weight: 500; padding-left: 0; margin: 10px 0; } .footer-inner-2 .HTML ul { font-weight: normal; list-style: none; padding-left: 0; } .footer-inner-2 .HTML li { line-height: 24px; padding: 0; } .footer-inner-2 li a { color: rgba(65,132,243,.87); } /** Archive widget. **/ .BlogArchive { font-size: 13px; font-weight: normal; } .BlogArchive .widget-content { display: none; } .BlogArchive h2, .Label h2 { color: #4184F3; text-decoration: none; } .BlogArchive .hierarchy li { display: inline-block; } /* Specificity needed here to override widget CSS defaults. */ .BlogArchive #ArchiveList ul li, .BlogArchive #ArchiveList ul ul li { margin: 0; padding-left: 0; text-indent: 0; } .BlogArchive .intervalToggle { cursor: pointer; } .BlogArchive .expanded .intervalToggle .new-toggle { -ms-transform: rotate(180deg); transform: rotate(180deg); } .BlogArchive .new-toggle { float: right; padding-top: 3px; opacity: 0.87; } #ArchiveList { text-transform: uppercase; } #ArchiveList .expanded > ul:last-child { margin-bottom: 16px; } #ArchiveList .archivedate { width: 100%; } /* Months */ .BlogArchive .items { max-width: 150px; margin-left: -4px; } .BlogArchive .expanded .items { margin-bottom: 10px; overflow: hidden; } .BlogArchive .items > ul { float: left; height: 32px; } .BlogArchive .items a { padding: 0 4px; } .Label { font-size: 13px; font-weight: normal; } .sidebar-icon { display: inline-block; width: 24px; height: 24px; vertical-align: middle; margin-right: 12px; margin-top: -1px } .Label a { margin-right: 4px; } .Label .widget-content { display: none; } .FollowByEmail { font-size: 13px; font-weight: normal; } .FollowByEmail h2 { background: url(""); background-repeat: no-repeat; background-position: 0 50%; text-indent: 30px; } .FollowByEmail .widget-content { display: none; } .searchBox input { border: 1px solid 
#eee; color: #212121; color: rgba(0,0,0,.87); font-size: 14px; padding: 8px 8px 8px 40px; width: 164px; font-family: Roboto, sans-serif; background: url("https://www.gstatic.com/images/icons/material/system/1x/search_grey600_24dp.png") 8px center no-repeat; } .searchBox ::-webkit-input-placeholder { /* WebKit, Blink, Edge */ color: rgba(0,0,0,.54); } .searchBox :-moz-placeholder { /* Mozilla Firefox 4 to 18 */ color: #000; opacity: 0.54; } .searchBox ::-moz-placeholder { /* Mozilla Firefox 19+ */ color: #000; opacity: 0.54; } .searchBox :-ms-input-placeholder { /* Internet Explorer 10-11 */ color: #757575; } .widget-item-control { margin-top: 0px; } .section { margin: 0; padding: 0; } #sidebar-top { border: 1px solid #eee; } #sidebar-top > div { margin: 16px 0; } .widget ul { line-height: 1.6; } /*main post*/ .post { margin-bottom:30px; } #main .post .title { margin: 0; } #main .post .title a { color: #212121; color: rgba(0,0,0,.87); font-weight: normal; font-size: 24px; } #main .post .title a:hover { text-decoration:none; color:#4184F3; } .message, #main .post .post-header { margin: 0; padding: 0; } #main .post .post-header .caption, #main .post .post-header .labels-caption, #main .post .post-footer .caption, #main .post .post-footer .labels-caption { color: #444; font-weight: 500; } #main .tr-caption-container td { text-align: left; } #main .post .tr-caption { color: #757575; color: rgba(0,0,0,.54); display: block; max-width: 560px; padding-bottom: 20px; } #main .post .tr-caption-container { line-height: 24px; margin: -1px 0 0 0 !important; padding: 4px 0; text-align: left; } #main .post .post-header .published{ font-size:11px; font-weight:bold; } .post-header .publishdate { font-size: 17px; font-weight:normal; color: #757575; color: rgba(0,0,0,.54); } #main .post .post-footer{ font-size:12px; padding-bottom: 21px; } .label-footer { margin-bottom: 12px; margin-top: 12px; } .comment-img { margin-right: 16px; opacity: 0.54; vertical-align: middle; } #main .post 
.post-header .published { margin-bottom: 40px; margin-top: -2px; } .post .post-content { color: #212121; color: rgba(0,0,0,.87); font-size: 17px; margin: 25px 0 36px 0; line-height: 32px; } .post-body .post-content ul, .post-body .post-content ol { margin: 16px 0; padding: 0 48px; } .post-summary { display: none; } /* Another old-style caption. */ .post-content div i, .post-content div + i { font-size: 14px; font-style: normal; color: #757575; color: rgba(0,0,0,.54); display: block; line-height: 24px; margin-bottom: 16px; text-align: left; } /* Another old-style caption (with link) */ .post-content a > i { color: #4184F3 !important; } /* Old-style captions for images. */ .post-content .separator + div:not(.separator) { margin-top: -16px; } /* Capture section headers. */ .post-content br + br + b, .post-content .space + .space + b, .post-content .separator + b { display: inline-block; margin-bottom: 8px; margin-top: 24px; } .post-content li { line-height: 32px; } /* Override all post images/videos to left align. */ .post-content .separator > a, .post-content .separator > span { margin-left: 0 !important; } .post-content img { max-width: 100%; height: auto; width: auto; } .post-content .tr-caption-container img { margin-bottom: 12px; } .post-content iframe, .post-content embed { max-width: 100%; } .post-content .carousel-container { margin-bottom: 48px; } #main .post-content b { font-weight: 500; } /* These are the main paragraph spacing tweaks. 
*/ #main .post-content br { content: ' '; display: block; padding: 4px; } .post-content .space { display: block; height: 8px; } .post-content iframe + .space, .post-content iframe + br { padding: 0 !important; } #main .post .jump-link { margin-bottom:10px; } .post-content img, .post-content iframe { margin: 30px 0 20px 0; } .post-content > img:first-child, .post-content > iframe:first-child { margin-top: 0; } .col-right .section { padding: 0 16px; } #aside { background:#fff; border:1px solid #eee; border-top: 0; } #aside .widget { margin:0; } #aside .widget h2, #ArchiveList .toggle + a.post-count-link { color: #212121; color: rgba(0,0,0,.87); font-weight: 400 !important; margin: 0; } #ArchiveList .toggle { float: right; } #ArchiveList .toggle .material-icons { padding-top: 4px; } #sidebar .tab { cursor: pointer; } #sidebar .tab .arrow { display: inline-block; float: right; } #sidebar .tab .icon { display: inline-block; vertical-align: top; height: 24px; width: 24px; margin-right: 13px; margin-left: -1px; margin-top: 1px; color: #757575; color: rgba(0,0,0,.54); } #sidebar .widget-content > :first-child { padding-top: 8px; } #sidebar .active .tab .arrow { -ms-transform: rotate(180deg); transform: rotate(180deg); } #sidebar .arrow { color: #757575; color: rgba(0,0,0,.54); } #sidebar .widget h2 { font-size: 14px; line-height: 24px; display: inline-block; } #sidebar .widget .BlogArchive { padding-bottom: 8px; } #sidebar .widget { border-bottom: 1px solid #eee; box-shadow: 0px 1px 0 white; margin-bottom: 0; padding: 14px 0; min-height: 20px; } #sidebar .widget:last-child { border-bottom: none; box-shadow: none; margin-bottom: 0; } #sidebar ul { margin: 0; padding: 0; } #sidebar ul li { list-style:none; padding:0; } #sidebar ul li a { line-height: 32px; } #sidebar .archive { background-image: url(""); height: 24px; line-height: 24px; padding-left: 30px; } #sidebar .labels { background-image: url(""); height: 20px; line-height: 20px; padding-left: 30px; } #sidebar .rss a { 
background-image: url(""); }
#sidebar .subscription a { background-image: url(""); }
/* NOTE(review): the sidebar icon rules above and here use an empty url(""). Current browsers treat
   that as "no image"; some older engines issued a request for the document URL itself. The real
   icons are presumably supplied elsewhere; confirm before cleaning these up. */
#sidebar-bottom { background: #f5f5f5; border-top:1px solid #eee; }
#sidebar-bottom .widget { border-bottom: 1px solid #e0e0e0; padding: 15px 0; text-align: center; }
#sidebar-bottom > div:last-child { border-bottom: 0; }
#sidebar-bottom .text { line-height: 20px; }
/* Home, forward, and backward pagination. */
.blog-pager { border-top : 1px #e0e0e0 solid; padding-top: 10px; margin-top: 15px; text-align: right !important; }
/* NOTE(review): "margin-botom" is a typo for margin-bottom; the declaration is ignored, so this
   rule sets no bottom margin. Correcting the spelling changes spacing; verify visually. */
#blog-pager { margin-botom: 0; margin-top: -14px; padding: 16px 0 0 0; }
#blog-pager a { display: inline-block; }
.blog-pager i.disabled { opacity: 0.2 !important; }
.blog-pager i { color: black; margin-left: 16px; opacity: 0.54; }
.blog-pager i:hover, .blog-pager i:active { opacity: 0.87; }
#blog-pager-older-link, #blog-pager-newer-link { float: none; }
.gplus-profile { background-color: #fafafa; border: 1px solid #eee; overflow: hidden; width: 212px; }
.gplus-profile-inner { margin-left: -1px; margin-top: -1px; }
/* Sidebar follow buttons. */
.followgooglewrapper { padding: 12px 0 0 0; }
/* Content wrapper stays hidden until the page's rendering step completes; a <noscript> rule later
   in head makes it visible again for readers without JS. */
.loading { visibility: hidden; }
.detail-page .post-footer .cmt_iframe_holder { padding-top: 40px !important; }
/** Desktop **/
@media (max-width: 900px) { .col-right { display: none; } .col-main { margin-right: 0; min-width: initial; } .footer-outer { display: none; } .cols-wrapper { min-width: initial; } .google-footer-outer { background-color: #f5f5f5; } }
/** Tablet **/
@media (max-width: 712px) { .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 40px; } }
/* An extra breakpoint accommodating for long blog titles.
*/ @media (max-width: 600px) { .header-left { height: 100%; top: inherit; margin-top: 0; -webkit-transform: initial; transform: initial; } .header-title { margin-top: 18px; } .header-inner .google-logo { height: 40px; margin-top: 3px; } .header-inner .google-logo img { height: 42px; } .header-title h2 { font-size: 32px; line-height: 40px; } .header-desc { bottom: 24px; position: absolute; } } /** Mobile/small desktop window; also landscape. **/ @media (max-width: 480px), (max-height: 480px) { .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 16px; } .cols-wrapper { margin-top: 0; } .post-header .publishdate, .post .post-content { font-size: 16px; } .post .post-content { line-height: 28px; margin-bottom: 30px; } .post { margin-top: 30px; } .byline-author { display: block; font-size: 12px; line-height: 24px; margin-top: 6px; } #main .post .title a { font-weight: 500; color: #4c4c4c; color: rgba(0,0,0,.70); } #main .post .post-header { padding-bottom: 12px; } #main .post .post-header .published { margin-bottom: -8px; margin-top: 3px; } .post .read-more { display: block; margin-top: 14px; } .post .tr-caption { font-size: 12px; } #main .post .title a { font-size: 20px; line-height: 30px; } .post-content iframe { /* iframe won't keep aspect ratio when scaled down. */ max-height: 240px; } .post-content .separator img, .post-content .tr-caption-container img, .post-content iframe { margin-left: -16px; max-width: inherit; width: calc(100% + 32px); } .post-content table, .post-content td { width: 100%; } #blog-pager { margin: 0; padding: 16px 0; } /** List page tweaks. 
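**/
.list-page .post-original { display: none; }
.list-page .post-summary { display: block; }
.list-page .comment-container { display: none; }
.list-page #blog-pager { padding-top: 0; border: 0; margin-top: -8px; }
.list-page .label-footer { display: none; }
.list-page #main .post .post-footer { border-bottom: 1px solid #eee; margin: -16px 0 0 0; padding: 0 0 20px 0; }
.list-page .post .share { display: none; }
/** Detail page tweaks. **/
.detail-page .post-footer .cmt_iframe_holder { padding-top: 32px !important; }
.detail-page .label-footer { margin-bottom: 0; }
.detail-page #main .post .post-footer { padding-bottom: 0; }
.detail-page #comments { display: none; }
} /* closes the (max-width: 480px), (max-height: 480px) media block opened earlier in this stylesheet */
/* Blogger preview/syndication markers are never shown to readers. */
[data-about-pullquote], [data-is-preview], [data-about-syndication] { display: none; }
</style>
<!-- Without JS the content wrapper would otherwise stay hidden (.loading is visibility:hidden above). -->
<noscript> <style> .loading { visibility: visible }</style> </noscript>
<!-- Google tag (gtag.js) -->
<!-- async is a boolean attribute: bare async replaces async='true' (same behaviour).
     NOTE(review): this loader plus the inline bootstrap below cannot run under a strict
     Content-Security-Policy unless the inline block gets a nonce/hash or moves to a file. -->
<script async src='https://www.googletagmanager.com/gtag/js?id=G-K46T604G22'></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-K46T604G22');
</script>
<!-- Deferred stylesheet: requested with media='none' and switched to 'all' once loaded. The inline
     onload handler is a further CSP blocker; the noscript fallback loads the same sheet directly. -->
<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1176949257541686127&amp;zx=7d0e13b7-a5ae-43d5-accb-df9b7d8640ba' media='none' onload='if(media!=&#39;all&#39;)media=&#39;all&#39;' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1176949257541686127&amp;zx=7d0e13b7-a5ae-43d5-accb-df9b7d8640ba' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>
</head>
<body>
<!-- Floodlight (DoubleClick) activity pixel, injected with document.write(). Inline script, so it
     is another block a strict CSP would have to allow-list. -->
<script type='text/javascript'>
//<![CDATA[
// Random "ord" value so the activity request is never answered from cache.
var axel = Math.random() + "";
var a = axel * 10000000000000;
// NOTE(review): the query string reads "ord=ord=" + a, which looks like a duplicated key and does
// not match the noscript fallback below ("ord=1"); confirm against the tag issued by the ad
// platform before changing it. The iframe markup has no title and uses the deprecated frameborder
// attribute; both sit inside the string literal and are left as is.
document.write('<iframe src="https://2542116.fls.doubleclick.net/activityi;src=2542116;type=gblog;cat=googl0;ord=ord=' + a + '?" width="1" height="1" frameborder="0" style="display:none"></iframe>');
//]]>
</script>
<noscript> <img alt='' height='1' src='https://ad.doubleclick.net/ddm/activity/src=2542116;type=gblog;cat=googl0;ord=1?' width='1'/> </noscript>
<!-- Header -->
<div class='header-outer'> <div class='header-inner'> <div class='section' id='header'><div class='widget Header' data-version='1' id='Header1'> <div class='header-left'> <div class='header-title'>
<!-- Fix: the logo image had no alt attribute; as the only content of the home link it needs a
     text alternative (no width attribute is given, so the box is still sized from height alone). -->
<a class='google-logo' href='https://security.googleblog.com/'> <img alt='Google' height='50' src='https://www.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png'/> </a>
<!-- NOTE(review): the site name is an h2 wrapped in a link to '/.'; no h1 is visible in this part
     of the document and every post title below is also an h2, so the heading outline is flat. -->
<a href='/.'> <h2> Security Blog </h2> </a> </div>
<div class='header-desc'> The latest news and insights from Google on security and safety on the Internet </div>
</div> </div></div> </div> </div>
<!-- all content wrapper start -->
<div class='cols-wrapper loading'> <div class='col-main-wrapper'> <div class='col-main'> <div class='section' id='main'><div class='widget Blog' data-version='1' id='Blog1'>
<!-- Each post body is emitted twice: a script type='text/template' copy (presumably rendered by the
     page's JS) and a noscript copy with the same markup. The publish date is plain text; there is no
     machine-readable time/datetime alongside the datePublished itemprop. -->
<div class='post' data-id='1226806321887732434' itemscope='' itemtype='http://schema.org/BlogPosting'>
<h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/12/expanding-safe-browsing-alerts-to.html' itemprop='url' title='Expanding Safe Browsing Alerts to include malware distribution domains'> Expanding Safe Browsing Alerts to include malware distribution domains </a> </h2>
<div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> December 1, 2011 </span> </div> </div>
<div class='post-body'> <div class='post-content' itemprop='articleBody'>
<script type='text/template'> <span class="byline-author">Posted by Nav Jagpal, Security Team</span><br /><br />For the past year, we&#8217;ve been sending notifications to network administrators registered through the <a href="http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html">Safe Browsing Alerts for Network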
Administrators</a> service when our automated tools find phishing URLs or compromised sites that lead to malware on their networks. These notifications provide administrators with important information to help them improve the security of their networks.<br /><br />Today we&#8217;re adding distribution domains to the set of information we share. These are domains that are responsible for launching exploits and serving malware. Unlike compromised sites, which are often run by innocent webmasters, distribution domains are set up with the primary purpose of serving malicious content.<br /><br />If you&#8217;re a network administrator and haven&#8217;t yet registered your AS, you can do so <a href="//www.google.com/safebrowsing/alerts/">here</a>. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Nav Jagpal, Security Team</span><br /><br />For the past year, we&#8217;ve been sending notifications to network administrators registered through the <a href="http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html">Safe Browsing Alerts for Network Administrators</a> service when our automated tools find phishing URLs or compromised sites that lead to malware on their networks. These notifications provide administrators with important information to help them improve the security of their networks.<br /><br />Today we&#8217;re adding distribution domains to the set of information we share. These are domains that are responsible for launching exploits and serving malware. 
Unlike compromised sites, which are often run by innocent webmasters, distribution domains are set up with the primary purpose of serving malicious content.<br /><br />If you&#8217;re a network administrator and haven&#8217;t yet registered your AS, you can do so <a href="//www.google.com/safebrowsing/alerts/">here</a>. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Expanding Safe Browsing Alerts to include malware distribution domains&url=https://security.googleblog.com/2011/12/expanding-safe-browsing-alerts-to.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/12/expanding-safe-browsing-alerts-to.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='1' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/12/expanding-safe-browsing-alerts-to.html' data-url='https://security.googleblog.com/2011/12/expanding-safe-browsing-alerts-to.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/12/expanding-safe-browsing-alerts-to.html' 
data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='1505127665693931147' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/11/reminder-safe-browsing-version-1-api.html' itemprop='url' title='Reminder: Safe Browsing version 1 API turning down December 1'> Reminder: Safe Browsing version 1 API turning down December 1 </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> November 22, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Brian Ryner, Security Team</span><br /><br />In May we <a href="http://googleonlinesecurity.blogspot.com/2011/05/safe-browsing-protocol-v2-transition.html">announced</a> that we are ending support for the Safe Browsing protocol version 1 on December 1 in order to focus our resources on the <a href="http://code.google.com/apis/safebrowsing/developers_guide_v2.html">new version 2 API</a> and the <a href="http://code.google.com/apis/safebrowsing/lookup_guide.html">lookup service</a>. These new APIs provide simpler and more efficient access to the same data, and they use significantly less bandwidth. If you haven't yet migrated off of the version 1 API, we encourage you to do so as soon as possible. Our <a href="http://googleonlinesecurity.blogspot.com/2011/05/safe-browsing-protocol-v2-transition.html">earlier post</a> contains links to documentation for the new protocol version and other resources to help you make the transition smoothly.<br /><br />After December 1, we will remove all data from the version 1 API list to ensure that any remaining clients do not have false positives in their database. 
After January 1, 2012, we will turn off the version 1 service completely, and all requests will return a 404 error.<br /><br />Thanks for your cooperation, and enjoy using the next generation of Safe Browsing. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Brian Ryner, Security Team</span><br /><br />In May we <a href="http://googleonlinesecurity.blogspot.com/2011/05/safe-browsing-protocol-v2-transition.html">announced</a> that we are ending support for the Safe Browsing protocol version 1 on December 1 in order to focus our resources on the <a href="http://code.google.com/apis/safebrowsing/developers_guide_v2.html">new version 2 API</a> and the <a href="http://code.google.com/apis/safebrowsing/lookup_guide.html">lookup service</a>. These new APIs provide simpler and more efficient access to the same data, and they use significantly less bandwidth. If you haven't yet migrated off of the version 1 API, we encourage you to do so as soon as possible. Our <a href="http://googleonlinesecurity.blogspot.com/2011/05/safe-browsing-protocol-v2-transition.html">earlier post</a> contains links to documentation for the new protocol version and other resources to help you make the transition smoothly.<br /><br />After December 1, we will remove all data from the version 1 API list to ensure that any remaining clients do not have false positives in their database. After January 1, 2012, we will turn off the version 1 service completely, and all requests will return a 404 error.<br /><br />Thanks for your cooperation, and enjoy using the next generation of Safe Browsing. 
<span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Reminder: Safe Browsing version 1 API turning down December 1&url=https://security.googleblog.com/2011/11/reminder-safe-browsing-version-1-api.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/11/reminder-safe-browsing-version-1-api.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/11/reminder-safe-browsing-version-1-api.html' data-url='https://security.googleblog.com/2011/11/reminder-safe-browsing-version-1-api.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/11/reminder-safe-browsing-version-1-api.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='1552631326272284679' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a 
href='https://security.googleblog.com/2011/11/protecting-data-for-long-term-with.html' itemprop='url' title='Protecting data for the long term with forward secrecy'> Protecting data for the long term with forward secrecy </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> November 22, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Adam Langley, Security Team</span><br /><br />Last year we introduced <a href="http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html">HTTPS by default for Gmail</a> and <a href="http://googleblog.blogspot.com/2010/05/search-more-securely-with-encrypted.html">encrypted search</a>. We&#8217;re pleased to see that other major communications sites are following suit and deploying HTTPS in one form or another. We are now pushing forward by enabling <a href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy">forward secrecy</a> by default.<br /><br />Most major sites supporting HTTPS operate in a non-forward-secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years' time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today&#8217;s email traffic.<br /><br />Forward secrecy requires that the per-connection (ephemeral) private keys are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months&#8217; worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.<br /><br />Forward secret HTTPS is now live for Gmail and many other Google HTTPS services(*), like SSL Search, Docs and Google+. 
We have also <a href="http://cvs.openssl.org/fileview?f=openssl/CHANGES&amp;v=1.1481.2.56.2.57">released the work</a> that we did on the open source OpenSSL library that made this possible. You can check whether you have forward secret connections in Chrome by clicking on the green padlock in the address bar of HTTPS sites. Google&#8217;s forward secret connections will have a key exchange mechanism of ECDHE_RSA.<br /><br />We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision.<br /><br /><img alt="" border="0" id="BLOGGER_PHOTO_ID_5677881951525500994" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVqsqQ-liKqZP7eRBhD62rtO7eiJ15LFc39hVOOxIx-_kzXsA56oyd-TvBej3tFVwXWxP7yp_EY1gF_oKDTl52IWp_Vaz5VZ4KoXrnFO6gcteOKl2cJ-sj3DFZYz4Qma5hKV_a_oDSzjA/s400/ecdhe.png" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 270px; " /><br />(* Chrome, Firefox (all platforms) and Internet Explorer (Vista or later) support forward secrecy using elliptic curve Diffie-Hellman. Initially, only Chrome and Firefox will use it by default with Google services because IE doesn&#8217;t support the combination of ECDHE and RC4. We hope to support IE in the future.) <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Adam Langley, Security Team</span><br /><br />Last year we introduced <a href="http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html">HTTPS by default for Gmail</a> and <a href="http://googleblog.blogspot.com/2010/05/search-more-securely-with-encrypted.html">encrypted search</a>. 
We&#8217;re pleased to see that other major communications sites are following suit and deploying HTTPS in one form or another. We are now pushing forward by enabling <a href="http://en.wikipedia.org/wiki/Perfect_forward_secrecy">forward secrecy</a> by default.<br /><br />Most major sites supporting HTTPS operate in a non-forward-secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years' time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today&#8217;s email traffic.<br /><br />Forward secrecy requires that the per-connection (ephemeral) private keys are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months&#8217; worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.<br /><br />Forward secret HTTPS is now live for Gmail and many other Google HTTPS services(*), like SSL Search, Docs and Google+. We have also <a href="http://cvs.openssl.org/fileview?f=openssl/CHANGES&amp;v=1.1481.2.56.2.57">released the work</a> that we did on the open source OpenSSL library that made this possible. You can check whether you have forward secret connections in Chrome by clicking on the green padlock in the address bar of HTTPS sites. 
Google&#8217;s forward secret connections will have a key exchange mechanism of ECDHE_RSA.<br /><br />We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision.<br /><br /><img alt="" border="0" id="BLOGGER_PHOTO_ID_5677881951525500994" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVqsqQ-liKqZP7eRBhD62rtO7eiJ15LFc39hVOOxIx-_kzXsA56oyd-TvBej3tFVwXWxP7yp_EY1gF_oKDTl52IWp_Vaz5VZ4KoXrnFO6gcteOKl2cJ-sj3DFZYz4Qma5hKV_a_oDSzjA/s400/ecdhe.png" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 270px; " /><br />(* Chrome, Firefox (all platforms) and Internet Explorer (Vista or later) support forward secrecy using elliptic curve Diffie-Hellman. Initially, only Chrome and Firefox will use it by default with Google services because IE doesn&#8217;t support the combination of ECDHE and RC4. We hope to support IE in the future.) 
<span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> </div> <div class='post' data-id='588724102287335204' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a 
href='https://security.googleblog.com/2011/10/safe-browsing-alerts-for-network.html' itemprop='url' title='Safe Browsing Alerts for Network Administrators is graduating from Labs'> Safe Browsing Alerts for Network Administrators is graduating from Labs </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> October 6, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Nav Jagpal, Security Team</span><br /> <br /> Today, we&#8217;re congratulating Safe Browsing Alerts for Network Administrators on its graduation from Labs to its new home at <a href="//www.google.com/safebrowsing/alerts/">http://www.google.com/safebrowsing/alerts/</a><br /> <br /> We <a href="http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html">announced</a> the tool about a year ago and have received a lot of positive feedback. Network administrators, large and small, are using the information we provide about malware and phishing URLs to clean up their networks and help webmasters make their sites safer. Earlier this year, <a href="http://searchsecurity.techtarget.com.au/news/2240035959/Winners-at-the-AusCERT-2011-awards-night">AusCert recognized our efforts</a> by awarding Safe Browsing Alerts for Network Administrators the title of &#8220;Best Security Initiative.&#8221; <br /> <br /> If you&#8217;re a network administrator and haven&#8217;t yet registered your AS, you can do so <a href="//www.google.com/safebrowsing/alerts/">here</a>. 
<span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Nav Jagpal, Security Team</span><br /> <br /> Today, we&#8217;re congratulating Safe Browsing Alerts for Network Administrators on its graduation from Labs to its new home at <a href="//www.google.com/safebrowsing/alerts/">http://www.google.com/safebrowsing/alerts/</a><br /> <br /> We <a href="http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html">announced</a> the tool about a year ago and have received a lot of positive feedback. Network administrators, large and small, are using the information we provide about malware and phishing URLs to clean up their networks and help webmasters make their sites safer. Earlier this year, <a href="http://searchsecurity.techtarget.com.au/news/2240035959/Winners-at-the-AusCERT-2011-awards-night">AusCert recognized our efforts</a> by awarding Safe Browsing Alerts for Network Administrators the title of &#8220;Best Security Initiative.&#8221; <br /> <br /> If you&#8217;re a network administrator and haven&#8217;t yet registered your AS, you can do so <a href="//www.google.com/safebrowsing/alerts/">here</a>. 
<span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> </div> <div class='post' data-id='2450884721254666605' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a 
href='https://security.googleblog.com/2011/09/gmail-account-security-in-iran.html' itemprop='url' title='Gmail account security in Iran'> Gmail account security in Iran </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> September 8, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Eric Grosse, VP Security Engineering</span><br /><br />We <a href="http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html">learned last week</a> that the compromise of a Dutch company involved with verifying the authenticity of websites could have put the Internet communications of many Iranians at risk, including their Gmail. While Google&#8217;s internal systems were not compromised, we are directly contacting possibly affected users and providing similar information below because our top priority is to protect the privacy and security of our users.<br /><br />While users of the Chrome browser were protected from this threat, we advise all users in Iran to take concrete steps to secure their accounts:<br /><div><ol><li>Change your password. You may have already been asked to change your password when you signed in to your Google Account. If not, you can change it <a href="https://mail.google.com/support/bin/answer.py?answer=6567">here</a>.</li><li>Verify your account recovery options. Secondary email addresses, phone numbers, and other information can help you regain access to your account if you lose your password. Check to be sure your recovery options are correct and up to date <a href="//www.google.com/support/accounts/bin/answer.py?answer=183723">here</a>. </li><li>Check the websites and applications that are allowed to access your account, and revoke any that are unfamiliar <a href="//www.google.com/support/accounts/bin/answer.py?answer=41236">here</a>. 
</li><li>Check your Gmail settings for suspicious <a href="https://mail.google.com/support/bin/answer.py?answer=10957">forwarding addresses</a> or <a href="https://mail.google.com/support/bin/answer.py?hl=en&amp;ctx=mail&amp;answer=138350">delegated accounts</a>. </li><li>Pay careful attention to <a href="//www.google.com/support/chrome/bin/answer.py?answer=95617">warnings that appear</a> in your web browser and don&#8217;t click past them.</li></ol>For more ways to secure your account, you can visit <a href="//www.google.com/help/security">http://www.google.com/help/security</a>. If you believe your account has been compromised, you can start the recovery process <a href="https://mail.google.com/support/bin/answer.py?answer=50270">here</a>.</div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Eric Grosse, VP Security Engineering</span><br /><br />We <a href="http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html">learned last week</a> that the compromise of a Dutch company involved with verifying the authenticity of websites could have put the Internet communications of many Iranians at risk, including their Gmail. While Google&#8217;s internal systems were not compromised, we are directly contacting possibly affected users and providing similar information below because our top priority is to protect the privacy and security of our users.<br /><br />While users of the Chrome browser were protected from this threat, we advise all users in Iran to take concrete steps to secure their accounts:<br /><div><ol><li>Change your password. You may have already been asked to change your password when you signed in to your Google Account. 
If not, you can change it <a href="https://mail.google.com/support/bin/answer.py?answer=6567">here</a>.</li><li>Verify your account recovery options. Secondary email addresses, phone numbers, and other information can help you regain access to your account if you lose your password. Check to be sure your recovery options are correct and up to date <a href="//www.google.com/support/accounts/bin/answer.py?answer=183723">here</a>. </li><li>Check the websites and applications that are allowed to access your account, and revoke any that are unfamiliar <a href="//www.google.com/support/accounts/bin/answer.py?answer=41236">here</a>. </li><li>Check your Gmail settings for suspicious <a href="https://mail.google.com/support/bin/answer.py?answer=10957">forwarding addresses</a> or <a href="https://mail.google.com/support/bin/answer.py?hl=en&amp;ctx=mail&amp;answer=138350">delegated accounts</a>. </li><li>Pay careful attention to <a href="//www.google.com/support/chrome/bin/answer.py?answer=95617">warnings that appear</a> in your web browser and don&#8217;t click past them.</li></ol>For more ways to secure your account, you can visit <a href="//www.google.com/help/security">http://www.google.com/help/security</a>. 
If you believe your account has been compromised, you can start the recovery process <a href="https://mail.google.com/support/bin/answer.py?answer=50270">here</a>.</div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> </div> <div class='post' 
data-id='386783284323132943' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/08/update-on-attempted-man-in-middle.html' itemprop='url' title='An update on attempted man-in-the-middle attacks'> An update on attempted man-in-the-middle attacks </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 29, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Heather Adkins, Information Security Manager</span> <br /> <br />Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). <br /> <br />Google Chrome users were protected from this attack because Chrome was able to <a href="http://blog.chromium.org/2011/06/new-chromium-security-features-june.html">detect</a> the fraudulent certificate. <br /> <br />To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also <a href="http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/">moved quickly</a> to protect its users. This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates. Microsoft also has <a href="http://blogs.technet.com/b/msrc/archive/2011/08/29/microsoft-releases-security-advisory-2607712.aspx">taken prompt action</a>. 
<br /> <br />To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings. <br /> <br /><i><b>Update</b> Aug 30:</i> Added information about Microsoft's response. <br /> <br /><i><b>Update</b> Sept 3:</i> Our top priority is to protect the privacy and security of our users. Based on the findings and decision of the Dutch government, as well as conversations with other browser makers, we have decided to reject all of the Certificate Authorities operated by DigiNotar. We encourage DigiNotar to provide a complete analysis of the situation. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Heather Adkins, Information Security Manager</span> <br /> <br />Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). <br /> <br />Google Chrome users were protected from this attack because Chrome was able to <a href="http://blog.chromium.org/2011/06/new-chromium-security-features-june.html">detect</a> the fraudulent certificate. <br /> <br />To further protect the safety and privacy of our users, we plan to disable the DigiNotar certificate authority in Chrome while investigations continue. Mozilla also <a href="http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/">moved quickly</a> to protect its users. 
This means that Chrome and Firefox users will receive alerts if they try to visit websites that use DigiNotar certificates. Microsoft also has <a href="http://blogs.technet.com/b/msrc/archive/2011/08/29/microsoft-releases-security-advisory-2607712.aspx">taken prompt action</a>. <br /> <br />To help deter unwanted surveillance, we recommend that users, especially those in Iran, keep their web browsers and operating systems up to date and pay attention to web browser security warnings. <br /> <br /><i><b>Update</b> Aug 30:</i> Added information about Microsoft's response. <br /> <br /><i><b>Update</b> Sept 3:</i> Our top priority is to protect the privacy and security of our users. Based on the findings and decision of the Dutch government, as well as conversations with other browser makers, we have decided to reject all of the Certificate Authorities operated by DigiNotar. We encourage DigiNotar to provide a complete analysis of the situation. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> 
</div> <div class='post' data-id='6465575028195159013' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/08/four-years-of-web-malware.html' itemprop='url' title='Four Years of Web Malware'> Four Years of Web Malware </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 17, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Lucas Ballard and Niels Provos, Google Security Team</span> <br /> <br /> Google&#8217;s Safe Browsing initiative has been protecting users from web pages that install malware for over five years now. Each day we show around 3 million malware warnings to over four hundred million users whose browsers implement the Safe Browsing API. Like other service providers, we are engaged in an arms race with malware distributors. Over time, we have adapted our original system to incorporate new detection algorithms that allow us to keep pace. 
We recently completed an analysis of four years of data that explores the evasive techniques that malware distributors employ. We compiled the results in a technical report, entitled &#8220;<a href="http://research.google.com/archive/papers/rajab-2011a.pdf">Trends in Circumventing Web-Malware Detection</a>.&#8221; <br /> <br /> Below are a few of the research highlights, but we recommend reviewing the <a href="http://research.google.com/archive/papers/rajab-2011a.pdf">full report</a> for details on our methodology and measurements. The analysis covers approximately 160 million web pages hosted on approximately 8 million sites. <br /> <br /> <b>Social Engineering</b> <br /> Social engineering is a malware distribution mechanism that relies on tricking a user into installing malware. Typically, the malware is disguised as an anti-virus product or browser plugin. Social engineering has increased in frequency significantly and is still rising. However, it&#8217;s important to keep this growth in perspective &#8212; sites that rely on social engineering comprise only 2% of all sites that distribute malware. <br /> <br /> <img alt="" border="0" id="BLOGGER_PHOTO_ID_5641924082717200370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5NSmx3m5vM8-1UCSntwlROnBlE5a85kE5cdbhGOMmdj4Ss5pNll-zCYTxNUkIUctNrkvdSjGEp1nixfh8F-w5REYr7OfOxLA1KoqgimmPPSfAxnW7pypVQyOHoq_EfDZH3w6Qi8VP9ZU/" style="cursor: pointer; display: block; margin-bottom: 10px; margin-left: auto; margin-right: auto; margin-top: 0px; text-align: center; width: 450px;" /> <br /> <div style="text-align: center;"> <i><span style="font-size: x-small;">Number of sites distributing Social Engineering Malware and Exploits over time</span></i></div> <br /> <b>Drive-by Download Exploit Trends</b> <br /> Far more common than social engineering, malicious pages install malware after exploiting a vulnerability in the browser or a plugin. This type of infection is often called a drive-by download. 
Our analysis of which vulnerabilities are actively being exploited over time shows that adversaries quickly switch to new and more reliable exploits to help avoid detection. The graph below shows the ratio of exploits targeting a vulnerability in one CVE to all exploits over time. Most vulnerabilities are exploited only for a short period of time until new vulnerabilities become available. A prominent exception is the MDAC vulnerability which is present in most exploit kits. <br /> <br /> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIKSCKkOYySTEg7wrv7A3i_dY5ry4ZphFA5NUQroUsQwqbIj6AzHUfTRbtEHoSnBmuyeci4_z3COXQJfNpr9xNBpnWjzB8YtgTMENb7R8sPf-k18fon0Rc7uaTk53cr9M2AJS8dY1c9-M/s1600/cveheatmap.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5641925280123638162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIKSCKkOYySTEg7wrv7A3i_dY5ry4ZphFA5NUQroUsQwqbIj6AzHUfTRbtEHoSnBmuyeci4_z3COXQJfNpr9xNBpnWjzB8YtgTMENb7R8sPf-k18fon0Rc7uaTk53cr9M2AJS8dY1c9-M/" style="cursor: hand; cursor: pointer; display: block; margin: 0px auto 10px; text-align: center; width: 450px;" /></a><br /> <div style="text-align: center;"> <span style="font-size: x-small;"><i>Prevalence of exploits targeting specific CVEs over time</i></span> </div> <br /> <div style="text-align: left;"> <b>Increase in IP Cloaking</b> <br /> Malware distributors are increasingly relying upon &#8216;cloaking&#8217; as a technique to evade detection. The concept behind cloaking is simple: serve benign content to detection systems, but serve malicious content to normal web page visitors. Over the years, we have seen more malicious sites engaging in IP cloaking. To bypass the cloaking defense, we run our scanners in different ways to mimic regular user traffic. 
<br /> <br /> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl0z3tciI1CbSF4QHITWkTwy2TU8Iddj4klRV7G5SMuxu86F-OQb5qxGy7n9CMzLuoL75rkm46hxJCuwx_md2_A571SgIhsfO-2kjRkUklcY_7hhIJcA4QDB8MO2PiyqbyFJ24ikuGr5Y/s1600/cloaking_impact.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5641925693861656050" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl0z3tciI1CbSF4QHITWkTwy2TU8Iddj4klRV7G5SMuxu86F-OQb5qxGy7n9CMzLuoL75rkm46hxJCuwx_md2_A571SgIhsfO-2kjRkUklcY_7hhIJcA4QDB8MO2PiyqbyFJ24ikuGr5Y/" style="cursor: hand; cursor: pointer; display: block; margin: 0px auto 10px; text-align: center; width: 450px;" /></a><br /> <div style="text-align: center;"> <span style="font-size: x-small;"><i>Number of sites practicing IP Cloaking over time</i></span></div> <br /> <b>New Detection Capabilities</b> <br /> Our report analyzed four years of data to uncover trends in malware distribution on the web, and it demonstrates the ongoing tension between malware distributors and malware detectors. To help protect Internet users, even those who don&#8217;t use Google, we have updated the Safe Browsing infrastructure over the years to incorporate many state-of-the-art malware detection technologies. We hope the findings outlined in this report will help other researchers in this area and raise awareness of some of the current challenges. </div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Lucas Ballard and Niels Provos, Google Security Team</span> <br /> <br /> Google&#8217;s Safe Browsing initiative has been protecting users from web pages that install malware for over five years now. Each day we show around 3 million malware warnings to over four hundred million users whose browsers implement the Safe Browsing API. 
Like other service providers, we are engaged in an arms race with malware distributors. Over time, we have adapted our original system to incorporate new detection algorithms that allow us to keep pace. We recently completed an analysis of four years of data that explores the evasive techniques that malware distributors employ. We compiled the results in a technical report, entitled &#8220;<a href="http://research.google.com/archive/papers/rajab-2011a.pdf">Trends in Circumventing Web-Malware Detection</a>.&#8221; <br /> <br /> Below are a few of the research highlights, but we recommend reviewing the <a href="http://research.google.com/archive/papers/rajab-2011a.pdf">full report</a> for details on our methodology and measurements. The analysis covers approximately 160 million web pages hosted on approximately 8 million sites. <br /> <br /> <b>Social Engineering</b> <br /> Social engineering is a malware distribution mechanism that relies on tricking a user into installing malware. Typically, the malware is disguised as an anti-virus product or browser plugin. Social engineering has increased in frequency significantly and is still rising. However, it&#8217;s important to keep this growth in perspective &#8212; sites that rely on social engineering comprise only 2% of all sites that distribute malware. 
<br /> <br /> <img alt="" border="0" id="BLOGGER_PHOTO_ID_5641924082717200370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5NSmx3m5vM8-1UCSntwlROnBlE5a85kE5cdbhGOMmdj4Ss5pNll-zCYTxNUkIUctNrkvdSjGEp1nixfh8F-w5REYr7OfOxLA1KoqgimmPPSfAxnW7pypVQyOHoq_EfDZH3w6Qi8VP9ZU/" style="cursor: pointer; display: block; margin-bottom: 10px; margin-left: auto; margin-right: auto; margin-top: 0px; text-align: center; width: 450px;" /> <br /> <div style="text-align: center;"> <i><span style="font-size: x-small;">Number of sites distributing Social Engineering Malware and Exploits over time</span></i></div> <br /> <b>Drive-by Download Exploit Trends</b> <br /> Far more common than social engineering, malicious pages install malware after exploiting a vulnerability in the browser or a plugin. This type of infection is often called a drive-by download. Our analysis of which vulnerabilities are actively being exploited over time shows that adversaries quickly switch to new and more reliable exploits to help avoid detection. The graph below shows the ratio of exploits targeting a vulnerability in one CVE to all exploits over time. Most vulnerabilities are exploited only for a short period of time until new vulnerabilities become available. A prominent exception is the MDAC vulnerability which is present in most exploit kits. 
<br /> <br /> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIKSCKkOYySTEg7wrv7A3i_dY5ry4ZphFA5NUQroUsQwqbIj6AzHUfTRbtEHoSnBmuyeci4_z3COXQJfNpr9xNBpnWjzB8YtgTMENb7R8sPf-k18fon0Rc7uaTk53cr9M2AJS8dY1c9-M/s1600/cveheatmap.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5641925280123638162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIKSCKkOYySTEg7wrv7A3i_dY5ry4ZphFA5NUQroUsQwqbIj6AzHUfTRbtEHoSnBmuyeci4_z3COXQJfNpr9xNBpnWjzB8YtgTMENb7R8sPf-k18fon0Rc7uaTk53cr9M2AJS8dY1c9-M/" style="cursor: hand; cursor: pointer; display: block; margin: 0px auto 10px; text-align: center; width: 450px;" /></a><br /> <div style="text-align: center;"> <span style="font-size: x-small;"><i>Prevalence of exploits targeting specific CVEs over time</i></span> </div> <br /> <div style="text-align: left;"> <b>Increase in IP Cloaking</b> <br /> Malware distributors are increasingly relying upon &#8216;cloaking&#8217; as a technique to evade detection. The concept behind cloaking is simple: serve benign content to detection systems, but serve malicious content to normal web page visitors. Over the years, we have seen more malicious sites engaging in IP cloaking. To bypass the cloaking defense, we run our scanners in different ways to mimic regular user traffic. 
<br /> <br /> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl0z3tciI1CbSF4QHITWkTwy2TU8Iddj4klRV7G5SMuxu86F-OQb5qxGy7n9CMzLuoL75rkm46hxJCuwx_md2_A571SgIhsfO-2kjRkUklcY_7hhIJcA4QDB8MO2PiyqbyFJ24ikuGr5Y/s1600/cloaking_impact.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5641925693861656050" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl0z3tciI1CbSF4QHITWkTwy2TU8Iddj4klRV7G5SMuxu86F-OQb5qxGy7n9CMzLuoL75rkm46hxJCuwx_md2_A571SgIhsfO-2kjRkUklcY_7hhIJcA4QDB8MO2PiyqbyFJ24ikuGr5Y/" style="cursor: hand; cursor: pointer; display: block; margin: 0px auto 10px; text-align: center; width: 450px;" /></a><br /> <div style="text-align: center;"> <span style="font-size: x-small;"><i>Number of sites practicing IP Cloaking over time</i></span></div> <br /> <b>New Detection Capabilities</b> <br /> Our report analyzed four years of data to uncover trends in malware distribution on the web, and it demonstrates the ongoing tension between malware distributors and malware detectors. To help protect Internet users, even those who don&#8217;t use Google, we have updated the Safe Browsing infrastructure over the years to incorporate many state-of-the-art malware detection technologies. We hope the findings outlined in this report will help other researchers in this area and raise awareness of some of the current challenges. 
</div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Four Years of Web Malware&url=https://security.googleblog.com/2011/08/four-years-of-web-malware.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/08/four-years-of-web-malware.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='3' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/08/four-years-of-web-malware.html' data-url='https://security.googleblog.com/2011/08/four-years-of-web-malware.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/08/four-years-of-web-malware.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='3679451503660073250' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/08/fuzzing-at-scale.html' itemprop='url' 
title='Fuzzing at scale'> Fuzzing at scale </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 12, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Chris Evans, Matt Moore and Tavis Ormandy, Google Security Team</span> <br /> <br />One of the exciting things about working on security at Google is that you have a lot of compute horsepower available if you need it. This is very useful if you&#8217;re looking to <a href="http://en.wikipedia.org/wiki/Fuzz_testing">fuzz</a> something, and especially if you&#8217;re going to use modern fuzzing techniques. <br /> <br />Using these techniques and large amounts of compute power, we&#8217;ve found hundreds of bugs in our own code, including Chrome components such as WebKit and the PDF viewer. We recently decided to apply the same techniques to fuzz Adobe&#8217;s Flash Player, which we include with Chrome in partnership with Adobe. <br /> <br />A good overview of some modern techniques can be read <a href="http://taviso.decsystem.org/making_software_dumber.pdf">in this presentation</a>. For the purposes of fuzzing Flash, we mainly relied on &#8220;corpus distillation&#8221;. This is a technique whereby you locate a large number of sample files for the format at hand (SWF in this case). You then see which areas of code are reached by each of the sample files. Finally, you run an algorithm to generate a minimal set of sample files that achieves the code coverage of the full set. This calculated set of files is a great basis for fuzzing: a manageable number of files that exercise lots of unusual code paths. <br /> <br />What does corpus distillation look like at Google scale? 
Turns out we have a large index of the web, so we cranked through 20 terabytes of SWF file downloads, followed by 1 week of run time on 2,000 CPU cores, to calculate the minimal set of about 20,000 files. Finally, those same 2,000 cores plus 3 more weeks of run time were put to good work mutating the files in the minimal set (bitflipping, etc.) and generating crash cases. These crash cases included an interesting range of vulnerability categories, including buffer overflows, integer overflows, use-after-frees and object type confusions. <br /> <br />The initial run of the ongoing effort resulted in about 400 unique crash signatures, which were logged as 106 individual security bugs following Adobe's initial triage. As these bugs were resolved, many were identified as duplicates that weren't caught during the initial triage. A unique crash signature does not always indicate a unique bug. Since Adobe has access to symbols and sources, they were able to group similar crashes to perform root cause analysis, reducing the actual number of changes to the code. No analysis was performed to determine how many of the identified crashes were actually exploitable. However, each crash was treated as though it were potentially exploitable and addressed by Adobe. In the final analysis, the Flash Player update Adobe shipped earlier this week contained about 80 code changes to fix these bugs. <br /> <br />Commandeering massive resources to improve security is rewarding on its own, but the real highlight of this exercise has been Adobe&#8217;s response. The <a href="http://www.adobe.com/support/security/bulletins/apsb11-21.html">Flash patch</a> earlier this week fixes these bugs and incorporates UIPI protections for the Flash Player sandbox in Chrome, which Justin Schuh helped develop. 
Fixing <a href="http://blogs.adobe.com/asset/2011/08/how-did-you-get-to-that-number.html">so many issues</a> in such a short time frame shows a real commitment to security from Adobe, for which we are grateful. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Chris Evans, Matt Moore and Tavis Ormandy, Google Security Team</span> <br /> <br />One of the exciting things about working on security at Google is that you have a lot of compute horsepower available if you need it. This is very useful if you&#8217;re looking to <a href="http://en.wikipedia.org/wiki/Fuzz_testing">fuzz</a> something, and especially if you&#8217;re going to use modern fuzzing techniques. <br /> <br />Using these techniques and large amounts of compute power, we&#8217;ve found hundreds of bugs in our own code, including Chrome components such as WebKit and the PDF viewer. We recently decided to apply the same techniques to fuzz Adobe&#8217;s Flash Player, which we include with Chrome in partnership with Adobe. <br /> <br />A good overview of some modern techniques can be read <a href="http://taviso.decsystem.org/making_software_dumber.pdf">in this presentation</a>. For the purposes of fuzzing Flash, we mainly relied on &#8220;corpus distillation&#8221;. This is a technique whereby you locate a large number of sample files for the format at hand (SWF in this case). You then see which areas of code are reached by each of the sample files. Finally, you run an algorithm to generate a minimal set of sample files that achieves the code coverage of the full set. This calculated set of files is a great basis for fuzzing: a manageable number of files that exercise lots of unusual code paths. <br /> <br />What does corpus distillation look like at Google scale? 
Turns out we have a large index of the web, so we cranked through 20 terabytes of SWF file downloads, followed by 1 week of run time on 2,000 CPU cores, to calculate the minimal set of about 20,000 files. Finally, those same 2,000 cores plus 3 more weeks of run time were put to good work mutating the files in the minimal set (bitflipping, etc.) and generating crash cases. These crash cases included an interesting range of vulnerability categories, including buffer overflows, integer overflows, use-after-frees and object type confusions. <br /> <br />The initial run of the ongoing effort resulted in about 400 unique crash signatures, which were logged as 106 individual security bugs following Adobe's initial triage. As these bugs were resolved, many were identified as duplicates that weren't caught during the initial triage. A unique crash signature does not always indicate a unique bug. Since Adobe has access to symbols and sources, they were able to group similar crashes to perform root cause analysis, reducing the actual number of changes to the code. No analysis was performed to determine how many of the identified crashes were actually exploitable. However, each crash was treated as though it were potentially exploitable and addressed by Adobe. In the final analysis, the Flash Player update Adobe shipped earlier this week contained about 80 code changes to fix these bugs. <br /> <br />Commandeering massive resources to improve security is rewarding on its own, but the real highlight of this exercise has been Adobe&#8217;s response. The <a href="http://www.adobe.com/support/security/bulletins/apsb11-21.html">Flash patch</a> earlier this week fixes these bugs and incorporates UIPI protections for the Flash Player sandbox in Chrome, which Justin Schuh helped develop. 
Fixing <a href="http://blogs.adobe.com/asset/2011/08/how-did-you-get-to-that-number.html">so many issues</a> in such a short time frame shows a real commitment to security from Adobe, for which we are grateful. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Fuzzing at scale&url=https://security.googleblog.com/2011/08/fuzzing-at-scale.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/08/fuzzing-at-scale.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='20' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/08/fuzzing-at-scale.html' data-url='https://security.googleblog.com/2011/08/fuzzing-at-scale.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/08/fuzzing-at-scale.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='8706672392619937063' itemscope='' 
itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/07/2-step-verification-stay-safe-around.html' itemprop='url' title='2-step verification: stay safe around the world in 40 languages'> 2-step verification: stay safe around the world in 40 languages </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> July 28, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Nishit Shah, Product Manager, Google Security</span><br /> <br /> <i>(Cross-posted from the <a href="http://googleblog.blogspot.com/2011/07/2-step-verification-stay-safe-around.html">Official Google Blog</a>)</i><br /> <br /> Earlier this year, we <a href="http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html">introduced</a> a security feature called <i>2-step verification</i> that helps protect your Google Account from threats like password compromise and identity theft. By entering a one-time verification code from your phone after you type your password, you can make it much tougher for an unauthorized person to gain access to your account.<br /> <br /> People have told us how much they like the feature, which is why we're thrilled to offer 2-step verification in 40 languages and in more than 150 countries. There&#8217;s never been a better time to set it up: Examples in the news of password theft and data breaches constantly remind us to stay on our toes and take advantage of tools to properly secure our valuable online information. 
Email, social networking and other online accounts still get compromised today, but 2-step verification cuts those risks significantly.<br /> <br /> We recommend investing some time in keeping your information safe by watching our <a href="//www.google.com/support/accounts/bin/static.py?page=guide.cs&amp;guide=1056283&amp;topic=1056284">2-step verification video</a> to learn how to quickly increase your Google Account&#8217;s resistance to common problems like reused passwords and <a href="//www.google.com/support/chrome/bin/answer.py?answer=99020">malware and phishing scams</a>. Wherever you are in the world, <a href="//www.google.com/support/accounts/bin/static.py?page=guide.cs&amp;guide=1056283&amp;topic=1056284">sign up for 2-step verification</a> and help keep yourself one step ahead of the bad guys.<br /> <br /> To learn more about online safety tips and resources, visit our ongoing security <a href="http://googleblog.blogspot.com/search/label/security">blog series</a>, and review a couple of simple <a href="//www.google.com/help/security/">tips and tricks</a> for online security. Also, watch our video about <a href="//www.youtube.com/watch?hl=en&amp;v=nOgsXdB67Pc">five easy ways</a> to help you stay safe and secure as you browse.<br /> <br /> <i><b>Update</b> on 12/1/11</i>: We recently made 2-step verification available for users in even more places, including Iran, Japan, Liberia, Myanmar (Burma), Sudan and Syria. This enhanced security feature for Google Accounts is now available in more than 175 countries. 
<span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Nishit Shah, Product Manager, Google Security</span><br /> <br /> <i>(Cross-posted from the <a href="http://googleblog.blogspot.com/2011/07/2-step-verification-stay-safe-around.html">Official Google Blog</a>)</i><br /> <br /> Earlier this year, we <a href="http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html">introduced</a> a security feature called <i>2-step verification</i> that helps protect your Google Account from threats like password compromise and identity theft. By entering a one-time verification code from your phone after you type your password, you can make it much tougher for an unauthorized person to gain access to your account.<br /> <br /> People have told us how much they like the feature, which is why we're thrilled to offer 2-step verification in 40 languages and in more than 150 countries. There&#8217;s never been a better time to set it up: Examples in the news of password theft and data breaches constantly remind us to stay on our toes and take advantage of tools to properly secure our valuable online information. Email, social networking and other online accounts still get compromised today, but 2-step verification cuts those risks significantly.<br /> <br /> We recommend investing some time in keeping your information safe by watching our <a href="//www.google.com/support/accounts/bin/static.py?page=guide.cs&amp;guide=1056283&amp;topic=1056284">2-step verification video</a> to learn how to quickly increase your Google Account&#8217;s resistance to common problems like reused passwords and <a href="//www.google.com/support/chrome/bin/answer.py?answer=99020">malware and phishing scams</a>. 
Wherever you are in the world, <a href="//www.google.com/support/accounts/bin/static.py?page=guide.cs&amp;guide=1056283&amp;topic=1056284">sign up for 2-step verification</a> and help keep yourself one step ahead of the bad guys.<br /> <br /> To learn more about online safety tips and resources, visit our ongoing security <a href="http://googleblog.blogspot.com/search/label/security">blog series</a>, and review a couple of simple <a href="//www.google.com/help/security/">tips and tricks</a> for online security. Also, watch our video about <a href="//www.youtube.com/watch?hl=en&amp;v=nOgsXdB67Pc">five easy ways</a> to help you stay safe and secure as you browse.<br /> <br /> <i><b>Update</b> on 12/1/11</i>: We recently made 2-step verification available for users in even more places, including Iran, Japan, Liberia, Myanmar (Burma), Sudan and Syria. This enhanced security feature for Google Accounts is now available in more than 175 countries. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:2-step verification: stay safe around the world in 40 languages&url=https://security.googleblog.com/2011/07/2-step-verification-stay-safe-around.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/07/2-step-verification-stay-safe-around.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img 
material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='8' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/07/2-step-verification-stay-safe-around.html' data-url='https://security.googleblog.com/2011/07/2-step-verification-stay-safe-around.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/07/2-step-verification-stay-safe-around.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='2370052525378628789' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/07/using-data-to-protect-people-from.html' itemprop='url' title='Using data to protect people from malware'> Using data to protect people from malware </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> July 19, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Damian Menscher, Security Engineer</span><br /><br /><i>(Cross-posted from the <a href="http://googleblog.blogspot.com/2011/07/using-data-to-protect-people-from.html">Official Google Blog</a>)</i><br /><br />The Internet brings remarkable benefits to society. Unfortunately, some people use it for harm and their own gain at the expense of others. 
We believe in the power of the web and information, and we work every day to detect potential abuse of our services and ward off attacks.<br /><br />As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or &#8220;malware.&#8221; As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results:<br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQOimXmKc8l6BhEhG4-ZNHsHPTo-kJQa3VsRLvgeyUFUjs9c2n4m-pmR5G5OBX7flGvzOZXe9XQhTLZwMf6NP39YNaox5QcyfMJFKpra0bQZW-ZA0EcGBNxWOmtHpo9NG-FbdPaUtxA4o/s1600/MalwareWarningScreenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQOimXmKc8l6BhEhG4-ZNHsHPTo-kJQa3VsRLvgeyUFUjs9c2n4m-pmR5G5OBX7flGvzOZXe9XQhTLZwMf6NP39YNaox5QcyfMJFKpra0bQZW-ZA0EcGBNxWOmtHpo9NG-FbdPaUtxA4o/" width="500" /></a></div><br />This particular malware causes infected computers to send traffic to Google through a small number of intermediary servers called &#8220;proxies.&#8221; We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.<br /><br />We hope to use the knowledge we&#8217;ve gathered to assist as many people as possible. 
In case our notice doesn&#8217;t reach everyone directly, you can run a system scan on your computer yourself by following the steps in our <a href="//www.google.com/support/websearch/bin/answer.py?answer=1182191">Help Center article</a>.<br /><br /><b>Updated July 20, 2011:</b> We've seen a few common questions we thought we'd address here:<br /><ul><li>The malware appears to have gotten onto users' computers from one of roughly a hundred variants of fake antivirus, or "fake AV" software that has been in circulation for a while. We aren't aware of a common name for the malware.</li><li>We believe a couple million machines are affected by this malware.</li><li>We've heard from a number of you that you're thinking about the potential for an attacker to copy our notice and attempt to point users to a dangerous site instead. It's a good security practice to be cautious about the links you click, so the spirit of those comments is spot-on. We thought about this, too, which is why the notice appears only at the top of our search results page. Falsifying the message on this page would require prior compromise of that computer, so the notice is not a risk to additional users. </li><li>In the meantime, we've been able to successfully warn hundreds of thousands of users that their computer is infected. These are people who otherwise may never have known.</li></ul> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Damian Menscher, Security Engineer</span><br /><br /><i>(Cross-posted from the <a href="http://googleblog.blogspot.com/2011/07/using-data-to-protect-people-from.html">Official Google Blog</a>)</i><br /><br />The Internet brings remarkable benefits to society. Unfortunately, some people use it for harm and their own gain at the expense of others. 
We believe in the power of the web and information, and we work every day to detect potential abuse of our services and ward off attacks.<br /><br />As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or &#8220;malware.&#8221; As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results:<br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQOimXmKc8l6BhEhG4-ZNHsHPTo-kJQa3VsRLvgeyUFUjs9c2n4m-pmR5G5OBX7flGvzOZXe9XQhTLZwMf6NP39YNaox5QcyfMJFKpra0bQZW-ZA0EcGBNxWOmtHpo9NG-FbdPaUtxA4o/s1600/MalwareWarningScreenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQOimXmKc8l6BhEhG4-ZNHsHPTo-kJQa3VsRLvgeyUFUjs9c2n4m-pmR5G5OBX7flGvzOZXe9XQhTLZwMf6NP39YNaox5QcyfMJFKpra0bQZW-ZA0EcGBNxWOmtHpo9NG-FbdPaUtxA4o/" width="500" /></a></div><br />This particular malware causes infected computers to send traffic to Google through a small number of intermediary servers called &#8220;proxies.&#8221; We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.<br /><br />We hope to use the knowledge we&#8217;ve gathered to assist as many people as possible. 
In case our notice doesn&#8217;t reach everyone directly, you can run a system scan on your computer yourself by following the steps in our <a href="//www.google.com/support/websearch/bin/answer.py?answer=1182191">Help Center article</a>.<br /><br /><b>Updated July 20, 2011:</b> We've seen a few common questions we thought we'd address here:<br /><ul><li>The malware appears to have gotten onto users' computers from one of roughly a hundred variants of fake antivirus, or "fake AV" software that has been in circulation for a while. We aren't aware of a common name for the malware.</li><li>We believe a couple million machines are affected by this malware.</li><li>We've heard from a number of you that you're thinking about the potential for an attacker to copy our notice and attempt to point users to a dangerous site instead. It's a good security practice to be cautious about the links you click, so the spirit of those comments is spot-on. We thought about this, too, which is why the notice appears only at the top of our search results page. Falsifying the message on this page would require prior compromise of that computer, so the notice is not a risk to additional users. </li><li>In the meantime, we've been able to successfully warn hundreds of thousands of users that their computer is infected. 
These are people who otherwise may never have known.</li></ul> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Using data to protect people from malware&url=https://security.googleblog.com/2011/07/using-data-to-protect-people-from.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/07/using-data-to-protect-people-from.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='36' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/07/using-data-to-protect-people-from.html' data-url='https://security.googleblog.com/2011/07/using-data-to-protect-people-from.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/07/using-data-to-protect-people-from.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='3707854928375167843' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' 
itemprop='name'> <a href='https://security.googleblog.com/2011/06/introducing-dom-snitch-our-passive-in.html' itemprop='url' title='Introducing DOM Snitch, our passive in-the-browser reconnaissance tool'> Introducing DOM Snitch, our passive in-the-browser reconnaissance tool </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> June 21, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <div style="text-align: left;">Posted by Radoslav Vasilev, Security Test Engineer</div><div><br /></div><div><i>(Cross-posted from the <a href="http://googletesting.blogspot.com/2011/06/introducing-dom-snitch-our-passive-in.html">Google Testing Blog</a>)</i></div><br />Every day modern web applications are becoming increasingly sophisticated, and as their complexity grows so does their attack surface. Previously we introduced open source tools such as <a href="https://code.google.com/p/skipfish/">Skipfish</a> and <a href="https://code.google.com/p/ratproxy/">Ratproxy</a> to assist developers in understanding and securing these applications.<br /><br />As existing tools focus mostly on testing server-side code, today we are happy to introduce <a href="https://code.google.com/p/domsnitch/">DOM Snitch</a> &#8212; an experimental* Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code. To do this, we have adopted <a href="http://code.google.com/p/domsnitch/wiki/DOMSnitchDoc#How_does_DOM_Snitch_work_under_the_hood?">several approaches</a> to intercepting JavaScript calls to key and potentially dangerous browser infrastructure such as <code>document.write</code> or <code>HTMLElement.innerHTML</code> (<a href="http://code.google.com/p/domsnitch/wiki/DOMSnitchDoc#What_can_DOM_Snitch_intercept?">among others</a>). 
Once a JavaScript call has been intercepted, DOM Snitch records the document URL and a complete stack trace that will help assess if the intercepted call can lead to cross-site scripting, mixed content, insecure modifications to the <a href="https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_DOM_access">same-origin policy for DOM access</a>, or other client-side issues.<br /><div><br /><img alt="" border="0" id="BLOGGER_PHOTO_ID_5620745308020057810" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_QQBgVs5lMAunytwIw6YeCntZBhp-hyrrYMOIn5lFMrBtESkigbZ7j1XYGTuACQAgfeclw5FEPoYa5L1WGLvgIxx4k8bSgAdYiwBjxHI5dzEBpufWChmrBr1r_BF-pcmk6W6apr1bWv4/s400/domsnitch.png" style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 211px;" /><br /></div><div>Here are the benefits of DOM Snitch:<br /><ul><li><b>Real-time:</b> Developers can observe DOM modifications as they happen inside the browser without the need to step through JavaScript code with a debugger or pause the execution of their application.</li><li><b>Easy to use:</b> With built-in <a href="https://code.google.com/p/domsnitch/wiki/QuickIntro#Current_capabilities">security heuristics</a> and nested views, both advanced and less experienced developers and testers can quickly spot areas of the application being tested that need more attention.</li><li><b>Easier collaboration:</b> Enables developers to easily export and share captured DOM modifications while troubleshooting an issue with their peers.</li></ul>DOM Snitch is intended for use by developers, testers, and security researchers alike. <a href="https://code.google.com/p/domsnitch/downloads/list">Click here</a> to download DOM Snitch. To read the documentation, please visit <a href="https://code.google.com/p/domsnitch/wiki/DOMSnitchDoc">this page</a>.<br /><br /><br />*Developers and testers should be aware that DOM Snitch is currently experimental. 
We do not guarantee that it will work flawlessly for all web applications. More details can be found on the <a href="https://code.google.com/p/domsnitch/wiki/KnownIssues">known issues page</a> or in the project&#8217;s <a href="https://code.google.com/p/domsnitch/issues/list">issues tracker</a>.</div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <div style="text-align: left;">Posted by Radoslav Vasilev, Security Test Engineer</div><div><br /></div><div><i>(Cross-posted from the <a href="http://googletesting.blogspot.com/2011/06/introducing-dom-snitch-our-passive-in.html">Google Testing Blog</a>)</i></div><br />Every day modern web applications are becoming increasingly sophisticated, and as their complexity grows so does their attack surface. Previously we introduced open source tools such as <a href="https://code.google.com/p/skipfish/">Skipfish</a> and <a href="https://code.google.com/p/ratproxy/">Ratproxy</a> to assist developers in understanding and securing these applications.<br /><br />As existing tools focus mostly on testing server-side code, today we are happy to introduce <a href="https://code.google.com/p/domsnitch/">DOM Snitch</a> &#8212; an experimental* Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code. To do this, we have adopted <a href="http://code.google.com/p/domsnitch/wiki/DOMSnitchDoc#How_does_DOM_Snitch_work_under_the_hood?">several approaches</a> to intercepting JavaScript calls to key and potentially dangerous browser infrastructure such as <code>document.write</code> or <code>HTMLElement.innerHTML</code> (<a href="http://code.google.com/p/domsnitch/wiki/DOMSnitchDoc#What_can_DOM_Snitch_intercept?">among others</a>). 
Once a JavaScript call has been intercepted, DOM Snitch records the document URL and a complete stack trace that will help assess if the intercepted call can lead to cross-site scripting, mixed content, insecure modifications to the <a href="https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_DOM_access">same-origin policy for DOM access</a>, or other client-side issues.<br /><div><br /><img alt="" border="0" id="BLOGGER_PHOTO_ID_5620745308020057810" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_QQBgVs5lMAunytwIw6YeCntZBhp-hyrrYMOIn5lFMrBtESkigbZ7j1XYGTuACQAgfeclw5FEPoYa5L1WGLvgIxx4k8bSgAdYiwBjxHI5dzEBpufWChmrBr1r_BF-pcmk6W6apr1bWv4/s400/domsnitch.png" style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 211px;" /><br /></div><div>Here are the benefits of DOM Snitch:<br /><ul><li><b>Real-time:</b> Developers can observe DOM modifications as they happen inside the browser without the need to step through JavaScript code with a debugger or pause the execution of their application.</li><li><b>Easy to use:</b> With built-in <a href="https://code.google.com/p/domsnitch/wiki/QuickIntro#Current_capabilities">security heuristics</a> and nested views, both advanced and less experienced developers and testers can quickly spot areas of the application being tested that need more attention.</li><li><b>Easier collaboration:</b> Enables developers to easily export and share captured DOM modifications while troubleshooting an issue with their peers.</li></ul>DOM Snitch is intended for use by developers, testers, and security researchers alike. <a href="https://code.google.com/p/domsnitch/downloads/list">Click here</a> to download DOM Snitch. To read the documentation, please visit <a href="https://code.google.com/p/domsnitch/wiki/DOMSnitchDoc">this page</a>.<br /><br /><br />*Developers and testers should be aware that DOM Snitch is currently experimental. 
We do not guarantee that it will work flawlessly for all web applications. More details on known issues can be found <a href="https://code.google.com/p/domsnitch/wiki/KnownIssues">here</a> or in the project&#8217;s <a href="https://code.google.com/p/domsnitch/issues/list">issues tracker</a>.</div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Introducing DOM Snitch, our passive in-the-browser reconnaissance tool&url=https://security.googleblog.com/2011/06/introducing-dom-snitch-our-passive-in.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/06/introducing-dom-snitch-our-passive-in.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='1' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/06/introducing-dom-snitch-our-passive-in.html' data-url='https://security.googleblog.com/2011/06/introducing-dom-snitch-our-passive-in.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/06/introducing-dom-snitch-our-passive-in.html' 
data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='1314099224771804657' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/06/protecting-users-from-malware-hosted-on.html' itemprop='url' title='Protecting users from malware hosted on bulk subdomain services'> Protecting users from malware hosted on bulk subdomain services </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> June 17, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Oliver Fisher, Google Anti-Malware Team</span><br /><br />Over the past few months, Google&#8217;s systems have detected a number of bulk subdomain providers becoming targets of abuse by malware distributors. Bulk subdomain providers register a domain name, like example.com, and then sell subdomains of this domain name, like subdomain.example.com. Subdomains are often registered by the thousands at one time and are used to distribute malware and fake anti-virus products on the web. In some cases our malware scanners have found more than 50,000 malware domains from a single bulk provider.<br /><br />Google&#8217;s automated malware scanning systems detect sites that distribute malware. To help protect users we recently modified those systems to identify bulk subdomain services which are being abused. 
In some severe cases our systems may now flag the whole bulk domain.<br /><br />We offer many services to webmasters to help them fight abuse, such as:<br /><ul><li><a href="//www.google.com/webmasters/tools/">Webmaster Tools</a> lets webmasters find examples of URLs under their domains that may be distributing malware.</li><li><a href="http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html">Google Safe Browsing Alerts for Network Administrators</a> allows owners of Autonomous Systems to get notifications for hosts that are involved in malware delivery. </li></ul>If you are the owner of a website that is hosted in a bulk subdomain service, please consider contacting your bulk subdomain provider if Google SafeBrowsing shows a warning for your site. The top-level bulk subdomain may be a target of abuse. Bulk subdomain service providers may use Google&#8217;s tools to help identify and disable abusive subdomains and accounts. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Oliver Fisher, Google Anti-Malware Team</span><br /><br />Over the past few months, Google&#8217;s systems have detected a number of bulk subdomain providers becoming targets of abuse by malware distributors. Bulk subdomain providers register a domain name, like example.com, and then sell subdomains of this domain name, like subdomain.example.com. Subdomains are often registered by the thousands at one time and are used to distribute malware and fake anti-virus products on the web. In some cases our malware scanners have found more than 50,000 malware domains from a single bulk provider.<br /><br />Google&#8217;s automated malware scanning systems detect sites that distribute malware. 
To help protect users we recently modified those systems to identify bulk subdomain services which are being abused. In some severe cases our systems may now flag the whole bulk domain.<br /><br />We offer many services to webmasters to help them fight abuse, such as:<br /><ul><li><a href="//www.google.com/webmasters/tools/">Webmaster Tools</a> lets webmasters find examples of URLs under their domains that may be distributing malware.</li><li><a href="http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html">Google Safe Browsing Alerts for Network Administrators</a> allows owners of Autonomous Systems to get notifications for hosts that are involved in malware delivery. </li></ul>If you are the owner of a website that is hosted in a bulk subdomain service, please consider contacting your bulk subdomain provider if Google SafeBrowsing shows a warning for your site. The top-level bulk subdomain may be a target of abuse. Bulk subdomain service providers may use Google&#8217;s tools to help identify and disable abusive subdomains and accounts. 
<span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Protecting users from malware hosted on bulk subdomain services&url=https://security.googleblog.com/2011/06/protecting-users-from-malware-hosted-on.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/06/protecting-users-from-malware-hosted-on.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='21' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/06/protecting-users-from-malware-hosted-on.html' data-url='https://security.googleblog.com/2011/06/protecting-users-from-malware-hosted-on.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/06/protecting-users-from-malware-hosted-on.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='196134317956426840' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' 
itemprop='name'> <a href='https://security.googleblog.com/2011/06/trying-to-end-mixed-scripting.html' itemprop='url' title='Trying to end mixed scripting vulnerabilities'> Trying to end mixed scripting vulnerabilities </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> June 16, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Chris Evans and Tom Sepez, Google Chrome Security Team</span><br /><br />A &#8220;mixed scripting&#8221; vulnerability is caused when a page served over HTTPS loads a script, CSS, or plug-in resource over HTTP. A man-in-the-middle attacker (such as someone on the same wireless network) can typically intercept the HTTP resource load and substitute their own content, which then runs in the HTTPS page&#8217;s origin with the same access to the page, its cookies and the user&#8217;s session as the site&#8217;s own code. It&#8217;s often as bad as if the web page hadn&#8217;t used HTTPS at all.<br /><br />A less severe but similar problem -- let&#8217;s call it a &#8220;mixed display&#8221; vulnerability -- is caused when a page served over HTTPS loads an image, iframe, or font over HTTP. A man-in-the-middle attacker can again intercept the HTTP resource load but normally can only affect the appearance of the page.<br /><br />Browsers have long used different indicators, modal dialogs, block options or even click-throughs to indicate these conditions to users. 
If a page on your website has a mixed scripting issue, Chromium will currently indicate it like this in the URL bar:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpa3qgpRfIqJOEwuAE4Af12d60WEUM5DkmyEh22kPT0KrwKWo0vxgWCb-smvSVPMgjNosTnb3aIUu4qUymlZm3AIPIgZ6lug7EBvnkCKRoXP9tEa_p35SWkG2SNSIdVP7Q1E7eoqi2c5g/s1600/https1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpa3qgpRfIqJOEwuAE4Af12d60WEUM5DkmyEh22kPT0KrwKWo0vxgWCb-smvSVPMgjNosTnb3aIUu4qUymlZm3AIPIgZ6lug7EBvnkCKRoXP9tEa_p35SWkG2SNSIdVP7Q1E7eoqi2c5g/s400/https1.png" style="cursor: move;" width="243" /></a><br /><br />And for a mixed display issue:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinBCK7aQEThicgzPcC_Ov06du6_yW5RYc6UGWpDKjBpco_knulT8gBQT48XtwzueLhT03oYADGi2LMCwoSbGvejomFVduQYZwQU65GiAF7qeksRhAd00wHgLb47Xp1QER1wFvxRzxUPKs/s1600/https2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinBCK7aQEThicgzPcC_Ov06du6_yW5RYc6UGWpDKjBpco_knulT8gBQT48XtwzueLhT03oYADGi2LMCwoSbGvejomFVduQYZwQU65GiAF7qeksRhAd00wHgLb47Xp1QER1wFvxRzxUPKs/s400/https2.png" width="243" /></a><br /><br />If any of the HTTPS pages on your website show the cross-out red https, there are good reasons to investigate promptly:<br /><ul><li>Your website won&#8217;t work as well in other modern browsers (such as IE9 or FF4) due to click-throughs and ugly modal dialogs.</li><li>You may have a security vulnerability that could compromise the entire HTTPS connection.</li></ul>As of the first Chromium 14 canary release (14.0.785.0), we are trialing blocking mixed scripting conditions by default. 
We&#8217;ll be carefully listening to feedback; please leave it on <a href="https://code.google.com/p/chromium/issues/detail?id=81637">this Chromium bug</a>.<br /><br />We also added an infobar that shows when a script is being blocked:<br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEEuml86Jk85gJ-7Ue2AAcy5BhVrKATmuyEJhTyiduDQdxwPtvyWXuHibM2sj-7-h50uEEB63nfzCv0KyhNAdy-ySjkNcuTkNAbkZTn_TfnpBFPfJGLEaNPOo_-XQOtwqUvFr8mNgdagY/s1600/blocked+%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEEuml86Jk85gJ-7Ue2AAcy5BhVrKATmuyEJhTyiduDQdxwPtvyWXuHibM2sj-7-h50uEEB63nfzCv0KyhNAdy-ySjkNcuTkNAbkZTn_TfnpBFPfJGLEaNPOo_-XQOtwqUvFr8mNgdagY/" width="500" /></a></div><br />As a user, you can choose to reload the website without the block applied. Ideally, in the longer term, the infobar will not have the option for the user to bypass it. Our experience shows that some subset of users will attempt to &#8220;click through&#8221; even the scariest of warnings -- despite the hazards that can follow.<br /><br /><b>Tools that can help website owners</b><br />If Chromium&#8217;s UI shows any mixed content issues on your site, you can try to use a couple of our developer tools to locate the problem. 
A useful message is typically logged to the JavaScript console (Menu -&gt; Tools -&gt; JavaScript Console):<br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgq38InEiYuE0CqfJOIERX_kbRwbn-Ibt9Yw4_aRtSCUsekDgALD4UPgSeb7-YM9Yr1vjgBt71Zuqlq3rQdv5BIy7KwTYlkdoh97txM2DqFXZdC-Nv30L-o1g30ugYo1-jKYQJltcck330/s1600/mixedscriptconsole.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgq38InEiYuE0CqfJOIERX_kbRwbn-Ibt9Yw4_aRtSCUsekDgALD4UPgSeb7-YM9Yr1vjgBt71Zuqlq3rQdv5BIy7KwTYlkdoh97txM2DqFXZdC-Nv30L-o1g30ugYo1-jKYQJltcck330/" width="500" /></a></div><br />You can also reload the page with the &#8220;Network&#8221; tab active and look for requests that were issued over the http:// protocol. It&#8217;s worth noting that the entire origin is poisoned when mixed scripting occurs in it, so you&#8217;ll want to look at the console for all tabs that reference the indicated origin. To clear the error, all tabs that reference the poisoned origin need to be closed. For particularly tough cases where it&#8217;s not clear how the origin became poisoned, you can also <a href="http://www.chromium.org/for-testers/enable-logging">enable debugging to the command-line console</a> to see the relevant warning message.<br /><br />The latest Chromium 13 dev channel build (13.0.782.10) has a command line flag: <b>--no-running-insecure-content</b>. We recommend that website owners and advanced users run with this flag, so we can all help mop up errant sites. 
(We also have the flag <b>--no-displaying-insecure-content</b> for the less serious class of mixed content issues; there are no plans to block this by default in Chromium 14).<br /><br />The Chromium 14 release will come with an inverse flag, <b>--allow-running-insecure-content</b>, as a convenience for users and admins who have internal applications without immediate fixes for these errors. Because it is a browser-wide switch that re-enables the vulnerable behavior for every site, not just the internal ones, treat it as a temporary stopgap while those applications are fixed rather than a permanent setting.<br /><br />Thanks for helping us push website security forward as a community. Until this class of bug is stamped out, Chromium has your back. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Chris Evans and Tom Sepez, Google Chrome Security Team</span><br /><br />A &#8220;mixed scripting&#8221; vulnerability is caused when a page served over HTTPS loads a script, CSS, or plug-in resource over HTTP. A man-in-the-middle attacker (such as someone on the same wireless network) can typically intercept the HTTP resource load and substitute their own content, which then runs in the HTTPS page&#8217;s origin with the same access to the page, its cookies and the user&#8217;s session as the site&#8217;s own code. It&#8217;s often as bad as if the web page hadn&#8217;t used HTTPS at all.<br /><br />A less severe but similar problem -- let&#8217;s call it a &#8220;mixed display&#8221; vulnerability -- is caused when a page served over HTTPS loads an image, iframe, or font over HTTP. A man-in-the-middle attacker can again intercept the HTTP resource load but normally can only affect the appearance of the page.<br /><br />Browsers have long used different indicators, modal dialogs, block options or even click-throughs to indicate these conditions to users. 
If a page on your website has a mixed scripting issue, Chromium will currently indicate it like this in the URL bar:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpa3qgpRfIqJOEwuAE4Af12d60WEUM5DkmyEh22kPT0KrwKWo0vxgWCb-smvSVPMgjNosTnb3aIUu4qUymlZm3AIPIgZ6lug7EBvnkCKRoXP9tEa_p35SWkG2SNSIdVP7Q1E7eoqi2c5g/s1600/https1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpa3qgpRfIqJOEwuAE4Af12d60WEUM5DkmyEh22kPT0KrwKWo0vxgWCb-smvSVPMgjNosTnb3aIUu4qUymlZm3AIPIgZ6lug7EBvnkCKRoXP9tEa_p35SWkG2SNSIdVP7Q1E7eoqi2c5g/s400/https1.png" style="cursor: move;" width="243" /></a><br /><br />And for a mixed display issue:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinBCK7aQEThicgzPcC_Ov06du6_yW5RYc6UGWpDKjBpco_knulT8gBQT48XtwzueLhT03oYADGi2LMCwoSbGvejomFVduQYZwQU65GiAF7qeksRhAd00wHgLb47Xp1QER1wFvxRzxUPKs/s1600/https2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinBCK7aQEThicgzPcC_Ov06du6_yW5RYc6UGWpDKjBpco_knulT8gBQT48XtwzueLhT03oYADGi2LMCwoSbGvejomFVduQYZwQU65GiAF7qeksRhAd00wHgLb47Xp1QER1wFvxRzxUPKs/s400/https2.png" width="243" /></a><br /><br />If any of the HTTPS pages on your website show the cross-out red https, there are good reasons to investigate promptly:<br /><ul><li>Your website won&#8217;t work as well in other modern browsers (such as IE9 or FF4) due to click-throughs and ugly modal dialogs.</li><li>You may have a security vulnerability that could compromise the entire HTTPS connection.</li></ul>As of the first Chromium 14 canary release (14.0.785.0), we are trialing blocking mixed scripting conditions by default. 
We&#8217;ll be carefully listening to feedback; please leave it on <a href="https://code.google.com/p/chromium/issues/detail?id=81637">this Chromium bug</a>.<br /><br />We also added an infobar that shows when a script is being blocked:<br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEEuml86Jk85gJ-7Ue2AAcy5BhVrKATmuyEJhTyiduDQdxwPtvyWXuHibM2sj-7-h50uEEB63nfzCv0KyhNAdy-ySjkNcuTkNAbkZTn_TfnpBFPfJGLEaNPOo_-XQOtwqUvFr8mNgdagY/s1600/blocked+%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEEuml86Jk85gJ-7Ue2AAcy5BhVrKATmuyEJhTyiduDQdxwPtvyWXuHibM2sj-7-h50uEEB63nfzCv0KyhNAdy-ySjkNcuTkNAbkZTn_TfnpBFPfJGLEaNPOo_-XQOtwqUvFr8mNgdagY/" width="500" /></a></div><br />As a user, you can choose to reload the website without the block applied. Ideally, in the longer term, the infobar will not have the option for the user to bypass it. Our experience shows that some subset of users will attempt to &#8220;click through&#8221; even the scariest of warnings -- despite the hazards that can follow.<br /><br /><b>Tools that can help website owners</b><br />If Chromium&#8217;s UI shows any mixed content issues on your site, you can try to use a couple of our developer tools to locate the problem. 
A useful message is typically logged to the JavaScript console (Menu -&gt; Tools -&gt; JavaScript Console):<br /><br /><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgq38InEiYuE0CqfJOIERX_kbRwbn-Ibt9Yw4_aRtSCUsekDgALD4UPgSeb7-YM9Yr1vjgBt71Zuqlq3rQdv5BIy7KwTYlkdoh97txM2DqFXZdC-Nv30L-o1g30ugYo1-jKYQJltcck330/s1600/mixedscriptconsole.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgq38InEiYuE0CqfJOIERX_kbRwbn-Ibt9Yw4_aRtSCUsekDgALD4UPgSeb7-YM9Yr1vjgBt71Zuqlq3rQdv5BIy7KwTYlkdoh97txM2DqFXZdC-Nv30L-o1g30ugYo1-jKYQJltcck330/" width="500" /></a></div><br />You can also reload the page with the &#8220;Network&#8221; tab active and look for requests that were issued over the http:// protocol. It&#8217;s worth noting that the entire origin is poisoned when mixed scripting occurs in it, so you&#8217;ll want to look at the console for all tabs that reference the indicated origin. To clear the error, all tabs that reference the poisoned origin need to be closed. For particularly tough cases where it&#8217;s not clear how the origin became poisoned, you can also <a href="http://www.chromium.org/for-testers/enable-logging">enable debugging to the command-line console</a> to see the relevant warning message.<br /><br />The latest Chromium 13 dev channel build (13.0.782.10) has a command line flag: <b>--no-running-insecure-content</b>. We recommend that website owners and advanced users run with this flag, so we can all help mop up errant sites. 
(We also have the flag <b>--no-displaying-insecure-content</b> for the less serious class of mixed content issues; there are no plans to block this by default in Chromium 14).<br /><br />The Chromium 14 release will come with an inverse flag: --allow-running-insecure-content, as a convenience for users and admins who have internal applications without immediate fixes for these errors.<br /><br />Thanks for helping us push website security forward as a community. Until this class of bug is stamped out, Chromium has your back. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Trying to end mixed scripting vulnerabilities&url=https://security.googleblog.com/2011/06/trying-to-end-mixed-scripting.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/06/trying-to-end-mixed-scripting.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='15' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/06/trying-to-end-mixed-scripting.html' data-url='https://security.googleblog.com/2011/06/trying-to-end-mixed-scripting.html' style='color: #4184F3;'></span> </div> <div 
class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/06/trying-to-end-mixed-scripting.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='6362648509819552812' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/05/safe-browsing-protocol-v2-transition.html' itemprop='url' title='Safe Browsing Protocol v2 Transition'> Safe Browsing Protocol v2 Transition </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> May 26, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Ian Fette, Google Security Team</span><br /><br />Last year, we released <a href="http://code.google.com/apis/safebrowsing/developers_guide_v2.html">version 2</a> of the Safe Browsing API, along with a <a href="http://code.google.com/p/google-safe-browsing/downloads/list">reference implementation</a> in Python. This version provides more efficient updates compared to version 1, giving clients the most useful (freshest) data first. The new version uses significantly less bandwidth, and also allows us to serve data that covers more URLs than previously possible. Browsers including Chrome and Firefox have already migrated to version 2, and we are confident that the new version works well and delivers significant benefits compared to the previous version.<br /><br />We are now planning to discontinue version 1 of the protocol to help us better focus our efforts and resources. On December 1, 2011, we will stop supporting version 1 and will take the service down shortly thereafter. 
If you are currently using version 1 of the protocol, we encourage you to migrate as soon as possible to the new version. In addition to the <a href="http://code.google.com/apis/safebrowsing/developers_guide_v2.html">documentation</a> and <a href="http://code.google.com/p/google-safe-browsing/downloads/list">reference implementation</a>, there&#8217;s a <a href="http://groups.google.com/group/google-safe-browsing-api">Google Group</a> dedicated to the API where you may be able to get additional advice or ask questions as you prepare to transition. Those of you who have already migrated to version 2 will not be affected and do not need to take any further action.<br /><br />If you are looking to migrate from the version 1 API and are worried about the complexity of the version 2 API, we now have a <a href="http://code.google.com/apis/safebrowsing/lookup_guide.html">lookup service</a> that you can use in lieu of version 2 of the Safe Browsing Protocol if your usage is relatively low. The lookup service is a RESTful service that lets you send a URL or set of URLs to Google and receive a reply indicating the state of those URLs. You can use this API if you check fewer than 100,000 URLs per day and don&#8217;t mind waiting on a network roundtrip. This process may be simpler to use than version 2 of the Safe Browsing Protocol, but it is not supported for users who will generate excessive load (meaning that your software, either your servers or deployed clients, will collectively generate over 100,000 requests to Google in a 24-hour period).<br /><br />If you are currently using version 1 of the Safe Browsing Protocol, please update to either the Safe Browsing Protocol version 2, or the lookup service, before December 1, 2011. If you have any questions, feel free to check out the Google Safe Browsing API <a href="http://groups.google.com/group/google-safe-browsing-api">discussion list</a>. 
<span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Ian Fette, Google Security Team</span><br /><br />Last year, we released <a href="http://code.google.com/apis/safebrowsing/developers_guide_v2.html">version 2</a> of the Safe Browsing API, along with a <a href="http://code.google.com/p/google-safe-browsing/downloads/list">reference implementation</a> in Python. This version provides more efficient updates compared to version 1, giving clients the most useful (freshest) data first. The new version uses significantly less bandwidth, and also allows us to serve data that covers more URLs than previously possible. Browsers including Chrome and Firefox have already migrated to version 2, and we are confident that the new version works well and delivers significant benefits compared to the previous version.<br /><br />We are now planning to discontinue version 1 of the protocol to help us better focus our efforts and resources. On December 1, 2011, we will stop supporting version 1 and will take the service down shortly thereafter. If you are currently using version 1 of the protocol, we encourage you to migrate as soon as possible to the new version. In addition to the <a href="http://code.google.com/apis/safebrowsing/developers_guide_v2.html">documentation</a> and <a href="http://code.google.com/p/google-safe-browsing/downloads/list">reference implementation</a>, there&#8217;s a <a href="http://groups.google.com/group/google-safe-browsing-api">Google Group</a> dedicated to the API where you may be able to get additional advice or ask questions as you prepare to transition. 
Those of you who have already migrated to version 2 will not be affected and do not need to take any further action.<br /><br />If you are looking to migrate from the version 1 API and are worried about the complexity of the version 2 API, we now have a <a href="http://code.google.com/apis/safebrowsing/lookup_guide.html">lookup service</a> that you can use in lieu of version 2 of the Safe Browsing Protocol if your usage is relatively low. The lookup service is a RESTful service that lets you send a URL or set of URLs to Google and receive a reply indicating the state of those URLs. You can use this API if you check fewer than 100,000 URLs per day and don&#8217;t mind waiting on a network roundtrip. This process may be simpler to use than version 2 of the Safe Browsing Protocol, but it is not supported for users who will generate excessive load (meaning that your software, either your servers or deployed clients, will collectively generate over 100,000 requests to Google in a 24-hour period).<br /><br />If you are currently using version 1 of the Safe Browsing Protocol, please update to either the Safe Browsing Protocol version 2, or the lookup service, before December 1, 2011. If you have any questions, feel free to check out the Google Safe Browsing API <a href="http://groups.google.com/group/google-safe-browsing-api">discussion list</a>. 
<span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Safe Browsing Protocol v2 Transition&url=https://security.googleblog.com/2011/05/safe-browsing-protocol-v2-transition.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/05/safe-browsing-protocol-v2-transition.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/05/safe-browsing-protocol-v2-transition.html' data-url='https://security.googleblog.com/2011/05/safe-browsing-protocol-v2-transition.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/05/safe-browsing-protocol-v2-transition.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='9008002394805788310' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a 
href='https://security.googleblog.com/2011/05/website-security-for-webmasters.html' itemprop='url' title='Website Security for Webmasters'> Website Security for Webmasters </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> May 5, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Gary Illyes, Webmaster Trends Analyst</span><br /><br /><div><i>(Cross-posted from the <a href="http://googlewebmastercentral.blogspot.com/2011/05/website-security-for-webmasters.html">Webmaster Central Blog</a>)</i></div><div><br />Users are taught to protect themselves from malicious programs by installing sophisticated antivirus software, but they often also entrust their private information to various websites. As a result, webmasters have a dual task to protect both their website itself and the user data that they receive.<br /><br />Over the years companies and webmasters have learned&#8212;often the hard way&#8212;that web application security is not a joke; we&#8217;ve seen user passwords leaked due to <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL injection</a> attacks, cookies stolen with <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">XSS</a>, and websites taken over by hackers due to negligent input validation.<br /><br /><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603170363751903522" src="//4.bp.blogspot.com/-edYHtaKmejg/TcJ1wkttsSI/AAAAAAAAABI/pcTuQ092SRU/s320/image05.png" style="cursor: hand; cursor: pointer; float: left; height: 40px; margin: 0 10px 10px 0; width: 40px;">Today we&#8217;ll show you some examples of how a web application can be exploited so you can learn from them; for this we&#8217;ll use <a href="http://google-gruyere.appspot.com/">Gruyere</a>, an intentionally vulnerable application we use for security training internally, and that we introduced here <a 
href="http://googleonlinesecurity.blogspot.com/2010/05/do-know-evil-web-application.html">last year</a>. <span style="font-weight: bold;">Do not probe others&#8217; websites for vulnerabilities without permission</span> as it may be perceived as hacking; but you&#8217;re welcome&#8212;nay, encouraged&#8212;to run tests on Gruyere.<br /><br /><div><br /><span style="font-weight: bold;">Client state manipulation - What will happen if I alter the URL?</span><br /><br />Let&#8217;s say you have an image hosting site and you&#8217;re using a PHP script to display the images users have uploaded:<br /><br /><span style="font-style: italic;">http://www.example.com/showimage.php?imgloc=/garyillyes/kitten.jpg</span><br /><br />So what will the application do if I alter the URL to something like this and userpasswords.txt is an actual file?<br /><br /><span style="font-style: italic;">http://www.example.com/showimage.php?imgloc=/../../userpasswords.txt</span><br /><br />Will I get the content of userpasswords.txt?<br /><br />Another example of client state manipulation is when form fields are not validated. For instance, let&#8217;s say you have this form:<br /><br /><a href="//4.bp.blogspot.com/-CUl2wmaPSfU/TcJ26natwlI/AAAAAAAAABY/FJLhqkOijIE/s1600/image01.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603171635787842130" src="//4.bp.blogspot.com/-CUl2wmaPSfU/TcJ26natwlI/AAAAAAAAABY/FJLhqkOijIE/s400/image01.png" style="cursor: hand; cursor: pointer; display: block; height: 224px; margin: 0px auto 10px; text-align: center; width: 400px;"></a><br /><br />It seems that the username of the submitter is stored in a hidden input field. Well, that&#8217;s great! Does that mean that if I change the value of that field to another username, I can submit the form as that user? 
It may very well happen; the user input is apparently not authenticated with, for example, a token which can be verified on the server.<br />Imagine the situation if that form were part of your shopping cart and I modified the price of a $1000 item to $1, and then placed the order.<br /><br />Protecting your application against this kind of attack is not easy; take a look at the third part of <a href="http://google-gruyere.appspot.com/part3">Gruyere</a> to learn a few tips about how to defend your app.<br /><br /><span style="font-weight: bold;">Cross-site scripting (XSS) - User input can&#8217;t be trusted</span><br /><br /><a href="//1.bp.blogspot.com/-zl9GLNOZTSU/TcJ3RWU3pHI/AAAAAAAAABg/QWpA-wnwCkE/s1600/image04.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603172026336912498" src="//1.bp.blogspot.com/-zl9GLNOZTSU/TcJ3RWU3pHI/AAAAAAAAABg/QWpA-wnwCkE/s400/image04.png" style="cursor: hand; cursor: pointer; display: block; height: 250px; margin: 0px auto 10px; text-align: center; width: 350px;"></a><br /><br />A simple, harmless URL:<br /><span style="font-style: italic;">http://google-gruyere.appspot.com/611788451095/%3Cscript%3Ealert('0wn3d')%3C/script%3E</span><br />But is it truly harmless? If I decode the <a href="http://en.wikipedia.org/wiki/Percent_encoding">percent-encoded</a> characters, I get:<br /><pre style="text-align: center;">&lt;script&gt;alert('0wn3d')&lt;/script&gt;</pre><br />Gruyere, just like many sites with <a href="//www.google.com/support/webmasters/bin/answer.py?answer=93641">custom error pages</a>, is designed to include the path component in the HTML page. This can introduce security bugs, like XSS, as it introduces user input directly into the rendered HTML page of the web application. 
You might say, &#8220;It&#8217;s just an alert box, so what?&#8221; The thing is, if I can inject an alert box, I can most likely inject something else, too, and maybe steal your cookies which I could use to sign in to your site as you.<br /><br />Another example is when the stored user input isn&#8217;t sanitized. Let&#8217;s say I write a comment on your blog; the comment is simple:<br /><pre style="text-align: center;">&lt;a href=&#8221;javascript:alert(&#8216;0wn3d&#8217;)&#8221;&gt;Click here to see a kitten&lt;/a&gt;</pre><br />If other users click on my innocent link, I have their cookies:<br /><br /><a href="//3.bp.blogspot.com/-G5gvanGzYso/TcJ4Y21jlrI/AAAAAAAAABo/dBxxlOCeNCU/s1600/image00.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603173254834656946" src="//3.bp.blogspot.com/-G5gvanGzYso/TcJ4Y21jlrI/AAAAAAAAABo/dBxxlOCeNCU/s400/image00.png" style="cursor: hand; cursor: pointer; display: block; height: 210px; margin: 0px auto 10px; text-align: center; width: 300px;"></a><br /><br />You can learn how to find XSS vulnerabilities in your own web app and how to fix them in the second part of <a href="http://google-gruyere.appspot.com/part2">Gruyere</a>; or, if you&#8217;re an advanced developer, take a look at the automatic escaping features in template systems we blogged about previously on <a href="http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html">this blog</a>.<br /><br /><span style="font-weight: bold;">Cross-site request forgery (XSRF) - Should I trust requests from evil.com?</span><br /><br /><a href="//3.bp.blogspot.com/-oGUWkyOcgVI/TcJ5Jlnc02I/AAAAAAAAAB4/W2LgndPdgLE/s1600/image03.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603174092025680738" src="//3.bp.blogspot.com/-oGUWkyOcgVI/TcJ5Jlnc02I/AAAAAAAAAB4/W2LgndPdgLE/s400/image03.png" style="cursor: hand; cursor: 
pointer; float: left; height: 80px; margin: 0 10px 10px 0; width: 250px;"></a> Oops, a broken picture. It can&#8217;t be dangerous--it&#8217;s broken, after all--which means that the URL of the image returns a 404 or it&#8217;s just malformed. Is that true in all of the cases?<br /><br />No, it&#8217;s not! You can specify any URL as an image source, regardless of its content type. It can be an HTML page, a JavaScript file, or some other potentially malicious resource. In this case the image source was a simple page&#8217;s URL:<br /><br /><a href="//4.bp.blogspot.com/-W5Kf2VzGYQ4/TcJ5YqZ5qJI/AAAAAAAAACA/a7ir-pIueG0/s1600/image02.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603174351009065106" src="//4.bp.blogspot.com/-W5Kf2VzGYQ4/TcJ5YqZ5qJI/AAAAAAAAACA/a7ir-pIueG0/s400/image02.png" style="cursor: hand; cursor: pointer; display: block; height: 50px; margin: 0px auto 10px; text-align: center; width: 400px;"></a><br /><br />That page will only work if I&#8217;m logged in and I have some cookies set. Since I was actually logged in to the application, when the browser tried to fetch the image by accessing the image source URL, it also deleted my first snippet. This doesn&#8217;t sound particularly dangerous, but if I&#8217;m a bit familiar with the app, I could also invoke a URL which deletes a user&#8217;s profile or lets admins grant permissions for other users.<br /><br />To protect your app against XSRF you should not allow state changing actions to be called via GET; the POST method was invented for this kind of state-changing request. This change alone may have mitigated the above attack, but usually it's not enough and you need to include an unpredictable value in all state changing requests to prevent XSRF. 
Please head to <a href="http://google-gruyere.appspot.com/part3">Gruyere</a> if you want to learn more about XSRF.<br /><br /><span style="font-weight: bold;">Cross-site script inclusion (XSSI) - All your script are belong to us</span><br /><br />Many sites today can dynamically update a page's content via asynchronous JavaScript requests that return JSON data. Sometimes, JSON can contain sensitive data, and if the correct precautions are not in place, it may be possible for an attacker to steal this sensitive information.<br /><br />Let&#8217;s imagine the following scenario: I have created a standard HTML page and send you the link; since you trust me, you visit the link I sent you. The page contains only a few lines:<br /><pre>&lt;script&gt;function _feed(s) {alert("Your private snippet is: " + s['private_snippet']);}&lt;/script&gt;&lt;script src="http://google-gruyere.appspot.com/611788451095/feed.gtl"&gt;&lt;/script&gt;</pre><br />Since you&#8217;re signed in to Gruyere and you have a private snippet, you&#8217;ll see an alert box on my page informing you about the contents of your snippet. As always, if I managed to fire up an alert box, I can do whatever else I want; in this case it was a simple snippet, but it could have been your biggest secret, too.<br /><br />It&#8217;s not too hard to defend your app against XSSI, but it still requires careful thinking. 
You can use tokens as explained in the XSRF section, set your script to answer only POST requests, or simply start the JSON response with &#8216;\n&#8217; to make sure the script is not executable.<br /><br /><span style="font-weight: bold;">SQL Injection - Still think user input is safe?</span><br /><br />What will happen if I try to sign in to your app with a username like<br /><pre style="text-align: center;">JohnDoe&#8217;; DROP TABLE members;--</pre><br />While this specific example won&#8217;t expose user data, it can cause great headaches because it has the potential to completely remove the SQL table where your app stores information about members.<br /><br />Generally, you can protect your app from SQL injection with proactive thinking and input validation. First, are you sure the SQL user needs to have permission to execute &#8220;DROP TABLE members&#8221;? Wouldn&#8217;t it be enough to grant only SELECT rights? By setting the SQL user&#8217;s permissions carefully, you can avoid painful experiences and a lot of trouble. You might also want to configure error reporting in such a way that the database and its tables&#8217; names aren&#8217;t exposed in the case of a failed query.<br />Second, as we learned in the XSS case, never trust user input: what looks like a login form to you, looks like a potential doorway to an attacker. Always sanitize and quotesafe the input that will be stored in a database, and whenever possible make use of statements generally referred to as prepared or parametrized statements available in most database programming interfaces.<br /><br />Knowing how web applications can be exploited is the first step in understanding how to defend them. 
In light of this, we encourage you to take the <a href="http://google-gruyere.appspot.com/">Gruyere course</a>, take other web security courses from the <a href="http://code.google.com/edu/security/index.html">Google Code University</a> and check out <a href="http://code.google.com/p/skipfish/wiki/SkipfishDoc">skipfish</a> if you're looking for an automated web application security testing tool. If you have more questions please post them in our <a href="//www.google.com/support/forum/p/Webmasters/browse?hl=en">Webmaster Help Forum</a>.</div></div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Gary Illyes, Webmaster Trends Analyst</span><br /><br /><div><i>(Cross-posted from the <a href="http://googlewebmastercentral.blogspot.com/2011/05/website-security-for-webmasters.html">Webmaster Central Blog</a>)</i></div><div><br />Users are taught to protect themselves from malicious programs by installing sophisticated antivirus software, but they often also entrust their private information to various websites. 
As a result, webmasters have a dual task to protect both their website itself and the user data that they receive.<br /><br />Over the years companies and webmasters have learned&#8212;often the hard way&#8212;that web application security is not a joke; we&#8217;ve seen user passwords leaked due to <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL injection</a> attacks, cookies stolen with <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">XSS</a>, and websites taken over by hackers due to negligent input validation.<br /><br /><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603170363751903522" src="//4.bp.blogspot.com/-edYHtaKmejg/TcJ1wkttsSI/AAAAAAAAABI/pcTuQ092SRU/s320/image05.png" style="cursor: hand; cursor: pointer; float: left; height: 40px; margin: 0 10px 10px 0; width: 40px;">Today we&#8217;ll show you some examples of how a web application can be exploited so you can learn from them; for this we&#8217;ll use <a href="http://google-gruyere.appspot.com/">Gruyere</a>, an intentionally vulnerable application we use for security training internally, and that we introduced here <a href="http://googleonlinesecurity.blogspot.com/2010/05/do-know-evil-web-application.html">last year</a>. 
<span style="font-weight: bold;">Do not probe others&#8217; websites for vulnerabilities without permission</span> as it may be perceived as hacking; but you&#8217;re welcome&#8212;nay, encouraged&#8212;to run tests on Gruyere.<br /><br /><div><br /><span style="font-weight: bold;">Client state manipulation - What will happen if I alter the URL?</span><br /><br />Let&#8217;s say you have an image hosting site and you&#8217;re using a PHP script to display the images users have uploaded:<br /><br /><span style="font-style: italic;">http://www.example.com/showimage.php?imgloc=/garyillyes/kitten.jpg</span><br /><br />So what will the application do if I alter the URL to something like this and userpasswords.txt is an actual file?<br /><br /><span style="font-style: italic;">http://www.example.com/showimage.php?imgloc=/../../userpasswords.txt</span><br /><br />Will I get the content of userpasswords.txt?<br /><br />Another example of client state manipulation is when form fields are not validated. For instance, let&#8217;s say you have this form:<br /><br /><a href="//4.bp.blogspot.com/-CUl2wmaPSfU/TcJ26natwlI/AAAAAAAAABY/FJLhqkOijIE/s1600/image01.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603171635787842130" src="//4.bp.blogspot.com/-CUl2wmaPSfU/TcJ26natwlI/AAAAAAAAABY/FJLhqkOijIE/s400/image01.png" style="cursor: hand; cursor: pointer; display: block; height: 224px; margin: 0px auto 10px; text-align: center; width: 400px;"></a><br /><br />It seems that the username of the submitter is stored in a hidden input field. Well, that&#8217;s great! Does that mean that if I change the value of that field to another username, I can submit the form as that user? 
It may very well happen; the user input is apparently not authenticated with, for example, a token which can be verified on the server.<br />Imagine the situation if that form were part of your shopping cart and I modified the price of a $1000 item to $1, and then placed the order.<br /><br />Protecting your application against this kind of attack is not easy; take a look at the third part of <a href="http://google-gruyere.appspot.com/part3">Gruyere</a> to learn a few tips about how to defend your app.<br /><br /><span style="font-weight: bold;">Cross-site scripting (XSS) - User input can&#8217;t be trusted</span><br /><br /><a href="//1.bp.blogspot.com/-zl9GLNOZTSU/TcJ3RWU3pHI/AAAAAAAAABg/QWpA-wnwCkE/s1600/image04.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603172026336912498" src="//1.bp.blogspot.com/-zl9GLNOZTSU/TcJ3RWU3pHI/AAAAAAAAABg/QWpA-wnwCkE/s400/image04.png" style="cursor: hand; cursor: pointer; display: block; height: 250px; margin: 0px auto 10px; text-align: center; width: 350px;"></a><br /><br />A simple, harmless URL:<br /><span style="font-style: italic;">http://google-gruyere.appspot.com/611788451095/%3Cscript%3Ealert('0wn3d')%3C/script%3E</span><br />But is it truly harmless? If I decode the <a href="http://en.wikipedia.org/wiki/Percent_encoding">percent-encoded</a> characters, I get:<br /><pre style="text-align: center;">&lt;script&gt;alert('0wn3d')&lt;/script&gt;</pre><br />Gruyere, just like many sites with <a href="//www.google.com/support/webmasters/bin/answer.py?answer=93641">custom error pages</a>, is designed to include the path component in the HTML page. This can introduce security bugs, like XSS, as it introduces user input directly into the rendered HTML page of the web application. 
You might say, &#8220;It&#8217;s just an alert box, so what?&#8221; The thing is, if I can inject an alert box, I can most likely inject something else, too, and maybe steal your cookies which I could use to sign in to your site as you.<br /><br />Another example is when the stored user input isn&#8217;t sanitized. Let&#8217;s say I write a comment on your blog; the comment is simple:<br /><pre style="text-align: center;">&lt;a href=&#8221;javascript:alert(&#8216;0wn3d&#8217;)&#8221;&gt;Click here to see a kitten&lt;/a&gt;</pre><br />If other users click on my innocent link, I have their cookies:<br /><br /><a href="//3.bp.blogspot.com/-G5gvanGzYso/TcJ4Y21jlrI/AAAAAAAAABo/dBxxlOCeNCU/s1600/image00.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603173254834656946" src="//3.bp.blogspot.com/-G5gvanGzYso/TcJ4Y21jlrI/AAAAAAAAABo/dBxxlOCeNCU/s400/image00.png" style="cursor: hand; cursor: pointer; display: block; height: 210px; margin: 0px auto 10px; text-align: center; width: 300px;"></a><br /><br />You can learn how to find XSS vulnerabilities in your own web app and how to fix them in the second part of <a href="http://google-gruyere.appspot.com/part2">Gruyere</a>; or, if you&#8217;re an advanced developer, take a look at the automatic escaping features in template systems we blogged about previously on <a href="http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html">this blog</a>.<br /><br /><span style="font-weight: bold;">Cross-site request forgery (XSRF) - Should I trust requests from evil.com?</span><br /><br /><a href="//3.bp.blogspot.com/-oGUWkyOcgVI/TcJ5Jlnc02I/AAAAAAAAAB4/W2LgndPdgLE/s1600/image03.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603174092025680738" src="//3.bp.blogspot.com/-oGUWkyOcgVI/TcJ5Jlnc02I/AAAAAAAAAB4/W2LgndPdgLE/s400/image03.png" style="cursor: hand; cursor: 
pointer; float: left; height: 80px; margin: 0 10px 10px 0; width: 250px;"></a> Oops, a broken picture. It can&#8217;t be dangerous--it&#8217;s broken, after all--which means that the URL of the image returns a 404 or it&#8217;s just malformed. Is that true in all of the cases?<br /><br />No, it&#8217;s not! You can specify any URL as an image source, regardless of its content type. It can be an HTML page, a JavaScript file, or some other potentially malicious resource. In this case the image source was a simple page&#8217;s URL:<br /><br /><a href="//4.bp.blogspot.com/-W5Kf2VzGYQ4/TcJ5YqZ5qJI/AAAAAAAAACA/a7ir-pIueG0/s1600/image02.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5603174351009065106" src="//4.bp.blogspot.com/-W5Kf2VzGYQ4/TcJ5YqZ5qJI/AAAAAAAAACA/a7ir-pIueG0/s400/image02.png" style="cursor: hand; cursor: pointer; display: block; height: 50px; margin: 0px auto 10px; text-align: center; width: 400px;"></a><br /><br />That page will only work if I&#8217;m logged in and I have some cookies set. Since I was actually logged in to the application, when the browser tried to fetch the image by accessing the image source URL, it also deleted my first snippet. This doesn&#8217;t sound particularly dangerous, but if I&#8217;m a bit familiar with the app, I could also invoke a URL which deletes a user&#8217;s profile or lets admins grant permissions for other users.<br /><br />To protect your app against XSRF you should not allow state changing actions to be called via GET; the POST method was invented for this kind of state-changing request. This change alone may have mitigated the above attack, but usually it's not enough and you need to include an unpredictable value in all state changing requests to prevent XSRF. 
Please head to <a href="http://google-gruyere.appspot.com/part3">Gruyere</a> if you want to learn more about XSRF.<br /><br /><span style="font-weight: bold;">Cross-site script inclusion (XSSI) - All your script are belong to us</span><br /><br />Many sites today can dynamically update a page's content via asynchronous JavaScript requests that return JSON data. Sometimes, JSON can contain sensitive data, and if the correct precautions are not in place, it may be possible for an attacker to steal this sensitive information.<br /><br />Let&#8217;s imagine the following scenario: I have created a standard HTML page and send you the link; since you trust me, you visit the link I sent you. The page contains only a few lines:<br /><pre>&lt;script&gt;function _feed(s) {alert("Your private snippet is: " + s['private_snippet']);}&lt;/script&gt;&lt;script src="http://google-gruyere.appspot.com/611788451095/feed.gtl"&gt;&lt;/script&gt;</pre><br />Since you&#8217;re signed in to Gruyere and you have a private snippet, you&#8217;ll see an alert box on my page informing you about the contents of your snippet. As always, if I managed to fire up an alert box, I can do whatever else I want; in this case it was a simple snippet, but it could have been your biggest secret, too.<br /><br />It&#8217;s not too hard to defend your app against XSSI, but it still requires careful thinking. 
You can use tokens as explained in the XSRF section, set your script to answer only POST requests, or simply start the JSON response with &#8216;\n&#8217; to make sure the script is not executable.<br /><br /><span style="font-weight: bold;">SQL Injection - Still think user input is safe?</span><br /><br />What will happen if I try to sign in to your app with a username like<br /><pre style="text-align: center;">JohnDoe&#8217;; DROP TABLE members;--</pre><br />While this specific example won&#8217;t expose user data, it can cause great headaches because it has the potential to completely remove the SQL table where your app stores information about members.<br /><br />Generally, you can protect your app from SQL injection with proactive thinking and input validation. First, are you sure the SQL user needs to have permission to execute &#8220;DROP TABLE members&#8221;? Wouldn&#8217;t it be enough to grant only SELECT rights? By setting the SQL user&#8217;s permissions carefully, you can avoid painful experiences and a lot of trouble. You might also want to configure error reporting in such a way that the database and its tables&#8217; names aren&#8217;t exposed when a query fails.<br />Second, as we learned in the XSS case, never trust user input: what looks like a login form to you looks like a potential doorway to an attacker. Always sanitize and properly quote-escape the input that will be stored in a database, and whenever possible make use of statements generally referred to as prepared or parameterized statements, available in most database programming interfaces.<br /><br />Knowing how web applications can be exploited is the first step in understanding how to defend them. 
In light of this, we encourage you to take the <a href="http://google-gruyere.appspot.com/">Gruyere course</a>, take other web security courses from the <a href="http://code.google.com/edu/security/index.html">Google Code University</a> and check out <a href="http://code.google.com/p/skipfish/wiki/SkipfishDoc">skipfish</a> if you're looking for an automated web application security testing tool. If you have more questions please post them in our <a href="//www.google.com/support/forum/p/Webmasters/browse?hl=en">Webmaster Help Forum</a>.</div></div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Website Security for Webmasters&url=https://security.googleblog.com/2011/05/website-security-for-webmasters.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/05/website-security-for-webmasters.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='1' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/05/website-security-for-webmasters.html' data-url='https://security.googleblog.com/2011/05/website-security-for-webmasters.html' style='color: 
#4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/05/website-security-for-webmasters.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='8114550924546216008' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/04/protecting-users-from-malicious.html' itemprop='url' title='Protecting users from malicious downloads'> Protecting users from malicious downloads </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> April 5, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Moheeb Abu Rajab, Google Security Team</span> <br /> <br /> For the past five years Google has been offering protection to users against websites that attempt to distribute malware via drive-by downloads &#8212; that is, infections that harm users&#8217; computers when they simply visit a vulnerable site. The data produced by our systems and published via the <a href="http://code.google.com/apis/safebrowsing/">Safe Browsing API</a> is used by Google search and browsers such as Google Chrome, Firefox, and Safari to warn users who may attempt to visit these dangerous webpages. <br /> <br /> Safe Browsing has done a lot of good for the web, yet the Internet remains rife with deceptive and harmful content. It&#8217;s easy to find sites hosting free downloads that promise one thing but actually behave quite differently. These downloads may even perform actions without the user&#8217;s consent, such as displaying spam ads, performing click fraud, or stealing other users&#8217; passwords. 
Such sites usually don&#8217;t attempt to exploit vulnerabilities on the user&#8217;s computer system. Instead, they use social engineering to entice users to download and run the malicious content. <br /> <br /> Today we&#8217;re pleased to announce a new feature that aims to protect users against these kinds of downloads, starting with malicious Windows executables. The new feature will be integrated with Google Chrome and will display a warning if a user attempts to download a suspected malicious executable file:<br /> <br /> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4jxytcXqhHwVPg8vi3SCkcChbYm1OrbeNWxoPOJnJ0GxMLTvY5iS9fd35wn3-ymLmBdD6z7FOP1a1YHQ1QtpTT_cTGOoe52-52a17gY4Op4RSdUqDXsEp7LcZt_OWZB6OJr0d-YU_P0Q/s1600/warning.png" imageanchor="1" style=""><img border="0" height="53" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4jxytcXqhHwVPg8vi3SCkcChbYm1OrbeNWxoPOJnJ0GxMLTvY5iS9fd35wn3-ymLmBdD6z7FOP1a1YHQ1QtpTT_cTGOoe52-52a17gY4Op4RSdUqDXsEp7LcZt_OWZB6OJr0d-YU_P0Q/s400/warning.png" width="400" /></a></div><center><i>Download warning</i></center><br /> <br /> This warning will be displayed for any download URL that matches the latest list of malicious websites published by the <a href="http://code.google.com/apis/safebrowsing/">Safe Browsing API</a>. The new feature follows the same <a href="//www.google.com/chrome/intl/en/privacy.html">privacy policy</a> currently in use by the Safe Browsing feature. For example, this feature does not enable Google to determine the URLs you are visiting.<br /> <br /> We&#8217;re starting with a small-scale experimental phase for a subset of our users who subscribe to the Chrome development release channel, and we hope to make this feature available to all users in the next stable release of Google Chrome. 
We hope that the feature will improve our users&#8217; online experience and help make the Internet a safer place.<br /> <br /> For webmasters, you can continue to use the same interface provided by <a href="https://www.google.com/webmasters/tools/">Google Webmaster Tools</a> to learn about malware issues with your sites. These tools include binaries that have been identified by this new feature, and the same <a href="http://googleonlinesecurity.blogspot.com/2009/10/malware-warning-review-process.html">review process</a> will apply. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Moheeb Abu Rajab, Google Security Team</span> <br /> <br /> For the past five years Google has been offering protection to users against websites that attempt to distribute malware via drive-by downloads &#8212; that is, infections that harm users&#8217; computers when they simply visit a vulnerable site. The data produced by our systems and published via the <a href="http://code.google.com/apis/safebrowsing/">Safe Browsing API</a> is used by Google search and browsers such as Google Chrome, Firefox, and Safari to warn users who may attempt to visit these dangerous webpages. <br /> <br /> Safe Browsing has done a lot of good for the web, yet the Internet remains rife with deceptive and harmful content. It&#8217;s easy to find sites hosting free downloads that promise one thing but actually behave quite differently. These downloads may even perform actions without the user&#8217;s consent, such as displaying spam ads, performing click fraud, or stealing other users&#8217; passwords. Such sites usually don&#8217;t attempt to exploit vulnerabilities on the user&#8217;s computer system. Instead, they use social engineering to entice users to download and run the malicious content. 
<br /> <br /> Today we&#8217;re pleased to announce a new feature that aims to protect users against these kinds of downloads, starting with malicious Windows executables. The new feature will be integrated with Google Chrome and will display a warning if a user attempts to download a suspected malicious executable file:<br /> <br /> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4jxytcXqhHwVPg8vi3SCkcChbYm1OrbeNWxoPOJnJ0GxMLTvY5iS9fd35wn3-ymLmBdD6z7FOP1a1YHQ1QtpTT_cTGOoe52-52a17gY4Op4RSdUqDXsEp7LcZt_OWZB6OJr0d-YU_P0Q/s1600/warning.png" imageanchor="1" style=""><img border="0" height="53" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4jxytcXqhHwVPg8vi3SCkcChbYm1OrbeNWxoPOJnJ0GxMLTvY5iS9fd35wn3-ymLmBdD6z7FOP1a1YHQ1QtpTT_cTGOoe52-52a17gY4Op4RSdUqDXsEp7LcZt_OWZB6OJr0d-YU_P0Q/s400/warning.png" width="400" /></a></div><center><i>Download warning</i></center><br /> <br /> This warning will be displayed for any download URL that matches the latest list of malicious websites published by the <a href="http://code.google.com/apis/safebrowsing/">Safe Browsing API</a>. The new feature follows the same <a href="//www.google.com/chrome/intl/en/privacy.html">privacy policy</a> currently in use by the Safe Browsing feature. For example, this feature does not enable Google to determine the URLs you are visiting.<br /> <br /> We&#8217;re starting with a small-scale experimental phase for a subset of our users who subscribe to the Chrome development release channel, and we hope to make this feature available to all users in the next stable release of Google Chrome. 
We hope that the feature will improve our users&#8217; online experience and help make the Internet a safer place.<br /> <br /> For webmasters, you can continue to use the same interface provided by <a href="https://www.google.com/webmasters/tools/">Google Webmaster Tools</a> to learn about malware issues with your sites. These tools include binaries that have been identified by this new feature, and the same <a href="http://googleonlinesecurity.blogspot.com/2009/10/malware-warning-review-process.html">review process</a> will apply. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Protecting users from malicious downloads&url=https://security.googleblog.com/2011/04/protecting-users-from-malicious.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/04/protecting-users-from-malicious.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='6' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/04/protecting-users-from-malicious.html' data-url='https://security.googleblog.com/2011/04/protecting-users-from-malicious.html' style='color: #4184F3;'></span> 
</div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/04/protecting-users-from-malicious.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='2029461104519147234' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/04/improving-ssl-certificate-security.html' itemprop='url' title='Improving SSL certificate security'> Improving SSL certificate security </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> April 1, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Ben Laurie, Google Security Team</span><br /> <br /> In the wake of the recent <a href="http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html">Comodo fraud incident</a>, there has been a great deal of speculation about how to improve the public key infrastructure, on which the security of the Internet rests. Unfortunately, this isn&#8217;t a problem that will be fixed overnight. Luckily, however, experts have long known about these issues and have been devising solutions for some time.<br /> <br /> Given the current interest it seems like a good time to talk about two projects in which Google is engaged.<br /> <br /> The first is the Google Certificate Catalog. Google&#8217;s web crawlers scan the web on a regular basis in order to provide our search and other services. In the process, we also keep a record of all the SSL certificates we see. The Google Certificate Catalog is a database of all of those certificates, published in DNS. 
So, for example, if you wanted to see what we think of <a href="https://www.google.com/">https://www.google.com/</a>&#8217;s certificate, you could do this:<br /> <br /> <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ <b>openssl s_client -connect www.google.com:443 &lt; /dev/null | openssl x509 -outform DER | openssl sha1</b><br /> depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA<br /> verify error:num=20:unable to get local issuer certificate<br /> verify return:0<br /> DONE<br /> 405062e5befde4af97e9382af16cc87c8fb7c4e2<br /> $ <b>dig +short 405062e5befde4af97e9382af16cc87c8fb7c4e2.certs.googlednstest.com TXT</b><br /> "14867 15062 74"</span><br /> <br /> In other words: take the SHA-1 hash of the certificate, represent it as a hexadecimal number, then look up a TXT record with that name in the <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">certs.googlednstest.com</span> domain. What you get back is a set of three numbers. The first number is the day that Google&#8217;s crawlers first saw that certificate, the second is the most recent day, and the third is the number of days we saw it in between.<br /> <br /> In order for the hash of a certificate to appear in our database, it must satisfy some criteria:<br /> <ul><li>It must be correctly signed (either by a CA or self-signed).</li> <li>It must have the correct domain name &#8212; that is, one that matches the one we used to retrieve the certificate.</li> </ul>The basic idea is that if a certificate doesn&#8217;t appear in our database, despite being correctly signed by a well-known CA and having a matching domain name, then there may be something suspicious about that certificate. 
This endeavor owes much to the excellent <a href="http://www.networknotary.org/">Perspectives</a> project, but it is a somewhat different approach.<br /> <br /> Accessing the data manually is rather difficult and painful, so we&#8217;re thinking about how to add opt-in support to the Chrome browser. We hope other browsers will in time consider acting similarly.<br /> <br /> The second initiative to discuss is the <a href="https://datatracker.ietf.org/wg/dane/charter/">DANE Working Group at the IETF</a>. DANE stands for DNS-based Authentication of Named Entities. In short, the idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isn&#8217;t consistent with the DANE records, it should be treated with suspicion. Related to the DANE effort is the individually contributed <a href="http://tools.ietf.org/html/draft-hallambaker-donotissue-03">CAA record</a>, which predates the DANE WG and provides similar functionality.<br /> <br /> One could rightly point out that both of these efforts rely on DNS, which on its own is not secure. Luckily we&#8217;ve been working on that problem for even longer than this one, and a reasonable answer is DNSSEC, which enables publishing DNS records that are cryptographically protected against forgery and modification.<br /> <br /> It will be some time before DNSSEC is deployed widely enough for DANE to be broadly useful, since DANE requires every domain to be able to use DNSSEC. However, work is under way to use DNSSEC for the Certificate Catalog well before the entire DNSSEC infrastructure is ready. 
If we publish a key for the domain in which we publish the catalog, clients can simply incorporate this key as an interim measure until DNSSEC is properly deployed.<br /> <br /> Improving the public key infrastructure of the web is a big task and one that&#8217;s going to require the cooperation of many parties to be widely effective. We hope these projects will help point us in the right direction. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Ben Laurie, Google Security Team</span><br /> <br /> In the wake of the recent <a href="http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html">Comodo fraud incident</a>, there has been a great deal of speculation about how to improve the public key infrastructure, on which the security of the Internet rests. Unfortunately, this isn&#8217;t a problem that will be fixed overnight. Luckily, however, experts have long known about these issues and have been devising solutions for some time.<br /> <br /> Given the current interest it seems like a good time to talk about two projects in which Google is engaged.<br /> <br /> The first is the Google Certificate Catalog. Google&#8217;s web crawlers scan the web on a regular basis in order to provide our search and other services. In the process, we also keep a record of all the SSL certificates we see. The Google Certificate Catalog is a database of all of those certificates, published in DNS. 
So, for example, if you wanted to see what we think of <a href="https://www.google.com/">https://www.google.com/</a>&#8217;s certificate, you could do this:<br /> <br /> <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">$ <b>openssl s_client -connect www.google.com:443 &lt; /dev/null | openssl x509 -outform DER | openssl sha1</b><br /> depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA<br /> verify error:num=20:unable to get local issuer certificate<br /> verify return:0<br /> DONE<br /> 405062e5befde4af97e9382af16cc87c8fb7c4e2<br /> $ <b>dig +short 405062e5befde4af97e9382af16cc87c8fb7c4e2.certs.googlednstest.com TXT</b><br /> "14867 15062 74"</span><br /> <br /> In other words: take the SHA-1 hash of the certificate, represent it as a hexadecimal number, then look up a TXT record with that name in the <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">certs.googlednstest.com</span> domain. What you get back is a set of three numbers. The first number is the day that Google&#8217;s crawlers first saw that certificate, the second is the most recent day, and the third is the number of days we saw it in between.<br /> <br /> In order for the hash of a certificate to appear in our database, it must satisfy some criteria:<br /> <ul><li>It must be correctly signed (either by a CA or self-signed).</li> <li>It must have the correct domain name &#8212; that is, one that matches the one we used to retrieve the certificate.</li> </ul>The basic idea is that if a certificate doesn&#8217;t appear in our database, despite being correctly signed by a well-known CA and having a matching domain name, then there may be something suspicious about that certificate. 
This endeavor owes much to the excellent <a href="http://www.networknotary.org/">Perspectives</a> project, but it is a somewhat different approach.<br /> <br /> Accessing the data manually is rather difficult and painful, so we&#8217;re thinking about how to add opt-in support to the Chrome browser. We hope other browsers will in time consider acting similarly.<br /> <br /> The second initiative to discuss is the <a href="https://datatracker.ietf.org/wg/dane/charter/">DANE Working Group at the IETF</a>. DANE stands for DNS-based Authentication of Named Entities. In short, the idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isn&#8217;t consistent with the DANE records, it should be treated with suspicion. Related to the DANE effort is the individually contributed <a href="http://tools.ietf.org/html/draft-hallambaker-donotissue-03">CAA record</a>, which predates the DANE WG and provides similar functionality.<br /> <br /> One could rightly point out that both of these efforts rely on DNS, which on its own is not secure. Luckily we&#8217;ve been working on that problem for even longer than this one, and a reasonable answer is DNSSEC, which enables publishing DNS records that are cryptographically protected against forgery and modification.<br /> <br /> It will be some time before DNSSEC is deployed widely enough for DANE to be broadly useful, since DANE requires every domain to be able to use DNSSEC. However, work is under way to use DNSSEC for the Certificate Catalog well before the entire DNSSEC infrastructure is ready. 
If we publish a key for the domain in which we publish the catalog, clients can simply incorporate this key as an interim measure until DNSSEC is properly deployed.<br /> <br /> Improving the public key infrastructure of the web is a big task and one that&#8217;s going to require the cooperation of many parties to be widely effective. We hope these projects will help point us in the right direction. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Improving SSL certificate security&url=https://security.googleblog.com/2011/04/improving-ssl-certificate-security.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/04/improving-ssl-certificate-security.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='23' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/04/improving-ssl-certificate-security.html' data-url='https://security.googleblog.com/2011/04/improving-ssl-certificate-security.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' 
data-href='https://security.googleblog.com/2011/04/improving-ssl-certificate-security.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='6482786953427442924' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/03/chrome-warns-users-of-out-of-date.html' itemprop='url' title='Chrome warns users of out-of-date browser plugins'> Chrome warns users of out-of-date browser plugins </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> March 31, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <div style="text-align: center;"><br /></div><span class="byline-author">Posted by Panayiotis Mavrommatis and Noé Lutz, Google Security Team</span><br /><br />The new version of Google Chrome is not only <a href="http://chrome.blogspot.com/2011/03/speedier-simpler-and-safer-chromes.html">speedier and simpler</a> but it also improves user security by automatically disabling out-of-date, vulnerable browser plugins.<br /><br />As browsers get better at auto-updating, out-of-date plugins are becoming the weakest link against malware attacks. Thousands of web sites are compromised every week, turning those sites into malware distribution vectors by actively exploiting out-of-date plugins that run in the browser. Simply visiting one of these sites is usually enough to get your computer infected.<br /><br />Keeping all of your plugins up-to-date with the latest security fixes can be a hassle, so a while ago we started using our 20% time to develop a solution. 
The initial implementation was a Chrome extension called <a href="https://chrome.google.com/extensions/detail/pgkcfihepeihdlfphbndagmompiakeci">&#8220;SecBrowsing,&#8221;</a> which kept track of the latest plugin versions and encouraged users to update accordingly. The extension helped us gather valuable knowledge about plugins, and we started working with the Chrome team to build the feature right inside the browser.<br /><br />With the latest version of Chrome, users will be automatically warned about any out-of-date plugins. If you run into a page that requires a plugin that&#8217;s not current, it won&#8217;t run by default. Instead, you&#8217;ll see a message that will help you get the latest, most secure version of the plugin. An example of this message is below, and you can read more about the feature at the <a href="http://blog.chromium.org/2011/03/mini-newsletter-from-your-google-chrome.html">Chromium blog</a>.<br /><br /><div><img alt="" border="0" id="BLOGGER_PHOTO_ID_5590315301372164770" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXyPEh_wT6TsG3Rvd91GGVVg59pGyaAK90YJ20wqzVDC3KzXZXcdgmO5jL4jvu0t0-h6Qmck10zpFL4vYKZaxTZyKRnZj6MPLJRyISD9XkDek13zbMGvw5PNIT4TlRFdClYcY-kDNf05U/s400/out+of+date+plugin.png" style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 146px;" /></div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <div style="text-align: center;"><br /></div><span class="byline-author">Posted by Panayiotis Mavrommatis and Noé Lutz, Google Security Team</span><br /><br />The new version of Google Chrome is not only <a href="http://chrome.blogspot.com/2011/03/speedier-simpler-and-safer-chromes.html">speedier and simpler</a> but it also improves user security by automatically disabling out-of-date, vulnerable browser plugins.<br /><br 
/>As browsers get better at auto-updating, out-of-date plugins are becoming the weakest link against malware attacks. Thousands of web sites are compromised every week, turning those sites into malware distribution vectors by actively exploiting out-of-date plugins that run in the browser. Simply visiting one of these sites is usually enough to get your computer infected.<br /><br />Keeping all of your plugins up-to-date with the latest security fixes can be a hassle, so a while ago we started using our 20% time to develop a solution. The initial implementation was a Chrome extension called <a href="https://chrome.google.com/extensions/detail/pgkcfihepeihdlfphbndagmompiakeci">&#8220;SecBrowsing,&#8221;</a> which kept track of the latest plugin versions and encouraged users to update accordingly. The extension helped us gather valuable knowledge about plugins, and we started working with the Chrome team to build the feature right inside the browser.<br /><br />With the latest version of Chrome, users will be automatically warned about any out-of-date plugins. If you run into a page that requires a plugin that&#8217;s not current, it won&#8217;t run by default. Instead, you&#8217;ll see a message that will help you get the latest, most secure version of the plugin. 
An example of this message is below, and you can read more about the feature at the <a href="http://blog.chromium.org/2011/03/mini-newsletter-from-your-google-chrome.html">Chromium blog</a>.<br /><br /><div><img alt="" border="0" id="BLOGGER_PHOTO_ID_5590315301372164770" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXyPEh_wT6TsG3Rvd91GGVVg59pGyaAK90YJ20wqzVDC3KzXZXcdgmO5jL4jvu0t0-h6Qmck10zpFL4vYKZaxTZyKRnZj6MPLJRyISD9XkDek13zbMGvw5PNIT4TlRFdClYcY-kDNf05U/s400/out+of+date+plugin.png" style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 146px;" /></div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Chrome warns users of out-of-date browser plugins&url=https://security.googleblog.com/2011/03/chrome-warns-users-of-out-of-date.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/03/chrome-warns-users-of-out-of-date.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/03/chrome-warns-users-of-out-of-date.html' 
data-url='https://security.googleblog.com/2011/03/chrome-warns-users-of-out-of-date.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/03/chrome-warns-users-of-out-of-date.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='6431747515119342935' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/03/mhtml-vulnerability-under-active.html' itemprop='url' title='MHTML vulnerability under active exploitation'> MHTML vulnerability under active exploitation </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> March 11, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Chris Evans, Robert Swiecki, Michal Zalewski, and Billy Rios, Google Security Team</span><br /> <br /> We&#8217;ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We&#8217;ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed <a href="http://lcamtuf.blogspot.com/2011/03/note-on-mhtml-vulnerability.html">MHTML vulnerability</a> for which an exploit was publicly posted in January 2011. 
Users browsing with the Internet Explorer browser are affected.<br /> <br /> For now, we recommend concerned users and corporations seriously consider <a href="http://support.microsoft.com/kb/2501696">deploying Microsoft&#8217;s temporary Fixit</a> to block this attack until an official patch is available.<br /> <br /> To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can&#8217;t guarantee them to be 100% reliable or comprehensive. We&#8217;re working with Microsoft to develop a comprehensive solution for this issue.<br /> <br /> The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities. To date, similar attacks focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web services. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Chris Evans, Robert Swiecki, Michal Zalewski, and Billy Rios, Google Security Team</span><br /> <br /> We&#8217;ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We&#8217;ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed <a href="http://lcamtuf.blogspot.com/2011/03/note-on-mhtml-vulnerability.html">MHTML vulnerability</a> for which an exploit was publicly posted in January 2011. 
Users browsing with the Internet Explorer browser are affected.<br /> <br /> For now, we recommend concerned users and corporations seriously consider <a href="http://support.microsoft.com/kb/2501696">deploying Microsoft&#8217;s temporary Fixit</a> to block this attack until an official patch is available.<br /> <br /> To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can&#8217;t guarantee them to be 100% reliable or comprehensive. We&#8217;re working with Microsoft to develop a comprehensive solution for this issue.<br /> <br /> The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities. To date, similar attacks focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web services. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:MHTML vulnerability under active exploitation&url=https://security.googleblog.com/2011/03/mhtml-vulnerability-under-active.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/03/mhtml-vulnerability-under-active.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> 
&#57529; </i> <span class='cmt_count_iframe_holder' data-count='27' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/03/mhtml-vulnerability-under-active.html' data-url='https://security.googleblog.com/2011/03/mhtml-vulnerability-under-active.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/03/mhtml-vulnerability-under-active.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='3813461209748256544' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2011/02/advanced-sign-in-security-for-your.html' itemprop='url' title='Advanced sign-in security for your Google account'> Advanced sign-in security for your Google account </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> February 10, 2011 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Nishit Shah, Product Manager, Google Security</span><br /> <br /> <i>(Cross-posted from the <a href="http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html">Official Google Blog</a>)</i><br /> <br /> Has anyone you know ever lost control of an email account and inadvertently sent spam&#8212;or worse&#8212;to their friends and family? 
There are plenty of examples (like the classic <a href="http://gmailblog.blogspot.com/2010/03/detecting-suspicious-account-activity.html">"Mugged in London" scam</a>) that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents&#8212;if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.<br /> <br /> Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers <a href="http://googleenterprise.blogspot.com/2010/09/more-secure-cloud-for-millions-of.html">a few months ago</a>, we've developed an advanced opt-in security feature called <i>2-step verification</i> that makes your Google Account significantly more secure by helping to verify that you're the real owner of your account. Now it's time to offer the same advanced protection to all of our users.<br /> <br /> 2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. 
Over the next few days, you'll see a new link on your <a href="https://www.google.com/accounts/ManageAccount">Account Settings page</a> that looks like this:<br /> <div> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWVHL5TLSE_d0enSbwAdL95EOKZE3f6tJwxnDxzT4fAL7bGi7ftp_AMMzv3LdxzFgPtOZ5x5cmthKdjYP4748D9xZczjQpAJ6L_0ilaRO6Jr6jMGs4NwHt2kUkCTHaPPqqtFzUYvhjelE/s1600/AccountSettings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWVHL5TLSE_d0enSbwAdL95EOKZE3f6tJwxnDxzT4fAL7bGi7ftp_AMMzv3LdxzFgPtOZ5x5cmthKdjYP4748D9xZczjQpAJ6L_0ilaRO6Jr6jMGs4NwHt2kUkCTHaPPqqtFzUYvhjelE/s400/AccountSettings.png" width="400" /></a></div> <div style="text-align: center;"> <br /></div> Take your time to carefully set up 2-step verification&#8212;we expect it may take up to 15 minutes to enroll. A user-friendly set-up wizard will guide you through the process, including setting up a backup phone and creating backup codes in case you lose access to your primary phone. Once you enable 2-step verification, you'll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. 
When you enter this code after correctly submitting your password we'll have a pretty good idea that the person signing in is actually you.<br /> <div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjraqkLDEWmTDKNHqkC7MqreGP8YE8P0YVI9hf8GfMHIOQMM_KRuVNcU_17uH7mpJf72L5NJZiKsgXvpk71YpYdjbEu3nli_dUrmHD_fO44ufT7R7nfYEe7FrtSf5OxH2m3Y3VcUM4oX5A/s1600/step1and2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjraqkLDEWmTDKNHqkC7MqreGP8YE8P0YVI9hf8GfMHIOQMM_KRuVNcU_17uH7mpJf72L5NJZiKsgXvpk71YpYdjbEu3nli_dUrmHD_fO44ufT7R7nfYEe7FrtSf5OxH2m3Y3VcUM4oX5A/s500/step1and2.png" width="500" /></a></div> <div style="text-align: center;"> <br /></div> It's an extra step, but it's one that significantly improves the security of your Google Account because it requires the powerful combination of both something you <i>know</i>&#8212;your username and password&#8212;and something that only you should <i>have</i>&#8212;your phone. A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a "Remember verification for this computer for 30 days" option, and you won't need to re-enter a code for another 30 days. You can also set up one-time <i>application-specific passwords</i> to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.<br /> <br /> To learn more about 2-step verification and get started, visit our <a href="//www.google.com/support/accounts/bin/answer.py?answer=180744">Help Center</a>. And for more about staying safe online, see our ongoing <a href="http://googleblog.blogspot.com/search/label/security">security blog series</a> or visit <a href="http://www.staysafeonline.org/">http://www.staysafeonline.org/</a>. 
Be safe!<br /> <br /> <i><b>Update</b></i> <i>Dec 7, 2011</i>: Updated the screenshots in this post.</div> </div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Nishit Shah, Product Manager, Google Security</span><br /> <br /> <i>(Cross-posted from the <a href="http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html">Official Google Blog</a>)</i><br /> <br /> Has anyone you know ever lost control of an email account and inadvertently sent spam&#8212;or worse&#8212;to their friends and family? There are plenty of examples (like the classic <a href="http://gmailblog.blogspot.com/2010/03/detecting-suspicious-account-activity.html">"Mugged in London" scam</a>) that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents&#8212;if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.<br /> <br /> Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers <a href="http://googleenterprise.blogspot.com/2010/09/more-secure-cloud-for-millions-of.html">a few months ago</a>, we've developed an advanced opt-in security feature called <i>2-step verification</i> that makes your Google Account significantly more secure by helping to verify that you're the real owner of your account. 
Now it's time to offer the same advanced protection to all of our users.<br /> <br /> 2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your <a href="https://www.google.com/accounts/ManageAccount">Account Settings page</a> that looks like this:<br /> <div> <br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWVHL5TLSE_d0enSbwAdL95EOKZE3f6tJwxnDxzT4fAL7bGi7ftp_AMMzv3LdxzFgPtOZ5x5cmthKdjYP4748D9xZczjQpAJ6L_0ilaRO6Jr6jMGs4NwHt2kUkCTHaPPqqtFzUYvhjelE/s1600/AccountSettings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWVHL5TLSE_d0enSbwAdL95EOKZE3f6tJwxnDxzT4fAL7bGi7ftp_AMMzv3LdxzFgPtOZ5x5cmthKdjYP4748D9xZczjQpAJ6L_0ilaRO6Jr6jMGs4NwHt2kUkCTHaPPqqtFzUYvhjelE/s400/AccountSettings.png" width="400" /></a></div> <div style="text-align: center;"> <br /></div> Take your time to carefully set up 2-step verification&#8212;we expect it may take up to 15 minutes to enroll. A user-friendly set-up wizard will guide you through the process, including setting up a backup phone and creating backup codes in case you lose access to your primary phone. Once you enable 2-step verification, you'll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. 
When you enter this code after correctly submitting your password we'll have a pretty good idea that the person signing in is actually you.<br /> <div> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjraqkLDEWmTDKNHqkC7MqreGP8YE8P0YVI9hf8GfMHIOQMM_KRuVNcU_17uH7mpJf72L5NJZiKsgXvpk71YpYdjbEu3nli_dUrmHD_fO44ufT7R7nfYEe7FrtSf5OxH2m3Y3VcUM4oX5A/s1600/step1and2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjraqkLDEWmTDKNHqkC7MqreGP8YE8P0YVI9hf8GfMHIOQMM_KRuVNcU_17uH7mpJf72L5NJZiKsgXvpk71YpYdjbEu3nli_dUrmHD_fO44ufT7R7nfYEe7FrtSf5OxH2m3Y3VcUM4oX5A/s500/step1and2.png" width="500" /></a></div> <div style="text-align: center;"> <br /></div> It's an extra step, but it's one that significantly improves the security of your Google Account because it requires the powerful combination of both something you <i>know</i>&#8212;your username and password&#8212;and something that only you should <i>have</i>&#8212;your phone. A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a "Remember verification for this computer for 30 days" option, and you won't need to re-enter a code for another 30 days. You can also set up one-time <i>application-specific passwords</i> to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.<br /> <br /> To learn more about 2-step verification and get started, visit our <a href="//www.google.com/support/accounts/bin/answer.py?answer=180744">Help Center</a>. And for more about staying safe online, see our ongoing <a href="http://googleblog.blogspot.com/search/label/security">security blog series</a> or visit <a href="http://www.staysafeonline.org/">http://www.staysafeonline.org/</a>. 
Be safe!<br /> <br /> <i><b>Update</b></i> <i>Dec 7, 2011</i>: Updated the screenshots in this post.</div> </div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Advanced sign-in security for your Google account&url=https://security.googleblog.com/2011/02/advanced-sign-in-security-for-your.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2011/02/advanced-sign-in-security-for-your.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'> &#57529; </i> <span class='cmt_count_iframe_holder' data-count='14' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2011/02/advanced-sign-in-security-for-your.html' data-url='https://security.googleblog.com/2011/02/advanced-sign-in-security-for-your.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2011/02/advanced-sign-in-security-for-your.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='blog-pager' id='blog-pager'> <a 
class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2020/'> 2020 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' 
href='https://security.googleblog.com/2020/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2019/'> 2019 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/11/'> Nov </a> </div> <div class='items'> </div> </li> 
</ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/01/'> Jan </a> 
</div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2018/'> 2018 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate 
collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2017/'> 2017 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' 
href='https://security.googleblog.com/2017/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' 
style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2016/'> 2016 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/04/'> Apr 
</a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2015/'> 2015 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate 
collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' 
href='https://security.googleblog.com/2014/'> 2014 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a 
class='post-count-link' href='https://security.googleblog.com/2014/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2013/'> 2013 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/05/'> May </a> </div> <div 
class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'> &#58821; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2012/'> 2012 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div 
class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'> &#58821; </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy toggle-open'> <i class='material-icons'> &#58823; </i> &#160; </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2011/'> 2011 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate expanded'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/11/'> Nov 
</a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span 
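type="button" data-href="https://twitter.com/intent/follow?original_referer=http://googleonlinesecurity.blogspot.in/&amp;screen_name=google" id="twitter-share"><span class="twitter-follow">Follow @google</span></button>
<!-- original_referer above still names the legacy http:// blogspot.in host; it is only echoed to Twitter, not used by this page. -->
<script>
  // Opens the follow intent carried in the button's data-href in a fixed-size popup.
  // Bound with addEventListener instead of the original inline onclick so the
  // script block can be allow-listed by CSP hash/nonce (inline handlers cannot);
  // 'noopener' denies the popup a window.opener back-reference to this page.
  function sharingPopup(button) {
    var url = button.getAttribute("data-href");
    // data-href is template-controlled, but only ever hand https: URLs to window.open.
    if (!url || url.indexOf("https://") !== 0) { return; }
    window.open(url, 'popUpWindow', 'height=500,width=500,left=10,top=10,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes,noopener');
  }
  document.getElementById('twitter-share').addEventListener('click', function () { sharingPopup(this); });
</script>
</div>
<div class="fb-follow-button">
  <!-- rel="noopener noreferrer": target=_blank alone hands the opened page a scriptable window.opener -->
  <a href="https://www.facebook.com/google" target="_blank" rel="noopener noreferrer"><img class="fb-follow" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmruMUNSjAUsU-iCQjxgiqufl2u1wHJfiVTn3wuiIZAK1VUSRsexREPAOLV0N4-4VVtaYbZL18UsVh5CUlUJWH5UurFiQKMkHlNnj3YYw-2UiYtbNbvBE7VsAhdtw9rwNuOc-riC1exNkp/s1600/facebook-logo.png" alt="Facebook">Follow</a>
</div>
</div>
<div class='clear'></div>
</div><div class='widget HTML' data-version='1' id='HTML1'>
  <div class='widget-content'>
    <!-- '&' in an attribute value is now '&amp;' -->
    Give us feedback in our <a href="https://support.google.com/bin/static.py?hl=en&amp;page=portal_groups.cs">Product Forums</a>.
  </div>
  <div class='clear'></div>
</div></div>
</div>
</div>
<div style='clear:both;'></div>
</div>
<!-- Footer -->
<div class='google-footer-outer loading'>
  <div id='google-footer'>
    <!-- Footer links use absolute https: URLs instead of protocol-relative '//'.
         The logo's src is empty in the captured page and is left as found. -->
    <a href='https://www.google.com/'> <img class='google-logo-dark' height='36' src='' style='margin-top: -16px;' width='92' alt='Google'/> </a>
    <ul>
      <li> <a href='https://www.google.com/'> Google </a> </li>
      <li> <a href='https://www.google.com/policies/privacy/'> Privacy </a> </li>
      <li> <a href='https://www.google.com/policies/terms/'> Terms </a> </li>
    </ul>
  </div>
</div>
<script type='text/javascript'>
//<![CDATA[
// Social sharing popups.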
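// Each .social-wrapper carries its share URL in data-href and opens it in a
// sized popup. 'noopener' (absent in the original feature string) keeps the
// share site from reaching back into this page through window.opener.
var postEl = document.getElementsByClassName('social-wrapper');
var postCount = postEl.length;
for (var i = 0; i < postCount; i++) { // `var`: the original leaked `i` as a global
  postEl[i].addEventListener("click", function(event) {
    var postUrl = this.getAttribute("data-href");
    window.open(postUrl, 'popUpWindow', 'height=500,width=500,left=10,top=10,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes,noopener');
  });
}
//]]>
</script>
<script type='text/javascript'>
//<![CDATA[
// BreakpointHandler renders each post's template markup (shipped as text inside
// a <script> child of .post-content) into the DOM, upgrades http:// media
// sources to https where the host is known to serve TLS, and on list pages
// builds a word-limited summary with a "Read More" link.
var BreakpointHandler = function() {
  this.initted = false;    // process() runs its one-time setup only once
  this.isHomePage = false;
  this.isMobile = false;   // set from the ?m=1 query parameter in detect()
};

// Trims trailing whitespace/<br> from a summary and appends ' ...' when the
// cut happened mid-sentence (text node not ending in .”"? ) or inside an
// <i>/<a>. A trailing non-letter character is dropped before the ellipsis.
BreakpointHandler.prototype.finalizeSummary = function(summaryHtml, lastNode) {
  // Use $.trim for IE8 compatibility
  summaryHtml = $.trim(summaryHtml).replace(/(<br>|\s)+$/, '');
  if (lastNode.nodeType == 3) {
    var lastChar = summaryHtml.slice(-1);
    if (!lastChar.match(/[.”"?]/)) {
      if (!lastChar.match(/[A-Za-z]/)) {
        summaryHtml = summaryHtml.slice(0, -1);
      }
      summaryHtml += ' ...';
    }
  } else if (lastNode.nodeType == 1 && (lastNode.nodeName == 'I' || lastNode.nodeName == 'A')) {
    summaryHtml += ' ...';
  }
  return summaryHtml;
};

// Walks content's child nodes, copying their HTML until roughly numWords words
// have been seen. Elements flagged data-about-pullquote are skipped; a DIV or B
// ends the summary once at least 10 words have been collected.
BreakpointHandler.prototype.generateSummaryFromContent = function(content, numWords) {
  var seenWords = 0;
  var summaryHtml = '';
  var children = content.childNodes;
  for (var i = 0; i < children.length; i++) {
    var node = children[i];
    var nodeText;
    if (node.nodeType == 1) {
      if (node.hasAttribute('data-about-pullquote')) { continue; }
      nodeText = node.textContent;
      if (nodeText === undefined) { nodeText = node.innerText; } // innerText for IE8
      if (node.nodeName == 'DIV' || node.nodeName == 'B') {
        // Don't end early if we haven't seen enough words.
        if (seenWords < 10) { continue; }
        if (i > 0) {
          summaryHtml = this.finalizeSummary(summaryHtml, children[i - 1]);
        }
        break;
      }
      summaryHtml += node.outerHTML;
    } else if (node.nodeType == 3) {
      nodeText = node.nodeValue;
      summaryHtml += nodeText + ' ';
    } else {
      // Comment and other node types carry no countable text; the original
      // fell through to nodeText.match() on undefined and threw here.
      continue;
    }
    var words = nodeText.match(/\S+\s*/g);
    if (!words) { continue; }
    var remain = numWords - seenWords;
    if (words.length >= remain) {
      summaryHtml = this.finalizeSummary(summaryHtml, node);
      break;
    }
    seenWords += words.length;
  }
  return summaryHtml;
};

// Reads page mode from the document: list page (html.list-page), mobile
// (?m=1) and home page (pathname '/').
BreakpointHandler.prototype.detect = function() {
  var plus = /\+/g;
  var pair = /([^&=]+)=?([^&]*)/g;
  // decodeURIComponent throws URIError on a malformed escape (e.g. "?m=%E0");
  // the original let that abort the handler, so no post was ever rendered and
  // the .loading state never cleared. Fall back to the raw token instead.
  var decode = function(s) {
    s = s.replace(plus, " ");
    try { return decodeURIComponent(s); } catch (e) { return s; }
  };
  var query = window.location.search.substring(1);
  var urlParams = {};
  var match;
  while ((match = pair.exec(query)) !== null) {
    urlParams[decode(match[1])] = decode(match[2]);
  }
  this.isListPage = $('html').hasClass('list-page');
  this.isMobile = urlParams['m'] === '1';
  this.isHomePage = window.location.pathname == '/';
};

// Injects every post's template markup and, on list pages, a generated (or
// editor-provided) summary with a "Read More" link cloned from the title link.
BreakpointHandler.prototype.initContent = function() {
  var self = this;
  var isPreview = document.body.className.indexOf('is-preview') !== -1;
  $('.post').each(function(index) {
    var body = $(this).children('.post-body')[0];
    var content = $(body).children('.post-content')[0];
    $(content).addClass('post-original');
    // jQuery's .html() returns undefined when the <script> template child is
    // missing; the original then threw inside rewriteForSSL and left every
    // later post unrendered. Skip such a post instead.
    var data = $(content).children('script').html();
    if (typeof data !== 'string') { return; }
    data = self.rewriteForSSL(data);
    var previewMatch = null;
    if (isPreview) {
      // If exists, extract specified editor's preview.
      previewMatch = data.match(/([\s\S]+?)<div data-is-preview.+?>([\s\S]+)<\/div>/m);
      if (previewMatch) { data = previewMatch[1]; }
    }
    if (self.isListPage && self.isMobile) {
      // Prevent big images from loading when they aren't needed. This must be a
      // pre-injection step, since image loading can't be canceled once in the DOM.
      data = data.replace(/<(img|iframe) .+?>/g, '');
    }
    // `data` is the post author's own template markup and is injected without
    // sanitisation; that is only acceptable because it is never visitor input.
    content.innerHTML = data;
    if (!self.isListPage) { return; }
    var summary = document.createElement('div');
    $(summary).addClass('post-content').addClass('post-summary');
    body.insertBefore(summary, content);
    if (previewMatch) {
      // Use provided summary.
      summary.innerHTML = previewMatch[2];
    } else {
      // Summary generation relies on the DOM, so it must run after injection.
      summary.innerHTML = self.generateSummaryFromContent(content, 30);
    }
    // The "Read More" link is a clone of the title link so it inherits the post URL.
    var titleAnchor = $(this).find('.title a')[0];
    if (titleAnchor) { // a post without a title link used to throw on cloneNode
      var link = titleAnchor.cloneNode(true);
      link.innerHTML = 'Read More';
      $(link).addClass('read-more');
      summary.appendChild(link);
    }
  });
  // Firefox does not allow for proper styling of BR.
  if (navigator.userAgent.indexOf('Firefox') > -1) {
    $('.post-content br').replaceWith('<span class="space"></span>');
  }
  $('.loading').removeClass('loading');
};

// One-time setup: builds the http->https rewrite patterns, detects page mode
// and renders the posts. Subsequent calls are no-ops.
BreakpointHandler.prototype.process = function() {
  if (this.initted) { return; }
  var makeInsecureImageRegex = function(hosts) {
    // Escape every regex metacharacter per host (the original escaped only
    // '.'), so a hostname such as an IPv6 literal "[::1]" cannot become a
    // character class. The host is matched as a prefix only; that is safe
    // here because the rewrite merely upgrades the scheme of an existing URL.
    var whitelist = hosts.map(function(h) {
      return h.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    }).join('|');
    // Normal image tags, plus input images (yes, this is possible!)
    return new RegExp('(<(img|input)[^>]+?src=("|\'))http:\/\/(' + whitelist + ')', 'g');
  };
  this.sslImageRegex = makeInsecureImageRegex(BreakpointHandler.KNOWN_HTTPS_HOSTS);
  this.sslImageCurrentDomainRegex = makeInsecureImageRegex([window.location.hostname]);
  this.detect();
  this.initContent();
  this.initted = true;
};

// Hosts known to serve the same image over https; only these get upgraded.
BreakpointHandler.KNOWN_HTTPS_HOSTS = [
  "www.google.org", "www.google.com", "services.google.com",
  "blogger.com", "draft.blogger.com", "www.blogger.com",
  "photos1.blogger.com", "photos2.blogger.com", "photos3.blogger.com",
  "blogblog.com", "img1.blogblog.com", "img2.blogblog.com",
  "www.blogblog.com", "www1.blogblog.com", "www2.blogblog.com",
  "0.bp.blogspot.com", "1.bp.blogspot.com", "2.bp.blogspot.com",
  "3.bp.blogspot.com", "4.bp.blogspot.com",
  "lh3.googleusercontent.com", "lh4.googleusercontent.com",
  "lh5.googleusercontent.com", "lh6.googleusercontent.com",
  "themes.googleusercontent.com",
];

// Rewrites http:// sources in the given markup: known hosts to https://, the
// current host to protocol-relative, youtube/picasaweb embeds to https://, and
// the slideshow SWF's feed= parameter to https. Non-strings are returned as-is.
BreakpointHandler.prototype.rewriteForSSL = function(html) {
  if (typeof html !== 'string') { return html; }
  return html
    .replace(this.sslImageRegex, '$1https://$4')
    .replace(this.sslImageCurrentDomainRegex, '$1//$4')
    .replace(/(<(embed|iframe)[^>]+?src=("|'))http:\/\/([^"']*?(youtube|picasaweb\.google)\.com)/g, '$1https://$4')
    // Slideshow SWF takes a image host, so we need to rewrite that parameter.
    .replace(/(<embed[^>]+?feed=http(?=[^s]))/g, '$1s');
};

$(document).ready(function() {
  var handler = new BreakpointHandler();
  handler.process();
  // Top-level navigation: both tab groups share one toggle behaviour.
  var toggleTab = function(ev) {
    ev.preventDefault();
    $(this).parent().toggleClass('active');
    $(this).siblings().slideToggle(300);
  };
  $(".BlogArchive .tab").click(toggleTab);
  $(".Label .tab").click(toggleTab);
  // Blog archive year expansion.
  $('.BlogArchive .intervalToggle').click(function(ev) {
    ev.preventDefault();
    var year = $(this).parent();
    if (year.hasClass('collapsed')) {
      year.removeClass('collapsed').addClass('expanded');
    } else {
      year.removeClass('expanded').addClass('collapsed');
    }
  });
  // Reverse order of months.
  $('.BlogArchive .intervalToggle + div').each(function(_, items) {
    var year = $(this);
    year.children().each(function(_, month) { year.prepend(month); });
  });
  // Image links open in a new tab. target=_blank alone hands the opened page a
  // window.opener reference, so rel=noopener is added as well (the original set
  // only target); an existing rel value is preserved.
  $('.post-content img').parent().each(function(_, node) {
    if (node.nodeName == 'A') {
      node.setAttribute('target', '_blank');
      var rel = (node.getAttribute('rel') || '').split(/\s+/).filter(Boolean);
      if (rel.indexOf('noopener') === -1) { rel.push('noopener'); }
      node.setAttribute('rel', rel.join(' '));
    }
  });
  // Process search requests; the query is URL-encoded before leaving the page.
  $('.searchBox input').on("keypress", function(ev) {
    if (ev.which == 13) {
      window.location.href = 'https://www.google.com/search?q=site%3A' + window.location.hostname + '%20' + encodeURIComponent($(this).val());
    }
  });
});
//]]>
</script>
<!-- Platform-managed widget script (version in the path); loaded without an integrity attribute. -->
<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/984859869-widgets.js"></script>
<script type='text/javascript'>
// NOTE(review): __wavt appears to be a per-render Blogger token (its suffix
// looks like a millisecond timestamp); treat it as ephemeral, not as an identifier.
window['__wavt'] = 'AOuZoY4gFBjB7b3XbHEGornOYptYPhz0WQ:1732774256932';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d1176949257541686127','//security.googleblog.com/2011/','1176949257541686127'); _WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '1176949257541686127', 'title': 'Google Online Security Blog', 'url': 'https://security.googleblog.com/2011/', 'canonicalUrl': 'https://security.googleblog.com/2011/', 'homepageUrl': 'https://security.googleblog.com/', 'searchUrl': 'https://security.googleblog.com/search', 'canonicalHomepageUrl': 'https://security.googleblog.com/', 'blogspotFaviconUrl': 'https://security.googleblog.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': false, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'G-K46T604G22', 'analytics4': true, 'encoding':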
'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Google Online Security Blog - Atom\x22 href\x3d\x22https://security.googleblog.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Google Online Security Blog - RSS\x22 href\x3d\x22https://security.googleblog.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Google Online Security Blog - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/1176949257541686127/posts/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/2fafd358a4bcb2b4', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'X', 'key': 'twitter', 'shareMessage': 'Share to X', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript 
type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'archive', 'pageName': '2011', 'pageTitle': 'Google Online Security Blog: 2011'}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Google Online Security Blog', 'description': 'The latest news and insights from Google on security and safety on the Internet', 'url': 'https://security.googleblog.com/2011/', 'type': 'feed', 'isSingleItem': false, 'isMultipleItems': true, 'isError': false, 'isPage': false, 'isPost': false, 'isHomepage': false, 'isArchive': true, 'isLabelSearch': false, 'archive': {'year': 2011, 'rangeMessage': 'Showing posts from 2011'}}}]); _WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML8', 'sidebar-top', document.getElementById('HTML8'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_LabelView', new 
_WidgetInfo('Label1', 'sidebar', document.getElementById('Label1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogArchiveView', new _WidgetInfo('BlogArchive1', 'sidebar', document.getElementById('BlogArchive1'), {'languageDirection': 'ltr', 'loadingMessage': 'Loading\x26hellip;'}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML6', 'sidebar', document.getElementById('HTML6'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML5', 'sidebar-bottom', document.getElementById('HTML5'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML1', 'sidebar-bottom', document.getElementById('HTML1'), {}, 'displayModeFull')); </script> </body> </html>
