Google Online Security Blog: August 2019
<!DOCTYPE html> <html class='v2 list-page' dir='ltr' itemscope='' itemtype='http://schema.org/Blog' lang='en' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'> <head> <link href='https://www.blogger.com/static/v1/widgets/3566091532-css_bundle_v2.css' rel='stylesheet' type='text/css'/> <title> Google Online Security Blog: August 2019 </title> <meta content='JPvErrROkJmNEh4Lr_QT6CD77GdfQr6cLFw6gIXg6kc' name='google-site-verification'/> <meta content='width=device-width, height=device-height, minimum-scale=1.0, initial-scale=1.0, user-scalable=0' name='viewport'/> <meta content='IE=Edge' http-equiv='X-UA-Compatible'/> <meta content='Google Online Security Blog' property='og:title'/> <meta content='en_US' property='og:locale'/> <meta content='https://security.googleblog.com/2019/08/' property='og:url'/> <meta content='Google Online Security Blog' property='og:site_name'/> <!-- Twitter Card properties --> <meta content='Google Online Security Blog' property='og:title'/> <meta content='summary' name='twitter:card'/> <meta content='@google' name='twitter:creator'/> <link href='https://fonts.googleapis.com/css?family=Roboto:400italic,400,500,500italic,700,700italic' rel='stylesheet' type='text/css'/> <link href='https://fonts.googleapis.com/icon?family=Material+Icons' rel='stylesheet'/> <script src='https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js' type='text/javascript'></script> <!-- End --> <style id='page-skin-1' type='text/css'><!-- /* <Group description="Header Color" selector="header"> <Variable name="header.background.color" description="Header Background" type="color" default="#ffffff"/> </Group> */ .header-outer { border-bottom: 1px solid #e0e0e0; background: #ffffff; } html, .Label h2, #sidebar .rss a, .BlogArchive h2, .FollowByEmail h2.title, .widget .post h2 { font-family: Roboto, sans-serif; } .plusfollowers 
h2.title, .post h2.title, .widget h2.title { font-family: Roboto, sans-serif; } .widget-item-control { height: 100%; } .widget.Header, #header { position: relative; height: 100%; width: 100%; } } .widget.Header .header-logo1 { float: left; margin-right: 15px; padding-right: 15px; border-right: 1px solid #ddd; } .header-title h2 { color: rgba(0,0,0,.54); display: inline-block; font-size: 40px; font-family: Roboto, sans-serif; font-weight: normal; line-height: 52px; vertical-align: top; } .header-inner { background-repeat: no-repeat; background-position: right 0px; } .post-author, .byline-author { font-size: 14px; font-weight: normal; color: #757575; color: rgba(0,0,0,.54); } .post-content .img-border { border: 1px solid rgb(235, 235, 235); padding: 4px; } .header-title a { text-decoration: none !important; } pre { border: 1px solid #bbbbbb; margin-top: 1em 0 0 0; padding: 0.99em; overflow-x: auto; overflow-y: auto; } pre, code { font-size: 9pt; background-color: #fafafa; line-height: 125%; font-family: monospace; } pre, code { color: #060; font: 13px/1.54 "courier new",courier,monospace; } .header-left .header-logo1 { width: 128px !important; } .header-desc { line-height: 20px; margin-top: 8px; } .fb-custom img, .twitter-custom img, .gplus-share img { cursor: pointer; opacity: 0.54; } .fb-custom img:hover, .twitter-custom img:hover, .gplus-share img:hover { opacity: 0.87; } .fb-like { width: 80px; } .post .share { float: right; } #twitter-share{ border: #CCC solid 1px; border-radius: 3px; background-image: -webkit-linear-gradient(top,#ffffff,#dedede); } .twitter-follow { background: url(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzwq6wJ3u5K0MMYeWnx0AU03sYtGpFjNwKFUaQZBmEMv30yakbc2IPrWwifAH24rgztnZb9PxMbEOtABaf_viqKnZ_xTZxJCPc1W2GQGIkl4riZZg10bCTUMyHjOQz4_0Lg4l11kmyRa1I/s1600/twitter-bird.png) no-repeat left center; padding-left: 18px; font: normal normal normal 11px/18px 'Helvetica Neue',Arial,sans-serif; font-weight: bold; text-shadow: 0 1px 0 
rgba(255,255,255,.5); cursor: pointer; margin-bottom: 10px; } .twitter-fb { padding-top: 2px; } .fb-follow-button { background: -webkit-linear-gradient(#4c69ba, #3b55a0); background: -moz-linear-gradient(#4c69ba, #3b55a0); background: linear-gradient(#4c69ba, #3b55a0); border-radius: 2px; height: 18px; padding: 4px 0 0 3px; width: 57px; border: #4c69ba solid 1px; } .fb-follow-button a { text-decoration: none !important; text-shadow: 0 -1px 0 #354c8c; text-align: center; white-space: nowrap; font-size: 11px; color: white; vertical-align: top; } .fb-follow-button a:visited { color: white; } .fb-follow { padding: 0px 5px 3px 0px; width: 14px; vertical-align: bottom; } .gplus-wrapper { margin-top: 3px; display: inline-block; vertical-align: top; } .twitter-custom, .gplus-share { margin-right: 12px; } .fb-follow-button{ margin: 10px auto; } /** CUSTOM CODE **/ --></style> <style id='template-skin-1' type='text/css'><!-- .header-outer { clear: both; } .header-inner { margin: auto; padding: 0px; } .footer-outer { background: #f5f5f5; clear: both; margin: 0; } .footer-inner { margin: auto; padding: 0px; } .footer-inner-2 { /* Account for right hand column elasticity. */ max-width: calc(100% - 248px); } .google-footer-outer { clear: both; } .cols-wrapper, .google-footer-outer, .footer-inner, .header-inner { max-width: 978px; margin-left: auto; margin-right: auto; } .cols-wrapper { margin: auto; clear: both; margin-top: 60px; margin-bottom: 60px; overflow: hidden; } .col-main-wrapper { float: left; width: 100%; } .col-main { margin-right: 278px; max-width: 660px; } .col-right { float: right; width: 248px; margin-left: -278px; } /* Tweaks for layout mode. 
*/ body#layout .google-footer-outer { display: none; } body#layout .header-outer, body#layout .footer-outer { background: none; } body#layout .header-inner { height: initial; } body#layout .cols-wrapper { margin-top: initial; margin-bottom: initial; } --></style> <!-- start all head --> <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/> <meta content='blogger' name='generator'/> <link href='https://security.googleblog.com/favicon.ico' rel='icon' type='image/x-icon'/> <link href='https://security.googleblog.com/2019/08/' rel='canonical'/> <link rel="alternate" type="application/atom+xml" title="Google Online Security Blog - Atom" href="https://security.googleblog.com/feeds/posts/default" /> <link rel="alternate" type="application/rss+xml" title="Google Online Security Blog - RSS" href="https://security.googleblog.com/feeds/posts/default?alt=rss" /> <link rel="service.post" type="application/atom+xml" title="Google Online Security Blog - Atom" href="https://www.blogger.com/feeds/1176949257541686127/posts/default" /> <!--Can't find substitution for tag [blog.ieCssRetrofitLinks]--> <meta content='https://security.googleblog.com/2019/08/' property='og:url'/> <meta content='Google Online Security Blog' property='og:title'/> <meta content='The latest news and insights from Google on security and safety on the Internet' property='og:description'/> <!-- end all head --> <base target='_self'/> <style> html { font-family: Roboto, sans-serif; -moz-osx-font-smoothing: grayscale; -webkit-font-smoothing: antialiased; } body { padding: 0; /* This ensures that the scroll bar is always present, which is needed */ /* because content render happens after page load; otherwise the header */ /* would "bounce" in-between states. 
*/ min-height: 150%; } h2 { font-size: 16px; } h1, h2, h3, h4, h5 { line-height: 2em; } html, h4, h5, h6 { font-size: 14px; } a, a:visited { color: #4184F3; text-decoration: none; } a:focus, a:hover, a:active { text-decoration: none; } .Header { margin-top: 15px; } .Header h1 { font-size: 32px; font-weight: 300; line-height: 32px; height: 42px; } .header-inner .Header .titlewrapper { padding: 0; margin-top: 30px; } .header-inner .Header .descriptionwrapper { padding: 0; margin: 0; } .cols-wrapper { margin-top: 56px; } .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 60px; } .header-inner { height: 256px; position: relative; } html, .header-inner a { color: #212121; color: rgba(0,0,0,.87); } .header-inner .google-logo { display: inline-block; background-size: contain; z-index: 1; height: 46px; overflow: hidden; margin-top: 4px; margin-right: 8px; } .header-left { position: absolute; top: 50%; -webkit-transform: translateY(-50%); transform: translateY(-50%); margin-top: 12px; width: 100%; } .google-logo { margin-left: -4px; } #google-footer { position: relative; font-size: 13px; list-style: none; text-align: right; } #google-footer a { color: #444; } #google-footer ul { margin: 0; padding: 0; height: 144px; line-height: 144px; } #google-footer ul li { display: inline; } #google-footer ul li:before { color: #999; content: "\00b7"; font-weight: bold; margin: 5px; } #google-footer ul li:first-child:before { content: ''; } #google-footer .google-logo-dark { left: 0; margin-top: -16px; position: absolute; top: 50%; } /** Sitemap links. 
**/ .footer-inner-2 { font-size: 14px; padding-top: 42px; padding-bottom: 74px; } .footer-inner-2 .HTML h2 { color: #212121; color: rgba(0,0,0,.87); font-size: 14px; font-weight: 500; padding-left: 0; margin: 10px 0; } .footer-inner-2 .HTML ul { font-weight: normal; list-style: none; padding-left: 0; } .footer-inner-2 .HTML li { line-height: 24px; padding: 0; } .footer-inner-2 li a { color: rgba(65,132,243,.87); } /** Archive widget. **/ .BlogArchive { font-size: 13px; font-weight: normal; } .BlogArchive .widget-content { display: none; } .BlogArchive h2, .Label h2 { color: #4184F3; text-decoration: none; } .BlogArchive .hierarchy li { display: inline-block; } /* Specificity needed here to override widget CSS defaults. */ .BlogArchive #ArchiveList ul li, .BlogArchive #ArchiveList ul ul li { margin: 0; padding-left: 0; text-indent: 0; } .BlogArchive .intervalToggle { cursor: pointer; } .BlogArchive .expanded .intervalToggle .new-toggle { -ms-transform: rotate(180deg); transform: rotate(180deg); } .BlogArchive .new-toggle { float: right; padding-top: 3px; opacity: 0.87; } #ArchiveList { text-transform: uppercase; } #ArchiveList .expanded > ul:last-child { margin-bottom: 16px; } #ArchiveList .archivedate { width: 100%; } /* Months */ .BlogArchive .items { max-width: 150px; margin-left: -4px; } .BlogArchive .expanded .items { margin-bottom: 10px; overflow: hidden; } .BlogArchive .items > ul { float: left; height: 32px; } .BlogArchive .items a { padding: 0 4px; } .Label { font-size: 13px; font-weight: normal; } .sidebar-icon { display: inline-block; width: 24px; height: 24px; vertical-align: middle; margin-right: 12px; margin-top: -1px } .Label a { margin-right: 4px; } .Label .widget-content { display: none; } .FollowByEmail { font-size: 13px; font-weight: normal; } .FollowByEmail h2 { background: url("data:image/png;base64,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"); background-repeat: no-repeat; background-position: 0 50%; text-indent: 30px; } 
.FollowByEmail .widget-content { display: none; } .searchBox input { border: 1px solid #eee; color: #212121; color: rgba(0,0,0,.87); font-size: 14px; padding: 8px 8px 8px 40px; width: 164px; font-family: Roboto, sans-serif; background: url("https://www.gstatic.com/images/icons/material/system/1x/search_grey600_24dp.png") 8px center no-repeat; } .searchBox ::-webkit-input-placeholder { /* WebKit, Blink, Edge */ color: rgba(0,0,0,.54); } .searchBox :-moz-placeholder { /* Mozilla Firefox 4 to 18 */ color: #000; opacity: 0.54; } .searchBox ::-moz-placeholder { /* Mozilla Firefox 19+ */ color: #000; opacity: 0.54; } .searchBox :-ms-input-placeholder { /* Internet Explorer 10-11 */ color: #757575; } .widget-item-control { margin-top: 0px; } .section { margin: 0; padding: 0; } #sidebar-top { border: 1px solid #eee; } #sidebar-top > div { margin: 16px 0; } .widget ul { line-height: 1.6; } /*main post*/ .post { margin-bottom:30px; } #main .post .title { margin: 0; } #main .post .title a { color: #212121; color: rgba(0,0,0,.87); font-weight: normal; font-size: 24px; } #main .post .title a:hover { text-decoration:none; color:#4184F3; } .message, #main .post .post-header { margin: 0; padding: 0; } #main .post .post-header .caption, #main .post .post-header .labels-caption, #main .post .post-footer .caption, #main .post .post-footer .labels-caption { color: #444; font-weight: 500; } #main .tr-caption-container td { text-align: left; } #main .post .tr-caption { color: #757575; color: rgba(0,0,0,.54); display: block; max-width: 560px; padding-bottom: 20px; } #main .post .tr-caption-container { line-height: 24px; margin: -1px 0 0 0 !important; padding: 4px 0; text-align: left; } #main .post .post-header .published{ font-size:11px; font-weight:bold; } .post-header .publishdate { font-size: 17px; font-weight:normal; color: #757575; color: rgba(0,0,0,.54); } #main .post .post-footer{ font-size:12px; padding-bottom: 21px; } .label-footer { margin-bottom: 12px; margin-top: 12px; } 
.comment-img { margin-right: 16px; opacity: 0.54; vertical-align: middle; } #main .post .post-header .published { margin-bottom: 40px; margin-top: -2px; } .post .post-content { color: #212121; color: rgba(0,0,0,.87); font-size: 17px; margin: 25px 0 36px 0; line-height: 32px; } .post-body .post-content ul, .post-body .post-content ol { margin: 16px 0; padding: 0 48px; } .post-summary { display: none; } /* Another old-style caption. */ .post-content div i, .post-content div + i { font-size: 14px; font-style: normal; color: #757575; color: rgba(0,0,0,.54); display: block; line-height: 24px; margin-bottom: 16px; text-align: left; } /* Another old-style caption (with link) */ .post-content a > i { color: #4184F3 !important; } /* Old-style captions for images. */ .post-content .separator + div:not(.separator) { margin-top: -16px; } /* Capture section headers. */ .post-content br + br + b, .post-content .space + .space + b, .post-content .separator + b { display: inline-block; margin-bottom: 8px; margin-top: 24px; } .post-content li { line-height: 32px; } /* Override all post images/videos to left align. */ .post-content .separator > a, .post-content .separator > span { margin-left: 0 !important; } .post-content img { max-width: 100%; height: auto; width: auto; } .post-content .tr-caption-container img { margin-bottom: 12px; } .post-content iframe, .post-content embed { max-width: 100%; } .post-content .carousel-container { margin-bottom: 48px; } #main .post-content b { font-weight: 500; } /* These are the main paragraph spacing tweaks. 
*/ #main .post-content br { content: ' '; display: block; padding: 4px; } .post-content .space { display: block; height: 8px; } .post-content iframe + .space, .post-content iframe + br { padding: 0 !important; } #main .post .jump-link { margin-bottom:10px; } .post-content img, .post-content iframe { margin: 30px 0 20px 0; } .post-content > img:first-child, .post-content > iframe:first-child { margin-top: 0; } .col-right .section { padding: 0 16px; } #aside { background:#fff; border:1px solid #eee; border-top: 0; } #aside .widget { margin:0; } #aside .widget h2, #ArchiveList .toggle + a.post-count-link { color: #212121; color: rgba(0,0,0,.87); font-weight: 400 !important; margin: 0; } #ArchiveList .toggle { float: right; } #ArchiveList .toggle .material-icons { padding-top: 4px; } #sidebar .tab { cursor: pointer; } #sidebar .tab .arrow { display: inline-block; float: right; } #sidebar .tab .icon { display: inline-block; vertical-align: top; height: 24px; width: 24px; margin-right: 13px; margin-left: -1px; margin-top: 1px; color: #757575; color: rgba(0,0,0,.54); } #sidebar .widget-content > :first-child { padding-top: 8px; } #sidebar .active .tab .arrow { -ms-transform: rotate(180deg); transform: rotate(180deg); } #sidebar .arrow { color: #757575; color: rgba(0,0,0,.54); } #sidebar .widget h2 { font-size: 14px; line-height: 24px; display: inline-block; } #sidebar .widget .BlogArchive { padding-bottom: 8px; } #sidebar .widget { border-bottom: 1px solid #eee; box-shadow: 0px 1px 0 white; margin-bottom: 0; padding: 14px 0; min-height: 20px; } #sidebar .widget:last-child { border-bottom: none; box-shadow: none; margin-bottom: 0; } #sidebar ul { margin: 0; padding: 0; } #sidebar ul li { list-style:none; padding:0; } #sidebar ul li a { line-height: 32px; } #sidebar .archive { background-image: 
url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAYCAYAAADzoH0MAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAE1JREFUeNpiNDY23s9AAWBioBCwYBM8c+YMVsUmJibEGYBNMS5DaeMFfDYSZQA2v9I3FrB5AZeriI4FmnrBccCT8mhmGs1MwyAzAQQYAKEWG9zm9QFEAAAAAElFTkSuQmCC"); height: 24px; line-height: 24px; padding-left: 30px; } #sidebar .labels { background-image: url("data:image/png;base64,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"); height: 20px; line-height: 20px; padding-left: 30px; } #sidebar .rss a { background-image: url("data:image/png;base64,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"); } #sidebar .subscription a { background-image: url("data:image/png;base64,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"); } #sidebar-bottom { background: #f5f5f5; border-top:1px solid #eee; } #sidebar-bottom .widget { border-bottom: 1px solid #e0e0e0; padding: 15px 0; text-align: center; } #sidebar-bottom > div:last-child { border-bottom: 0; } #sidebar-bottom .text { line-height: 20px; } /* Home, forward, and backward pagination. */ .blog-pager { border-top : 1px #e0e0e0 solid; padding-top: 10px; margin-top: 15px; text-align: right !important; } #blog-pager { margin-botom: 0; margin-top: -14px; padding: 16px 0 0 0; } #blog-pager a { display: inline-block; } .blog-pager i.disabled { opacity: 0.2 !important; } .blog-pager i { color: black; margin-left: 16px; opacity: 0.54; } .blog-pager i:hover, .blog-pager i:active { opacity: 0.87; } #blog-pager-older-link, #blog-pager-newer-link { float: none; } .gplus-profile { background-color: #fafafa; border: 1px solid #eee; overflow: hidden; width: 212px; } .gplus-profile-inner { margin-left: -1px; margin-top: -1px; } /* Sidebar follow buttons. 
*/ .followgooglewrapper { padding: 12px 0 0 0; } .loading { visibility: hidden; } .detail-page .post-footer .cmt_iframe_holder { padding-top: 40px !important; } /** Desktop **/ @media (max-width: 900px) { .col-right { display: none; } .col-main { margin-right: 0; min-width: initial; } .footer-outer { display: none; } .cols-wrapper { min-width: initial; } .google-footer-outer { background-color: #f5f5f5; } } /** Tablet **/ @media (max-width: 712px) { .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 40px; } } /* An extra breakpoint accommodating for long blog titles. */ @media (max-width: 600px) { .header-left { height: 100%; top: inherit; margin-top: 0; -webkit-transform: initial; transform: initial; } .header-title { margin-top: 18px; } .header-inner .google-logo { height: 40px; margin-top: 3px; } .header-inner .google-logo img { height: 42px; } .header-title h2 { font-size: 32px; line-height: 40px; } .header-desc { bottom: 24px; position: absolute; } } /** Mobile/small desktop window; also landscape. **/ @media (max-width: 480px), (max-height: 480px) { .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 16px; } .cols-wrapper { margin-top: 0; } .post-header .publishdate, .post .post-content { font-size: 16px; } .post .post-content { line-height: 28px; margin-bottom: 30px; } .post { margin-top: 30px; } .byline-author { display: block; font-size: 12px; line-height: 24px; margin-top: 6px; } #main .post .title a { font-weight: 500; color: #4c4c4c; color: rgba(0,0,0,.70); } #main .post .post-header { padding-bottom: 12px; } #main .post .post-header .published { margin-bottom: -8px; margin-top: 3px; } .post .read-more { display: block; margin-top: 14px; } .post .tr-caption { font-size: 12px; } #main .post .title a { font-size: 20px; line-height: 30px; } .post-content iframe { /* iframe won't keep aspect ratio when scaled down. 
*/ max-height: 240px; } .post-content .separator img, .post-content .tr-caption-container img, .post-content iframe { margin-left: -16px; max-width: inherit; width: calc(100% + 32px); } .post-content table, .post-content td { width: 100%; } #blog-pager { margin: 0; padding: 16px 0; } /** List page tweaks. **/ .list-page .post-original { display: none; } .list-page .post-summary { display: block; } .list-page .comment-container { display: none; } .list-page #blog-pager { padding-top: 0; border: 0; margin-top: -8px; } .list-page .label-footer { display: none; } .list-page #main .post .post-footer { border-bottom: 1px solid #eee; margin: -16px 0 0 0; padding: 0 0 20px 0; } .list-page .post .share { display: none; } /** Detail page tweaks. **/ .detail-page .post-footer .cmt_iframe_holder { padding-top: 32px !important; } .detail-page .label-footer { margin-bottom: 0; } .detail-page #main .post .post-footer { padding-bottom: 0; } .detail-page #comments { display: none; } } [data-about-pullquote], [data-is-preview], [data-about-syndication] { display: none; } </style> <noscript> <style> .loading { visibility: visible }</style> </noscript> <!-- Google tag (gtag.js) --> <script async='true' src='https://www.googletagmanager.com/gtag/js?id=G-K46T604G22'></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-K46T604G22'); </script> <link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1176949257541686127&zx=3087bdcb-1962-4cce-ae50-737c70a68c4e' media='none' onload='if(media!='all')media='all'' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1176949257541686127&zx=3087bdcb-1962-4cce-ae50-737c70a68c4e' rel='stylesheet'/></noscript> <meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/> <meta name='google-adsense-platform-domain' content='blogspot.com'/> </head> <body> <script 
type='text/javascript'> //<![CDATA[ var axel = Math.random() + ""; var a = axel * 10000000000000; document.write('<iframe src="https://2542116.fls.doubleclick.net/activityi;src=2542116;type=gblog;cat=googl0;ord=ord=' + a + '?" width="1" height="1" frameborder="0" style="display:none"></iframe>'); //]]> </script> <noscript> <img alt='' height='1' src='https://ad.doubleclick.net/ddm/activity/src=2542116;type=gblog;cat=googl0;ord=1?' width='1'/> </noscript> <!-- Header --> <div class='header-outer'> <div class='header-inner'> <div class='section' id='header'><div class='widget Header' data-version='1' id='Header1'> <div class='header-left'> <div class='header-title'> <a class='google-logo' href='https://security.googleblog.com/'> <img height='50' src='https://www.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png'/> </a> <a href='/.'> <h2> Security Blog </h2> </a> </div> <div class='header-desc'> The latest news and insights from Google on security and safety on the Internet </div> </div> </div></div> </div> </div> <!-- all content wrapper start --> <div class='cols-wrapper loading'> <div class='col-main-wrapper'> <div class='col-main'> <div class='section' id='main'><div class='widget Blog' data-version='1' id='Blog1'> <div class='post' data-id='6853537089567770409' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2019/08/expanding-bug-bounties-on-google-play.html' itemprop='url' title='Expanding bug bounties on Google Play'> Expanding bug bounties on Google Play </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 29, 2019 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <p> <em>Posted by Adam Bacchus, Sebastian Porst, and Patrick Mutchler — Android Security & Privacy</em> </p> <p> <i>[Cross-posted from the <a 
href="https://android-developers.googleblog.com/2019/08/expanding-bug-bounties-on-google-play.html">Android Developers Blog</a>]</i><br /> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9YRRWBdcQNQVK2enJM7GnbVjh_OmfcsEu59dLnqUreLxPkx9FOkjdswLmwNEvvp04rsRpQEVFzWzaU29xjGAKk4AGH5qSnfysZexAxmen8W2ezE-IIm5ymVo4I93qRpRcQ8-C3KSl1cs/s1600/image1.png" imageanchor="1" ><img border="0" data-original-height="611" data-original-width="810" id="imgFull" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9YRRWBdcQNQVK2enJM7GnbVjh_OmfcsEu59dLnqUreLxPkx9FOkjdswLmwNEvvp04rsRpQEVFzWzaU29xjGAKk4AGH5qSnfysZexAxmen8W2ezE-IIm5ymVo4I93qRpRcQ8-C3KSl1cs/s1600/image1.png" /></a> </p> <p> We’re constantly looking for ways to further improve the security and privacy of our products, and the ecosystems they support. At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don’t always come from within. It is for this reason that we offer a broad range of vulnerability reward programs, encouraging the community to help us improve security for everyone. Today, we’re expanding on those efforts with some big changes to<a href="https://hackerone.com/googleplay"> Google Play Security Reward Program (GPSRP)</a>, as well as the launch of the new<a href="https://hackerone.com/ddp_reward_program"> Developer Data Protection Reward Program (DDPRP)</a>. </p> <h4><strong>Google Play Security Reward Program Scope Increases</strong></h4> <p> We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. 
If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community. </p> <p> Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the<a href="https://developer.android.com/google/play/asi"> App Security Improvement (ASI)</a> program, which provides information on the vulnerability and how to fix it. Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed. </p> <p> To date, GPSRP has paid out over $265,000 in bounties. Recent scope and<a href="https://security.googleblog.com/2019/07/bigger-rewards-for-security-bugs.html"> reward increases</a> have resulted in $75,500 in rewards across July & August alone. With these changes, we anticipate even further engagement from the security research community to bolster the success of the program. </p> <h2><strong>Introducing the Developer Data Protection Reward Program</strong></h2> <p> Today, we are also launching the<a href="https://hackerone.com/ddp_reward_program"> Developer Data Protection Reward Program</a>. DDPRP is a bounty program, in collaboration with HackerOne, meant to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. It<a href="https://hackerone.com/ddp_reward_program/thanks"> recognizes</a> the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies. 
</p> <p> The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, under a model similar to Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. While no reward table or maximum reward is listed at this time, depending on impact, a single report could net as large as a $50,000 bounty. </p> <p> As 2019 continues, we look forward to seeing what researchers find next. Thank you to the entire community for contributing to keeping our platforms and ecosystems safe. Happy bug hunting! </p> </p> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <p> <em>Posted by Adam Bacchus, Sebastian Porst, and Patrick Mutchler — Android Security & Privacy</em> </p> <p> <i>[Cross-posted from the <a href="https://android-developers.googleblog.com/2019/08/expanding-bug-bounties-on-google-play.html">Android Developers Blog</a>]</i><br /> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9YRRWBdcQNQVK2enJM7GnbVjh_OmfcsEu59dLnqUreLxPkx9FOkjdswLmwNEvvp04rsRpQEVFzWzaU29xjGAKk4AGH5qSnfysZexAxmen8W2ezE-IIm5ymVo4I93qRpRcQ8-C3KSl1cs/s1600/image1.png" imageanchor="1" ><img border="0" data-original-height="611" data-original-width="810" id="imgFull" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9YRRWBdcQNQVK2enJM7GnbVjh_OmfcsEu59dLnqUreLxPkx9FOkjdswLmwNEvvp04rsRpQEVFzWzaU29xjGAKk4AGH5qSnfysZexAxmen8W2ezE-IIm5ymVo4I93qRpRcQ8-C3KSl1cs/s1600/image1.png" /></a> </p> 
<p> We’re constantly looking for ways to further improve the security and privacy of our products, and the ecosystems they support. At Google, we understand the strength of open platforms and ecosystems, and that the best ideas don’t always come from within. It is for this reason that we offer a broad range of vulnerability reward programs, encouraging the community to help us improve security for everyone. Today, we’re expanding on those efforts with some big changes to<a href="https://hackerone.com/googleplay"> Google Play Security Reward Program (GPSRP)</a>, as well as the launch of the new<a href="https://hackerone.com/ddp_reward_program"> Developer Data Protection Reward Program (DDPRP)</a>. </p> <h4><strong>Google Play Security Reward Program Scope Increases</strong></h4> <p> We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs. These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program. In these scenarios, Google helps responsibly disclose identified vulnerabilities to the affected app developer. This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps. If the developers already have their own programs, researchers can collect rewards directly from them on top of the rewards from Google. We encourage app developers to start their own vulnerability disclosure or bug bounty program to work directly with the security researcher community. </p> <p> Vulnerability data from GPSRP helps Google create automated checks that scan all apps available in Google Play for similar vulnerabilities. Affected app developers are notified through the Play Console as part of the<a href="https://developer.android.com/google/play/asi"> App Security Improvement (ASI)</a> program, which provides information on the vulnerability and how to fix it. 
Over its lifetime, ASI has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play. In 2018 alone, the program helped over 30,000 developers fix over 75,000 apps. The downstream effect means that those 75,000 vulnerable apps are not distributed to users until the issue is fixed. </p> <p> To date, GPSRP has paid out over $265,000 in bounties. Recent scope and<a href="https://security.googleblog.com/2019/07/bigger-rewards-for-security-bugs.html"> reward increases</a> have resulted in $75,500 in rewards across July & August alone. With these changes, we anticipate even further engagement from the security research community to bolster the success of the program. </p> <h2><strong>Introducing the Developer Data Protection Reward Program</strong></h2> <p> Today, we are also launching the<a href="https://hackerone.com/ddp_reward_program"> Developer Data Protection Reward Program</a>. DDPRP is a bounty program, in collaboration with HackerOne, meant to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. It<a href="https://hackerone.com/ddp_reward_program/thanks"> recognizes</a> the contributions of individuals who help report apps that are violating Google Play, Google API, or Google Chrome Web Store Extensions program policies. </p> <p> The program aims to reward anyone who can provide verifiable and unambiguous evidence of data abuse, under a model similar to Google’s other vulnerability reward programs. In particular, the program aims to identify situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent. If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store. In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed. 
While no reward table or maximum reward is listed at this time, depending on impact, a single report could net as large as a $50,000 bounty. </p> <p> As 2019 continues, we look forward to seeing what researchers find next. Thank you to the entire community for contributing to keeping our platforms and ecosystems safe. Happy bug hunting! </p> </p> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2019/08/expanding-bug-bounties-on-google-play.html' 
data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> <span class='labels-caption'> Labels: </span> <span class='labels'> <a class='label' href='https://security.googleblog.com/search/label/android' rel='tag'> android </a> , <a class='label' href='https://security.googleblog.com/search/label/android%20security' rel='tag'> android security </a> , <a class='label' href='https://security.googleblog.com/search/label/Security' rel='tag'> Security </a> </span> </div> </div> </div> <div class='post' data-id='6559945585095176825' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2019/08/protecting-chrome-users-in-kazakhstan.html' itemprop='url' title='Protecting Chrome users in Kazakhstan'> Protecting Chrome users in Kazakhstan </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 21, 2019 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Andrew Whalley, Chrome Security</span><br /> <br /> When making secure connections, Chrome trusts certificates that have been locally installed on a user's computer or mobile device. This allows users to run tools to inspect and debug connections during website development, or for corporate environments to intercept and monitor internal traffic. 
It is not appropriate for this mechanism to be used to intercept traffic on the public internet.<br /> <br /> In response to <a href="https://censoredplanet.org/kazakhstan">recent actions</a> by the Kazakhstan government, Chrome, <a href="https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/">along with other browsers</a>, has taken steps to protect users from the interception or modification of TLS connections made to websites.<br /> <br /> Chrome will be blocking the certificate the Kazakhstan government required users to install:<br /> <br /> <div align="left" dir="ltr" style="margin-left: 0pt;"> <table style="border-collapse: collapse; border: none;"><colgroup><col width="166"></col><col width="390"></col></colgroup><tbody> <tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Common Name</span></span></div> </td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Qaznet Trust Network</span></span></div> </td></tr> <tr style="height: 
0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">SHA-256 Fingerprint</span></span></div> </td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">00:30:9C:73:6D:D6:61:DA:6F:1E:B2:41:73:AA:84:99:44:C1:68:A4:3A:15:</span></span></div> <div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">BF:FD:19:2E:EC:FD:B6:F8:DB:D2</span></span></div> </td></tr> <tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: 
normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">SHA-256 of Subject Public Key Info</span></span></div> </td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">B5:BA:8D:D7:F8:95:64:C2:88:9D:3D:64:53:C8:49:98:C7:78:24:91:9B:64:</span></span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">EA:08:35:AA:62:98:65:91:BE:50</span></span></div> </td></tr> </tbody></table> </div> <br /> <br /> The certificate has been added to <a href="https://dev.chromium.org/Home/chromium-security/crlsets">CRLSet</a>. No action is needed by users to be protected. In addition, the certificate <a href="https://chromium.googlesource.com/chromium/src.git/+/f0596779e57f46fccb115a0fd65f0305894e3031">has been added</a> to a blocklist in the Chromium source code and thus should be included in other Chromium based browsers in due course. 
<span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Andrew Whalley, Chrome Security</span><br /> <br /> When making secure connections, Chrome trusts certificates that have been locally installed on a user's computer or mobile device. This allows users to run tools to inspect and debug connections during website development, or for corporate environments to intercept and monitor internal traffic. It is not appropriate for this mechanism to be used to intercept traffic on the public internet.<br /> <br /> In response to <a href="https://censoredplanet.org/kazakhstan">recent actions</a> by the Kazakhstan government, Chrome, <a href="https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/">along with other browsers</a>, has taken steps to protect users from the interception or modification of TLS connections made to websites.<br /> <br /> Chrome will be blocking the certificate the Kazakhstan government required users to install:<br /> <br /> <div align="left" dir="ltr" style="margin-left: 0pt;"> <table style="border-collapse: collapse; border: none;"><colgroup><col width="166"></col><col width="390"></col></colgroup><tbody> <tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Common Name</span></span></div> </td><td style="border-bottom: solid #000000 
1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Qaznet Trust Network</span></span></div> </td></tr> <tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">SHA-256 Fingerprint</span></span></div> </td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">00:30:9C:73:6D:D6:61:DA:6F:1E:B2:41:73:AA:84:99:44:C1:68:A4:3A:15:</span></span></div> <div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; 
text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">BF:FD:19:2E:EC:FD:B6:F8:DB:D2</span></span></div> </td></tr> <tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">SHA-256 of Subject Public Key Info</span></span></div> </td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">B5:BA:8D:D7:F8:95:64:C2:88:9D:3D:64:53:C8:49:98:C7:78:24:91:9B:64:</span></span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">EA:08:35:AA:62:98:65:91:BE:50</span></span></div> </td></tr> </tbody></table> </div> <br /> <br /> The certificate has been added to <a href="https://dev.chromium.org/Home/chromium-security/crlsets">CRLSet</a>. No action is needed by users to be protected. 
In addition, the certificate <a href="https://chromium.googlesource.com/chromium/src.git/+/f0596779e57f46fccb115a0fd65f0305894e3031">has been added</a> to a blocklist in the Chromium source code and thus should be included in other Chromium based browsers in due course. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2019/08/protecting-chrome-users-in-kazakhstan.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' 
rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='1608500056046236991' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2019/08/how-google-adopted-beyondcorp-part-2.html' itemprop='url' title='How Google adopted BeyondCorp: Part 2 (devices)'> How Google adopted BeyondCorp: Part 2 (devices) </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 20, 2019 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author" style="font-family: inherit;">Posted by Matt McDonald, Software Engineer, and Sebastian Harl, Software Engineer </span><br /> <span style="font-family: inherit;"><br /></span> <span style="font-family: inherit;"><br /></span> <span style="font-family: inherit; font-size: large;"><b>Intro </b></span><br /> <span style="font-family: inherit; font-size: large;"><b><br /></b></span> <span style="font-family: inherit;">This is the second post in a series of four, in which we set out to revisit various <a href="https://cloud.google.com/beyondcorp/">BeyondCorp</a> topics and share lessons that were learnt along the internal implementation path at Google.<br /><br />The <a href="https://security.googleblog.com/2019/06/how-google-adopted-beyondcorp.html">first post</a> in this series focused on providing necessary context for how Google adopted BeyondCorp. This post will focus on managing devices - how we decide whether or not a device should be trusted and why that distinction is necessary. 
Device management provides both the data and guarantees required for making access decisions by securing the endpoints and providing additional context about them.</span><br /> <div> <span style="font-family: inherit;"><br /></span></div> <span style="font-family: inherit; font-size: large;"><b>How do we manage devices?</b></span><br /> <span style="font-family: inherit; font-size: large;"><b><br /></b></span> <span style="font-family: inherit;">At Google, we use the following principles to run our device fleet securely and at scale:</span><br /> <ul> <li><span style="font-family: inherit;">Secure default settings at depth with central enforcement</span></li> <li><span style="font-family: inherit;">Ensure a scalable process</span></li> <li><span style="font-family: inherit;">Invest in fleet testing, monitoring, and phased rollouts</span></li> <li><span style="font-family: inherit;">Ensure high quality data</span></li> </ul> <span style="font-family: inherit;"><u>Secure default settings</u><br /><br /><a href="https://en.wikipedia.org/wiki/Defense_in_depth_(computing)">Defense in depth</a> requires us to layer our security defenses such that an attacker would need to pass multiple controls in an attack. To uphold this defensive position at scale, we centrally manage and measure various qualities of our devices, covering all layers of the platform:</span><br /> <ul> <li><span style="font-family: inherit;">Hardware/firmware configuration</span></li> <li><span style="font-family: inherit;">Operating system and software</span></li> <li><span style="font-family: inherit;">User settings and modifications</span></li> </ul> <span style="font-family: inherit;">We use automated configuration management systems to continuously enforce our security and compliance policies. Independently, we observe the state of our hardware and software. 
This allows us to determine divergence from the expected state and verify whether it is an anomaly.<br /><br />Where possible, our platforms use native OS capabilities to protect against malicious software, and we extend those capabilities across our platforms with custom and commercial tooling.</span><br /> <i><span style="font-family: inherit;"><br /></span></i> <span style="font-family: inherit;"><u>Scalable process</u></span><br /> <div> <span style="font-family: inherit;"><br />Google manages a fleet of several hundred thousand client devices (workstations, laptops, mobile devices) for employees who are spread across the world. We scale the engineering teams who manage these devices by relying on reviewable, repeatable, and automated backend processes and minimizing GUI-based configuration tools. By using and developing open-source software and integrating it with internal solutions, we reach a level of flexibility that allows us to manage fleets at scale without sacrificing customizability for our users. The focus is on operating system agnostic server and client solutions, where possible, to avoid duplication of effort.<br /><br />Software for all platforms is provided by repositories which verify the integrity of software packages before making them available to users. The same system is used for distributing configuration settings and management tools, which enforce policies on client systems using the open-source configuration management system <a href="https://puppet.com/">Puppet</a>, running in standalone mode. In combination, this allows us to easily scale infrastructure and management horizontally as described in more detail and with examples in one of our BeyondCorp whitepapers, <a href="https://ai.google/research/pubs/pub46587">Fleet Management at Scale</a>.<br /><br />All device management policies are stored in centralized systems which allow settings to be applied both at the fleet and the individual device level. 
This way policy owners and device owners can manage sensible defaults or per-device overrides in the same system, allowing audits of settings and exceptions. Depending on the type of exception, they may either be managed self-service by the user, require approval from appropriate parties, or affect the trust level of the affected device. This way, we aim to guarantee user satisfaction and security simultaneously.</span><br /> <span style="font-family: inherit;"><br /></span> <span style="font-family: inherit;"><u>Fleet testing, monitoring, and phased rollouts</u><br /><br />Applying changes at scale to a large heterogeneous fleet can be challenging. At Google, we have automated test labs which allow us to test changes before we deploy them to the fleet. Rollouts to the client fleet usually follow multiple stages and random canarying, similar to common practices with service management. Furthermore, we monitor various status attributes of our fleet which allows us to detect issues before they spread widely.<br /><br /><u>High quality data</u><br /><br />Device management depends on the quality of device data. Both configuration and trust decisions are keyed off of inventory information. At Google, we track all devices in centralized asset management systems. This allows us to not only observe the current (runtime) state of a device, but also whether it’s a legitimate Google device. These systems store hardware attributes as well as the assignment and status of devices, which lets us match and compare prescribed values to those which are observed.<br /><br />Prior to implementing BeyondCorp, we performed a fleet-wide audit to ensure the quality of inventory data, and we perform smaller audits regularly across the fleet. Automation is key to achieving this, both for entering data initially and for detecting divergence at later points. 
For example, instead of having a human enter data into the system manually, we use digital manifests and barcode scanners as much as possible.</span><br /> <b style="font-family: inherit;"><span style="font-size: large;"><br /></span></b> <b style="font-family: inherit;"><span style="font-size: large;">How do we figure out whether devices are trustworthy?</span></b><br /> <span style="font-family: inherit;"><br /></span> <span style="font-family: inherit;">After appropriate management systems have been put in place, and data quality goals have been met, the pertinent security information related to a device can be used to establish a "trust" decision as to whether a given action should be allowed to be performed from the device.</span></div> <div> <span style="font-family: inherit;"><br /></span></div> <div style="text-align: center;"> <span style="font-family: inherit;"><br /></span></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-uuXSIjsIQZs/XVoRQf7rdcI/AAAAAAAAAvc/WrpLlfAKwTcmVCX30L_eIhH7Ea9FMmuXQCLcBGAs/s1600/byc1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" data-original-height="468" data-original-width="1258" height="148" src="https://1.bp.blogspot.com/-uuXSIjsIQZs/XVoRQf7rdcI/AAAAAAAAAvc/WrpLlfAKwTcmVCX30L_eIhH7Ea9FMmuXQCLcBGAs/s400/byc1.png" width="400" /></span></a></div> <div style="text-align: center;"> <span style="font-family: inherit;"><br /></span></div> <div style="text-align: center;"> <i><span style="font-family: inherit;">High level architecture for BeyondCorp</span></i></div> <div style="text-align: center;"> <span style="font-family: inherit;"><br /></span></div> <span style="font-family: inherit;"></span><br /> <div style="text-align: left;"> <span style="font-family: inherit;">This decision can be most effectively made when an abundance of information about the device is readily available. 
At Google, we use an aggregated data pipeline to gather information from various sources, which each contain a limited subset of knowledge about a device and its history, and make this data available at the point when a trust decision is being made.</span></div> <span style="font-family: inherit;"> <br />Various systems and repositories are employed within Google to perform collection and storage of device data that is relevant to security. These include tools like asset management repositories, device management solutions, vulnerability scanners, and internal directory services, which contain information and state about the multitude of physical device types (e.g., desktops, laptops, phones, tablets), as well as virtual desktops, used by employees at the company.<br /><br />Having data from these various types of information systems available when making a trust decision for a given device can certainly be advantageous. However, challenges can present themselves when attempting to correlate records from a diverse set of systems which may not have a clear, consistent way to reference the identity of a given device. The challenge of implementation has been offset by the gains in security policy flexibility and improvements in securing our data.</span><br /> <div> <span style="font-family: inherit;"><br /></span></div> <span style="font-family: inherit;"><b><span style="font-size: large;">What lessons did we learn?</span></b><br />As we rolled out BeyondCorp, we iteratively improved our fleet management and inventory processes as outlined above. These improvements are based on various lessons we learned around data quality challenges.<br /><br /><u>Audit your data ahead of implementing BeyondCorp</u><br /><br />Data quality issues and inaccuracies are almost certain to be present in an asset management system of any substantial size, and these issues must be corrected before the data can be utilized in a manner which will have a significant impact on user experience. 
Having the means to compare values that have been manually entered into such systems against similar data that has been collected from devices via automation can allow for the correction of discrepancies that might otherwise interrupt the intended behavior of the system.</span><br /> <div> <span style="font-family: inherit;"><br /><u>Prepare to encounter unforeseen data quality challenges</u><br /><br />Numerous data incorrectness scenarios and challenging issues are likely to present themselves as the reliance on accurate data increases. For example, be prepared to encounter issues with data ingestion processes that rely on transcribing device identifier information, which is physically labeled on devices or their packaging, and may incorrectly differ from identifier data that is digitally imprinted on the device.<br /><br />In addition, overreliance on the assumed uniqueness of certain device identifiers can sometimes be problematic in the rare cases where conventionally unique attributes, like serial numbers, can appear more than once in the device fleet (this can be especially exacerbated in the case of virtual desktops, where such identifiers may be chosen by a user without regard for such concerns).<br /><br />Lastly, routine maintenance and hardware replacements performed on employee devices can result in ambiguous situations with regard to the "identity" of a device. When internal device components, like network adapters or mainboards, are found to be defective and replaced, the device's identity can be changed into a state which no longer matches the known inventory data if care is not taken to correctly reflect such changes. </span><br /> <div> <span style="font-family: inherit;"><br /><u>Implement controls to maintain high quality asset inventory</u><br /><br />After inventory data has been brought to an acceptable correctness level, mechanisms should be put into place to limit the ability for new inaccuracies to be introduced. 
For example, at Google, data correctness checks have been integrated into the provisioning process for new devices so that inventory records must be correct before a device can be successfully imaged with an operating system, ensuring that the device will meet required data accuracy standards before being delivered to an employee.</span></div> </div> <div> <span style="font-family: inherit;"><br /></span></div> <span style="font-family: inherit;"><b><span style="font-size: large;">Next time</span></b><br />In the next post in this series, we will discuss a tiered access approach, how to create rule-based trust and the lessons we’ve learned through that process.<br /><br />In the meantime, if you want to learn more, you can check out the <a href="https://cloud.google.com/beyondcorp/#researchPapers">BeyondCorp research papers</a>. In addition, getting started with BeyondCorp is now easier using zero trust solutions from <a href="https://cloud.google.com/context-aware-access/">Google Cloud (context-aware access)</a> and other enterprise providers.<br /><br /><i>Thank you to the editors of the BeyondCorp blog post series, Puneet Goel (Product Manager), Lior Tishbi (Program Manager), and Justin McWilliams (Engineering Manager).</i></span> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author" style="font-family: inherit;">Posted by Matt McDonald, Software Engineer, and Sebastian Harl, Software Engineer </span><br /> <span style="font-family: inherit;"><br /></span> <span style="font-family: inherit;"><br /></span> <span style="font-family: inherit; font-size: large;"><b>Intro </b></span><br /> <span style="font-family: inherit; font-size: large;"><b><br /></b></span> <span style="font-family: inherit;">This is the second post in a series of four, in which we set out to revisit various <a 
href="https://cloud.google.com/beyondcorp/">BeyondCorp</a> topics and share lessons that were learnt along the internal implementation path at Google.<br /><br />The <a href="https://security.googleblog.com/2019/06/how-google-adopted-beyondcorp.html">first post</a> in this series focused on providing necessary context for how Google adopted BeyondCorp. This post will focus on managing devices - how we decide whether or not a device should be trusted and why that distinction is necessary. Device management provides both the data and guarantees required for making access decisions by securing the endpoints and providing additional context about them.</span><br /> <div> <span style="font-family: inherit;"><br /></span></div> <span style="font-family: inherit; font-size: large;"><b>How do we manage devices?</b></span><br /> <span style="font-family: inherit; font-size: large;"><b><br /></b></span> <span style="font-family: inherit;">At Google, we use the following principles to run our device fleet securely and at scale:</span><br /> <ul> <li><span style="font-family: inherit;">Secure default settings at depth with central enforcement</span></li> <li><span style="font-family: inherit;">Ensure a scalable process</span></li> <li><span style="font-family: inherit;">Invest in fleet testing, monitoring, and phased rollouts</span></li> <li><span style="font-family: inherit;">Ensure high quality data</span></li> </ul> <span style="font-family: inherit;"><u>Secure default settings</u><br /><br /><a href="https://en.wikipedia.org/wiki/Defense_in_depth_(computing)">Defense in depth</a> requires us to layer our security defenses such that an attacker would need to pass multiple controls in an attack. 
To uphold this defensive position at scale, we centrally manage and measure various qualities of our devices, covering all layers of the platform;</span><br /> <ul> <li><span style="font-family: inherit;">Hardware/firmware configuration</span></li> <li><span style="font-family: inherit;">Operating system and software</span></li> <li><span style="font-family: inherit;">User settings and modifications</span></li> </ul> <span style="font-family: inherit;">We use automated configuration management systems to continuously enforce our security and compliance policies. Independently, we observe the state of our hardware and software. This allows us to determine divergence from the expected state and verify whether it is an anomaly.<br /><br />Where possible, our platforms use native OS capabilities to protect against malicious software, and we extend those capabilities across our platforms with custom and commercial tooling.</span><br /> <i><span style="font-family: inherit;"><br /></span></i> <span style="font-family: inherit;"><u>Scalable process</u></span><br /> <div> <span style="font-family: inherit;"><br />Google manages a fleet of several hundred thousand client devices (workstations, laptops, mobile devices) for employees who are spread across the world. We scale the engineering teams who manage these devices by relying on reviewable, repeatable, and automated backend processes and minimizing GUI-based configuration tools. By using and developing open-source software and integrating it with internal solutions, we reach a level of flexibility that allows us to manage fleets at scale without sacrificing customizability for our users. The focus is on operating system agnostic server and client solutions, where possible, to avoid duplication of effort.<br /><br />Software for all platforms is provided by repositories which verify the integrity of software packages before making them available to users. 
The same system is used for distributing configuration settings and management tools, which enforce policies on client systems using the open-source configuration management system <a href="https://puppet.com/">Puppet</a>, running in standalone mode. In combination, this allows us to easily scale infrastructure and management horizontally as described in more detail and with examples in one of our BeyondCorp whitepapers, <a href="https://ai.google/research/pubs/pub46587">Fleet Management at Scale</a>.<br /><br />All device management policies are stored in centralized systems which allow settings to be applied both at the fleet and the individual device level. This way policy owners and device owners can manage sensible defaults or per-device overrides in the same system, allowing audits of settings and exceptions. Depending on the type of exception, they may either be managed self-service by the user, require approval from appropriate parties, or affect the trust level of the affected device. This way, we aim to guarantee user satisfaction and security simultaneously.</span><br /> <span style="font-family: inherit;"><br /></span> <span style="font-family: inherit;"><u>Fleet testing, monitoring, and phased rollouts</u><br /><br />Applying changes at scale to a large heterogeneous fleet can be challenging. At Google, we have automated test labs which allow us to test changes before we deploy them to the fleet. Rollouts to the client fleet usually follow multiple stages and random canarying, similar to common practices with service management. Furthermore, we monitor various status attributes of our fleet which allows us to detect issues before they spread widely.<br /><br /><u>High quality data</u><br /><br />Device management depends on the quality of device data. Both configuration and trust decisions are keyed off of inventory information. At Google, we track all devices in centralized asset management systems. 
This allows us to not only observe the current (runtime) state of a device, but also whether it’s a legitimate Google device. These systems store hardware attributes as well as the assignment and status of devices, which lets us match and compare prescribed values to those which are observed.<br /><br />Prior to implementing BeyondCorp, we performed a fleet-wide audit to ensure the quality of inventory data, and we perform smaller audits regularly across the fleet. Automation is key to achieving this, both for entering data initially and for detecting divergence at later points. For example, instead of having a human enter data into the system manually, we use digital manifests and barcode scanners as much as possible.</span><br /> <b style="font-family: inherit;"><span style="font-size: large;"><br /></span></b> <b style="font-family: inherit;"><span style="font-size: large;">How do we figure out whether devices are trustworthy?</span></b><br /> <span style="font-family: inherit;"><br /></span> <span style="font-family: inherit;">After appropriate management systems have been put in place, and data quality goals have been met, the pertinent security information related to a device can be used to establish a "trust" decision as to whether a given action should be allowed to be performed from the device.</span></div> <div> <span style="font-family: inherit;"><br /></span></div> <div style="text-align: center;"> <span style="font-family: inherit;"><br /></span></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-uuXSIjsIQZs/XVoRQf7rdcI/AAAAAAAAAvc/WrpLlfAKwTcmVCX30L_eIhH7Ea9FMmuXQCLcBGAs/s1600/byc1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: inherit;"><img border="0" data-original-height="468" data-original-width="1258" height="148" src="https://1.bp.blogspot.com/-uuXSIjsIQZs/XVoRQf7rdcI/AAAAAAAAAvc/WrpLlfAKwTcmVCX30L_eIhH7Ea9FMmuXQCLcBGAs/s400/byc1.png" width="400" 
/></span></a></div> <div style="text-align: center;"> <span style="font-family: inherit;"><br /></span></div> <div style="text-align: center;"> <i><span style="font-family: inherit;">High level architecture for BeyondCorp</span></i></div> <div style="text-align: center;"> <span style="font-family: inherit;"><br /></span></div> <span style="font-family: inherit;"></span><br /> <div style="text-align: left;"> <span style="font-family: inherit;">This decision can be most effectively made when an abundance of information about the device is readily available. At Google, we use an aggregated data pipeline to gather information from various sources, which each contain a limited subset of knowledge about a device and its history, and make this data available at the point when a trust decision is being made.</span></div> <span style="font-family: inherit;"> <br />Various systems and repositories are employed within Google to perform collection and storage of device data that is relevant to security. These include tools like asset management repositories, device management solutions, vulnerability scanners, and internal directory services, which contain information and state about the multitude of physical device types (e.g., desktops, laptops, phones, tablets), as well as virtual desktops, used by employees at the company.<br /><br />Having data from these various types of information systems available when making a trust decision for a given device can certainly be advantageous. However, challenges can present themselves when attempting to correlate records from a diverse set of systems which may not have a clear, consistent way to reference the identity of a given device. 
The challenge of implementation has been offset by the gains in security policy flexibility and improvements in securing our data.</span><br /> <div> <span style="font-family: inherit;"><br /></span></div> <span style="font-family: inherit;"><b><span style="font-size: large;">What lessons did we learn?</span></b><br />As we rolled out BeyondCorp, we iteratively improved our fleet management and inventory processes as outlined above. These improvements are based on various lessons we learned around data quality challenges.<br /><br /><u>Audit your data ahead of implementing BeyondCorp</u><br /><br />Data quality issues and inaccuracies are almost certain to be present in an asset management system of any substantial size, and these issues must be corrected before the data can be utilized in a manner which will have a significant impact on user experience. Having the means to compare values that have been manually entered into such systems against similar data that has been collected from devices via automation can allow for the correction of discrepancies, which may interrupt the intended behavior of the system.</span><br /> <div> <span style="font-family: inherit;"><br /><u>Prepare to encounter unforeseen data quality challenges</u><br /><br />Numerous data incorrectness scenarios and challenging issues are likely to present themselves as the reliance on accurate data increases. 
For example, be prepared to encounter issues with data ingestion processes that rely on transcribing device identifier information, which is physically labeled on devices or their packaging, and may incorrectly differ from identifier data that is digitally imprinted on the device.<br /><br />In addition, overreliance on the assumed uniqueness of certain device identifiers can sometimes be problematic in the rare cases where conventionally unique attributes, like serial numbers, can appear more than once in the device fleet (this can be especially exacerbated in the case of virtual desktops, where such identifiers may be chosen by a user without regard for such concerns).<br /><br />Lastly, routine maintenance and hardware replacements performed on employee devices can result in ambiguous situations with regard to the "identity" of a device. When internal device components, like network adapters or mainboards, are found to be defective and replaced, the device's identity can be changed into a state which no longer matches the known inventory data if care is not taken to correctly reflect such changes. </span><br /> <div> <span style="font-family: inherit;"><br /><u>Implement controls to maintain high quality asset inventory</u><br /><br />After inventory data has been brought to an acceptable correctness level, mechanisms should be put into place to limit the ability for new inaccuracies to be introduced. 
For example, at Google, data correctness checks have been integrated into the provisioning process for new devices so that inventory records must be correct before a device can be successfully imaged with an operating system, ensuring that the device will meet required data accuracy standards before being delivered to an employee.</span></div> </div> <div> <span style="font-family: inherit;"><br /></span></div> <span style="font-family: inherit;"><b><span style="font-size: large;">Next time</span></b><br />In the next post in this series, we will discuss a tiered access approach, how to create rule-based trust and the lessons we’ve learned through that process.<br /><br />In the meantime, if you want to learn more, you can check out the <a href="https://cloud.google.com/beyondcorp/#researchPapers">BeyondCorp research papers</a>. In addition, getting started with BeyondCorp is now easier using zero trust solutions from <a href="https://cloud.google.com/context-aware-access/">Google Cloud (context-aware access)</a> and other enterprise providers.<br /><br /><i>Thank you to the editors of the BeyondCorp blog post series, Puneet Goel (Product Manager), Lior Tishbi (Program Manager), and Justin McWilliams (Engineering Manager).</i></span> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div>
</div> <div class='post' data-id='8865565997284811995' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2019/08/new-research-lessons-from-password.html' itemprop='url' title='New Research: Lessons from Password Checkup in action'> New Research: Lessons from Password Checkup in action </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 15, 2019 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Jennifer Pullman, Kurt Thomas, and Elie Bursztein, Spam and Abuse research</span><br /> <br /> Back in February, we <a 
href="https://security.googleblog.com/2019/02/protect-your-accounts-from-data.html">announced</a> the <a href="https://chrome.google.com/webstore/detail/password-checkup/pncabnpcffmalkkjpajodfhijclecjno">Password Checkup extension</a> for Chrome to help keep all your online accounts safe from hijacking. The extension displays a warning whenever you sign in to a site using one of over 4 billion usernames and passwords that Google knows to be unsafe due to a <a href="https://security.googleblog.com/2017/11/new-research-understanding-root-cause.html">third-party data breach</a>. Since our launch, over 650,000 people have participated in our early experiment. In the first month alone, we scanned 21 million usernames and passwords and flagged over 316,000 as unsafe---1.5% of sign-ins scanned by the extension.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1cWgO4xKJY3Nnh1eQR9sQhhsHJm_c-FAxwuXaNQbXlWRsK-Zld0vZUTXjfX8HFUwh_mmEXH5k7RQJOyAV9QaOhV7zMzkFut02GDdDt9MrfuIJnovgcUlyvAiCpzuJK0Lp18HV-MuUiaU/s1600/Desktop+HD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1232" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1cWgO4xKJY3Nnh1eQR9sQhhsHJm_c-FAxwuXaNQbXlWRsK-Zld0vZUTXjfX8HFUwh_mmEXH5k7RQJOyAV9QaOhV7zMzkFut02GDdDt9MrfuIJnovgcUlyvAiCpzuJK0Lp18HV-MuUiaU/s640/Desktop+HD.png" width="640" /></a></div> Today, we are sharing our most recent lessons from the launch and announcing an updated set of features for the Password Checkup extension. 
Our full research study, available <a href="https://ai.google/research/pubs/pub48399">here</a>, will be presented this week as part of the <a href="https://www.usenix.org/conference/usenixsecurity19">USENIX Security Symposium</a>.<br /> <br /> <b>Which accounts are most at risk?</b><br /> <b><br /></b> Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach. If you use <a href="https://www.blog.google/technology/safety-security/five-things-you-can-do-right-now-to-stay-safer-online/">strong, unique passwords for all your accounts</a>, this risk disappears. Based on anonymous telemetry reported by the Password Checkup extension, we found that users reused breached, unsafe credentials for some of their most sensitive financial, government, and email accounts. This risk was even more prevalent on shopping sites (where users may save credit card details), news, and entertainment sites.<br /> <br /> In fact, outside the most popular web sites, users are 2.5X more likely to reuse vulnerable passwords, putting their account at risk of hijacking.<br /> <table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKue6GUGI18RwYs3ZPg20SeF4W4F1mhYJfKOfg9N_aWbaFyEmBllSEuL1olRv04oA0kPm040rxJxuyPjv_V8EZ6XyIg3RyXGcZx74096kDPN1qddpa8_sG1VL_A129sKKul1vYiG0Kd_Q/s1600/pasted+image+0+%25282%2529.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="814" data-original-width="1600" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKue6GUGI18RwYs3ZPg20SeF4W4F1mhYJfKOfg9N_aWbaFyEmBllSEuL1olRv04oA0kPm040rxJxuyPjv_V8EZ6XyIg3RyXGcZx74096kDPN1qddpa8_sG1VL_A129sKKul1vYiG0Kd_Q/s640/pasted+image+0+%25282%2529.png" width="640" /></a></td></tr> <tr><td class="tr-caption" 
style="text-align: center;">Anonymous telemetry reported by Password Checkup extension shows that users most often reuse vulnerable passwords on shopping, news, and entertainment sites.</td></tr> </tbody></table> <br /> <div style="text-align: center;"> <span style="font-weight: 700;"><br /></span></div> <b>Helping users re-secure their unsafe passwords</b><br /> <b><br /></b> Our research shows that users opt to reset 26% of the unsafe passwords flagged by the Password Checkup extension. Even better, 60% of new passwords are secure against guessing attacks—meaning it would take an attacker over a hundred million guesses before identifying the new password.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6HzyEwWcCLmOjdqoT3Rg1RQ9ZHLTS8nLIMGcntCvKXFZxaR3XYSTXmwTBP0xZvaPe9L10JJkQUZ-S4n9Jt-80TtP03zWmfDEVDdaFVjJO3Cltc2CoxPWXG94CGv-pmUqV96PTUzpzuzs/s1600/pasted+image+0+%25283%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1388" data-original-width="1600" height="554" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6HzyEwWcCLmOjdqoT3Rg1RQ9ZHLTS8nLIMGcntCvKXFZxaR3XYSTXmwTBP0xZvaPe9L10JJkQUZ-S4n9Jt-80TtP03zWmfDEVDdaFVjJO3Cltc2CoxPWXG94CGv-pmUqV96PTUzpzuzs/s640/pasted+image+0+%25283%2529.png" width="640" /></a></div> <b>Improving the Password Checkup extension</b><br /> <b><br /></b> Today, we are also releasing two new features for the Password Checkup extension. The first is a direct feedback mechanism where users can inform us about any issues that they are facing via a quick comment box. The second gives users even more control over their data. It allows users to opt-out of the anonymous telemetry that the extension reports, including the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage. 
By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information.<br /> <br /> <br /> We're continuing to improve the Password Checkup extension and exploring ways to implement its technology into Google products. For help keeping all your online accounts safe from hijacking, you can install the Password Checkup extension <a href="https://chrome.google.com/webstore/detail/password-checkup/pncabnpcffmalkkjpajodfhijclecjno">here</a> today. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Jennifer Pullman, Kurt Thomas, and Elie Bursztein, Spam and Abuse research</span><br /> <br /> Back in February, we <a href="https://security.googleblog.com/2019/02/protect-your-accounts-from-data.html">announced</a> the <a href="https://chrome.google.com/webstore/detail/password-checkup/pncabnpcffmalkkjpajodfhijclecjno">Password Checkup extension</a> for Chrome to help keep all your online accounts safe from hijacking. The extension displays a warning whenever you sign in to a site using one of over 4 billion usernames and passwords that Google knows to be unsafe due to a <a href="https://security.googleblog.com/2017/11/new-research-understanding-root-cause.html">third-party data breach</a>. Since our launch, over 650,000 people have participated in our early experiment. 
In the first month alone, we scanned 21 million usernames and passwords and flagged over 316,000 as unsafe---1.5% of sign-ins scanned by the extension.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1cWgO4xKJY3Nnh1eQR9sQhhsHJm_c-FAxwuXaNQbXlWRsK-Zld0vZUTXjfX8HFUwh_mmEXH5k7RQJOyAV9QaOhV7zMzkFut02GDdDt9MrfuIJnovgcUlyvAiCpzuJK0Lp18HV-MuUiaU/s1600/Desktop+HD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1232" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1cWgO4xKJY3Nnh1eQR9sQhhsHJm_c-FAxwuXaNQbXlWRsK-Zld0vZUTXjfX8HFUwh_mmEXH5k7RQJOyAV9QaOhV7zMzkFut02GDdDt9MrfuIJnovgcUlyvAiCpzuJK0Lp18HV-MuUiaU/s640/Desktop+HD.png" width="640" /></a></div> Today, we are sharing our most recent lessons from the launch and announcing an updated set of features for the Password Checkup extension. Our full research study, available <a href="https://ai.google/research/pubs/pub48399">here</a>, will be presented this week as part of the <a href="https://www.usenix.org/conference/usenixsecurity19">USENIX Security Symposium</a>.<br /> <br /> <b>Which accounts are most at risk?</b><br /> <b><br /></b> Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach. If you use <a href="https://www.blog.google/technology/safety-security/five-things-you-can-do-right-now-to-stay-safer-online/">strong, unique passwords for all your accounts</a>, this risk disappears. Based on anonymous telemetry reported by the Password Checkup extension, we found that users reused breached, unsafe credentials for some of their most sensitive financial, government, and email accounts. 
This risk was even more prevalent on shopping sites (where users may save credit card details), news, and entertainment sites.<br /> <br /> In fact, outside the most popular web sites, users are 2.5X more likely to reuse vulnerable passwords, putting their account at risk of hijacking.<br /> <table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKue6GUGI18RwYs3ZPg20SeF4W4F1mhYJfKOfg9N_aWbaFyEmBllSEuL1olRv04oA0kPm040rxJxuyPjv_V8EZ6XyIg3RyXGcZx74096kDPN1qddpa8_sG1VL_A129sKKul1vYiG0Kd_Q/s1600/pasted+image+0+%25282%2529.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="814" data-original-width="1600" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKue6GUGI18RwYs3ZPg20SeF4W4F1mhYJfKOfg9N_aWbaFyEmBllSEuL1olRv04oA0kPm040rxJxuyPjv_V8EZ6XyIg3RyXGcZx74096kDPN1qddpa8_sG1VL_A129sKKul1vYiG0Kd_Q/s640/pasted+image+0+%25282%2529.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Anonymous telemetry reported by Password Checkup extension shows that users most often reuse vulnerable passwords on shopping, news, and entertainment sites.</td></tr> </tbody></table> <br /> <div style="text-align: center;"> <span style="font-weight: 700;"><br /></span></div> <b>Helping users re-secure their unsafe passwords</b><br /> <b><br /></b> Our research shows that users opt to reset 26% of the unsafe passwords flagged by the Password Checkup extension. 
Even better, 60% of new passwords are secure against guessing attacks—meaning it would take an attacker over a hundred million guesses before identifying the new password.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6HzyEwWcCLmOjdqoT3Rg1RQ9ZHLTS8nLIMGcntCvKXFZxaR3XYSTXmwTBP0xZvaPe9L10JJkQUZ-S4n9Jt-80TtP03zWmfDEVDdaFVjJO3Cltc2CoxPWXG94CGv-pmUqV96PTUzpzuzs/s1600/pasted+image+0+%25283%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1388" data-original-width="1600" height="554" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6HzyEwWcCLmOjdqoT3Rg1RQ9ZHLTS8nLIMGcntCvKXFZxaR3XYSTXmwTBP0xZvaPe9L10JJkQUZ-S4n9Jt-80TtP03zWmfDEVDdaFVjJO3Cltc2CoxPWXG94CGv-pmUqV96PTUzpzuzs/s640/pasted+image+0+%25283%2529.png" width="640" /></a></div> <b>Improving the Password Checkup extension</b><br /> <b><br /></b> Today, we are also releasing two new features for the Password Checkup extension. The first is a direct feedback mechanism where users can inform us about any issues that they are facing via a quick comment box. The second gives users even more control over their data. It allows users to opt-out of the anonymous telemetry that the extension reports, including the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage. By design, the Password Checkup extension ensures that Google never learns your username or password, regardless of whether you enable telemetry, but we still want to provide this option if users would prefer not to share this information.<br /> <br /> <br /> We're continuing to improve the Password Checkup extension and exploring ways to implement its technology into Google products. 
For help keeping all your online accounts safe from hijacking, you can install the Password Checkup extension <a href="https://chrome.google.com/webstore/detail/password-checkup/pncabnpcffmalkkjpajodfhijclecjno">here</a> today. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div>
</div> <div class='post' data-id='3766680943280619191' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2019/08/making-authentication-even-easier-with_12.html' itemprop='url' title='Making authentication even easier with FIDO2-based local user verification for Google Accounts'> Making authentication even easier with FIDO2-based local user verification for Google Accounts </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 12, 2019 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Dongjing He, Software Engineer and Christiaan Brand, Product Manager </span><br /> <span class="byline-author"><br /></span> <span style="font-family: inherit;">Passwords, combined with Google's automated protections, help secure billions of users around the world. But, new security technologies are surpassing passwords in terms of both strength and convenience. With this in mind, we are happy to announce that you can verify your identity by using your fingerprint or screen lock instead of a password when visiting certain Google services. 
The feature is available today on Pixel devices and coming to all Android 7+ devices over the next few days.</span><div> <span style="font-family: inherit;"><br /></span></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-d4hrpoIbUMY/XU4VfZIofBI/AAAAAAAAAt8/rQCZjdT9mA0Zx7sYgR4hYyjVU5CLHR0GwCPcBGAYYCw/s1600/luv1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="800" height="320" src="https://1.bp.blogspot.com/-d4hrpoIbUMY/XU4VfZIofBI/AAAAAAAAAt8/rQCZjdT9mA0Zx7sYgR4hYyjVU5CLHR0GwCPcBGAYYCw/s320/luv1.gif" width="160" /></a></div> <div> <span style="font-family: inherit;"><br /></span></div> <br /><div style="text-align: center;"> <span style="font-family: inherit;"><i>Simpler authentication experience when viewing your saved password for a website on passwords.google.com</i></span></div> <br /><br /><span style="font-family: inherit;">These enhancements are built using the <a href="https://fidoalliance.org/fido2/">FIDO2</a> standards, <a href="https://www.w3.org/TR/webauthn/">W3C WebAuthn</a> and <a href="https://fidoalliance.org/fido2/">FIDO CTAP</a>, and are designed to provide simpler and more secure authentication experiences. They are a result of years of collaboration between Google and many other organizations in the FIDO Alliance and the W3C. <br /><br />An important benefit of using FIDO2 versus interacting with the native fingerprint APIs on Android is that these biometric capabilities are now, for the first time, available on the web, allowing the same credentials to be used by both native apps and web services. 
This means that a user only has to register their fingerprint with a service once and then the fingerprint will work for both the native application and the web service.<br /><br />Note that your fingerprint is never sent to Google’s servers - it is securely stored on your device, and only a cryptographic proof that you’ve correctly scanned it is sent to Google’s servers. This is a <a href="https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf">fundamental part of the FIDO2 design</a>.</span><div> <br /><b><span style="font-family: inherit;">Here is how it works</span></b><div> <b><span style="font-family: inherit;"><br /></span></b><div> <span style="font-family: inherit;">Google is using the <a href="https://fidoalliance.org/android-now-fido2-certified-accelerating-global-migration-beyond-passwords/">FIDO2 capability on Android</a> to register a platform-bound FIDO credential. We remember the credential for that specific Android device. Now, when the user visits a compatible service, such as passwords.google.com, we issue a WebAuthn “Get” call, passing in the credentialId that we got when creating the credential. 
The result is a valid FIDO2 signature.</span></div> </div> <div> <span style="font-family: inherit;"><br /></span></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-TcLKwRz2RYQ/XU4V6JfuQpI/AAAAAAAAAuE/27ULALcQZA0zSZGz7pdKZnHAgjBU_N7UACPcBGAYYCw/s1600/luv2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="576" data-original-width="366" height="320" src="https://1.bp.blogspot.com/-TcLKwRz2RYQ/XU4V6JfuQpI/AAAAAAAAAuE/27ULALcQZA0zSZGz7pdKZnHAgjBU_N7UACPcBGAYYCw/s320/luv2.png" width="203" /></a></div> <div style="text-align: center;"> <br /></div> <i><div style="font-family: inherit; text-align: center;"> <i><span style="font-family: inherit;">High-level architecture of using fingerprint or screen lock on Android devices to verify a user’s identity without a password</span></i></div> </i><br /><b>Please follow the instructions below if you’d like to try it out.</b><br />Prerequisites<br /><ul> <li>Phone is running Android 7.0 (Nougat) or later</li> <li>Your personal Google Account is added to your Android device </li> <li>Valid screen lock is set up on your Android device</li> </ul> To try it<ul> <li>Open the Chrome app on your Android device</li> <li>Navigate to <a href="https://passwords.google.com/">https://passwords.google.com</a></li> <li>Choose a site to view or manage a saved password</li> <li>Follow the instructions to confirm that it’s you trying to sign in</li> </ul> You can find more detailed instructions <a href="http://support.google.com/accounts?p=screenlock-verif-blog">here</a>.<br /><br /><span style="font-family: inherit;"><b>For additional security</b><br />Remember, Google's automated defenses securely block the overwhelming majority of sign-in attempts even if an attacker has your username or password. 
Further, you can protect your accounts with two-step verification (2SV), including <a href="https://security.googleblog.com/2019/07/titan-security-keys-are-now-available.html">Titan Security Keys</a> and <a href="https://security.googleblog.com/2019/06/use-your-android-phones-built-in.html">Android phone’s built-in security key</a>.<br /><br />Both security keys and local user verification based on biometrics use the FIDO2 standards. However, these two protections address different use cases. Security keys are used for bootstrapping a new device as a second factor as part of 2SV in order to make sure it’s the right owner of the account accessing it. Local user verification based on biometrics comes after bootstrapping a device and can be used for re-authentication during step-up flows to verify the identity of the already signed-in user.<b><br /></b></span></div> <div> <span style="font-family: inherit;"><br /></span></div> <div> <b>What’s next</b><span style="font-family: inherit;"><b><br /></b></span></div> <div> <span style="font-family: inherit;">This new capability marks another step on our journey to making authentication safer and easier for everyone to use. As we continue to embrace the FIDO2 standard, you will start seeing more places where local alternatives to passwords are accepted as an authentication mechanism for Google and Google Cloud services. 
Check out <a href="https://www.youtube.com/watch?v=fsFxbC543n8">this presentation</a> to get an early glimpse of the use cases that we are working to enable next.</span></div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Dongjing He, Software Engineer and Christiaan Brand, Product Manager </span><br /> <span class="byline-author"><br /></span> <span style="font-family: inherit;">Passwords, combined with Google's automated protections, help secure billions of users around the world. But, new security technologies are surpassing passwords in terms of both strength and convenience. With this in mind, we are happy to announce that you can verify your identity by using your fingerprint or screen lock instead of a password when visiting certain Google services. The feature is available today on Pixel devices and coming to all Android 7+ devices over the next few days.</span><div> <span style="font-family: inherit;"><br /></span></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-d4hrpoIbUMY/XU4VfZIofBI/AAAAAAAAAt8/rQCZjdT9mA0Zx7sYgR4hYyjVU5CLHR0GwCPcBGAYYCw/s1600/luv1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="800" height="320" src="https://1.bp.blogspot.com/-d4hrpoIbUMY/XU4VfZIofBI/AAAAAAAAAt8/rQCZjdT9mA0Zx7sYgR4hYyjVU5CLHR0GwCPcBGAYYCw/s320/luv1.gif" width="160" /></a></div> <div> <span style="font-family: inherit;"><br /></span></div> <br /><div style="text-align: center;"> <span style="font-family: inherit;"><i>Simpler authentication experience when viewing your saved password for a website on passwords.google.com</i></span></div> <br /><br /><span style="font-family: inherit;">These enhancements are built using the <a 
href="https://fidoalliance.org/fido2/">FIDO2</a> standards, <a href="https://www.w3.org/TR/webauthn/">W3C WebAuthn</a> and <a href="https://fidoalliance.org/fido2/">FIDO CTAP</a>, and are designed to provide simpler and more secure authentication experiences. They are a result of years of collaboration between Google and many other organizations in the FIDO Alliance and the W3C. <br /><br />An important benefit of using FIDO2 versus interacting with the native fingerprint APIs on Android is that these biometric capabilities are now, for the first time, available on the web, allowing the same credentials to be used by both native apps and web services. This means that a user only has to register their fingerprint with a service once and then the fingerprint will work for both the native application and the web service.<br /><br />Note that your fingerprint is never sent to Google’s servers - it is securely stored on your device, and only a cryptographic proof that you’ve correctly scanned it is sent to Google’s servers. This is a <a href="https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf">fundamental part of the FIDO2 design</a>.</span><div> <br /><b><span style="font-family: inherit;">Here is how it works</span></b><div> <b><span style="font-family: inherit;"><br /></span></b><div> <span style="font-family: inherit;">Google is using the <a href="https://fidoalliance.org/android-now-fido2-certified-accelerating-global-migration-beyond-passwords/">FIDO2 capability on Android</a> to register a platform-bound FIDO credential. We remember the credential for that specific Android device. Now, when the user visits a compatible service, such as passwords.google.com, we issue a WebAuthn “Get” call, passing in the credentialId that we got when creating the credential. 
The result is a valid FIDO2 signature.</span></div> </div> <div> <span style="font-family: inherit;"><br /></span></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-TcLKwRz2RYQ/XU4V6JfuQpI/AAAAAAAAAuE/27ULALcQZA0zSZGz7pdKZnHAgjBU_N7UACPcBGAYYCw/s1600/luv2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="576" data-original-width="366" height="320" src="https://1.bp.blogspot.com/-TcLKwRz2RYQ/XU4V6JfuQpI/AAAAAAAAAuE/27ULALcQZA0zSZGz7pdKZnHAgjBU_N7UACPcBGAYYCw/s320/luv2.png" width="203" /></a></div> <div style="text-align: center;"> <br /></div> <i><div style="font-family: inherit; text-align: center;"> <i><span style="font-family: inherit;">High-level architecture of using fingerprint or screen lock on Android devices to verify a user’s identity without a password</span></i></div> </i><br /><b>Please follow the instructions below if you’d like to try it out.</b><br />Prerequisites<br /><ul> <li>Phone is running Android 7.0 (Nougat) or later</li> <li>Your personal Google Account is added to your Android device </li> <li>Valid screen lock is set up on your Android device</li> </ul> To try it<ul> <li>Open the Chrome app on your Android device</li> <li>Navigate to <a href="https://passwords.google.com/">https://passwords.google.com</a></li> <li>Choose a site to view or manage a saved password</li> <li>Follow the instructions to confirm that it’s you trying to sign in</li> </ul> You can find more detailed instructions <a href="http://support.google.com/accounts?p=screenlock-verif-blog">here</a>.<br /><br /><span style="font-family: inherit;"><b>For additional security</b><br />Remember, Google's automated defenses securely block the overwhelming majority of sign-in attempts even if an attacker has your username or password. 
Further, you can protect your accounts with two-step verification (2SV), including <a href="https://security.googleblog.com/2019/07/titan-security-keys-are-now-available.html">Titan Security Keys</a> and <a href="https://security.googleblog.com/2019/06/use-your-android-phones-built-in.html">Android phone’s built-in security key</a>.<br /><br />Both security keys and local user verification based on biometrics use the FIDO2 standards. However, these two protections address different use cases. Security keys are used for bootstrapping a new device as a second factor as part of 2SV in order to make sure it’s the right owner of the account accessing it. Local user verification based on biometrics comes after bootstrapping a device and can be used for re-authentication during step-up flows to verify the identity of the already signed-in user.<b><br /></b></span></div> <div> <span style="font-family: inherit;"><br /></span></div> <div> <b>What’s next</b><span style="font-family: inherit;"><b><br /></b></span></div> <div> <span style="font-family: inherit;">This new capability marks another step on our journey to making authentication safer and easier for everyone to use. As we continue to embrace the FIDO2 standard, you will start seeing more places where local alternatives to passwords are accepted as an authentication mechanism for Google and Google Cloud services. 
Check out <a href="https://www.youtube.com/watch?v=fsFxbC543n8">this presentation</a> to get an early glimpse of the use cases that we are working to enable next.</span></div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Making authentication even easier with FIDO2-based local user verification for Google Accounts&url=https://security.googleblog.com/2019/08/making-authentication-even-easier-with_12.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2019/08/making-authentication-even-easier-with_12.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'>  </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2019/08/making-authentication-even-easier-with_12.html' data-url='https://security.googleblog.com/2019/08/making-authentication-even-easier-with_12.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2019/08/making-authentication-even-easier-with_12.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' 
style='display:none;'> Google </a> <div class='label-footer'> <span class='labels-caption'> Labels: </span> <span class='labels'> <a class='label' href='https://security.googleblog.com/search/label/android%20security' rel='tag'> android security </a> </span> </div> </div> </div> <div class='post' data-id='6486914846500122710' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2019/08/awarding-google-cloud-vulnerability.html' itemprop='url' title='Awarding Google Cloud Vulnerability Research'> Awarding Google Cloud Vulnerability Research </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 8, 2019 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Felix Groebert, Information Security Engineering</span><br /> <br /> Today, we’re excited to announce a yearly Google Cloud Platform (GCP) VRP Prize to promote security research of GCP. A prize of $100,000.00 will be paid to the reporter of the best vulnerability affecting GCP reported through our Vulnerability Reward Program (<a href="//g.co/vulnz">g.co/vulnz</a>) and having a public write-up (nominations will be received <a href="https://docs.google.com/forms/d/e/1FAIpQLSd-kmz_l4VaEtTNAqccwXMJ9-H8F0CkTAKPl7Fgdis9Huac3g/viewform">here</a>).<br /> <br /> We’ve received vulnerability reports for various application security flaws in GCP over the years, but we felt research of our Cloud platform has been under-represented in our Vulnerability Reward Program. 
So, with the GCP VRP Prize, we hope to encourage even more researchers to focus on GCP products and help us identify even more security vulnerabilities.<br /> <br /> Note that we will continue to pay hundreds of thousands of dollars to our top bug hunters through our <a href="https://www.google.com/about/appsecurity/research-grants/">Vulnerability Research Grants Program</a> even when no bugs are found, and to reward <a href="https://www.cnbc.com/2018/05/26/teenager-wins-36k-from-google-bug-bounty-program.html">up to tens of thousands of dollars per bug</a> to the most impactful findings. This prize is meant to create an additional incentive for more people to focus on public, open security research on GCP who would otherwise not participate in the reward program.<br /> <br /> This competition draws on our previous contests, such as <a href="https://security.googleblog.com/2015/02/pwnium-v-never-ending-pwnium.html">Pwnium</a> and the <a href="https://googleprojectzero.blogspot.com/2017/03/project-zero-prize-conclusion.html">Project Zero Prize</a>, and rather than focusing bug hunters on collecting vulnerabilities for complex bug chains, we are attempting a slightly different twist and selecting a single winner out of all vulnerabilities we receive. That said, this approach comes with its own challenges, such as: defining the right incentives for bug hunters (both in terms of research as well as their communications with our team when reporting vulnerabilities); or ensuring there are no conflicting incentives when our own team is looking for similar vulnerabilities (since we aren't eligible for collecting the prize).<br /> <br /> For the rest of the year, we will be seeking feedback from our top bug hunters and the security community to help define what vulnerabilities are the most significant, and we hope we can work together to find the best way to incentivize, recognize, and reward open security research. 
To further incentivize research in 2019, we will be issuing GCP VRP grants summing up to $100,000 to our top 2018 researchers.<br /> <br /> Head over <a href="https://www.google.com/about/appsecurity/reward-program/GCP_PRIZE_2019.pdf">here</a> for the full details on the contest. Note that if you have budget constraints for access to testing environments, you can use the <a href="https://cloud.google.com/free/docs/gcp-free-tier">free tier of GCP</a>.<br /> <br /> We look forward to our Vulnerability Rewards Programs resulting in even more GCP customer protection in the following years thanks to the hard work of the security research community. Follow us on @GoogleVRP. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Felix Groebert, Information Security Engineering</span><br /> <br /> Today, we’re excited to announce a yearly Google Cloud Platform (GCP) VRP Prize to promote security research of GCP. A prize of $100,000.00 will be paid to the reporter of the best vulnerability affecting GCP reported through our Vulnerability Reward Program (<a href="//g.co/vulnz">g.co/vulnz</a>) and having a public write-up (nominations will be received <a href="https://docs.google.com/forms/d/e/1FAIpQLSd-kmz_l4VaEtTNAqccwXMJ9-H8F0CkTAKPl7Fgdis9Huac3g/viewform">here</a>).<br /> <br /> We’ve received vulnerability reports for various application security flaws in GCP over the years, but we felt research of our Cloud platform has been under-represented in our Vulnerability Reward Program. 
So, with the GCP VRP Prize, we hope to encourage even more researchers to focus on GCP products and help us identify even more security vulnerabilities.<br /> <br /> Note that we will continue to pay hundreds of thousands of dollars to our top bug hunters through our <a href="https://www.google.com/about/appsecurity/research-grants/">Vulnerability Research Grants Program</a> even when no bugs are found, and to reward <a href="https://www.cnbc.com/2018/05/26/teenager-wins-36k-from-google-bug-bounty-program.html">up to tens of thousands of dollars per bug</a> to the most impactful findings. This prize is meant to create an additional incentive for more people to focus on public, open security research on GCP who would otherwise not participate in the reward program.<br /> <br /> This competition draws on our previous contests, such as <a href="https://security.googleblog.com/2015/02/pwnium-v-never-ending-pwnium.html">Pwnium</a> and the <a href="https://googleprojectzero.blogspot.com/2017/03/project-zero-prize-conclusion.html">Project Zero Prize</a>, and rather than focusing bug hunters on collecting vulnerabilities for complex bug chains, we are attempting a slightly different twist and selecting a single winner out of all vulnerabilities we receive. That said, this approach comes with its own challenges, such as: defining the right incentives for bug hunters (both in terms of research as well as their communications with our team when reporting vulnerabilities); or ensuring there are no conflicting incentives when our own team is looking for similar vulnerabilities (since we aren't eligible for collecting the prize).<br /> <br /> For the rest of the year, we will be seeking feedback from our top bug hunters and the security community to help define what vulnerabilities are the most significant, and we hope we can work together to find the best way to incentivize, recognize, and reward open security research. 
To further incentivize research in 2019, we will be issuing GCP VRP grants summing up to $100,000 to our top 2018 researchers.<br /> <br /> Head over <a href="https://www.google.com/about/appsecurity/reward-program/GCP_PRIZE_2019.pdf">here</a> for the full details on the contest. Note that if you have budget constraints for access to testing environments, you can use the <a href="https://cloud.google.com/free/docs/gcp-free-tier">free tier of GCP</a>.<br /> <br /> We look forward to our Vulnerability Rewards Programs resulting in even more GCP customer protection in the following years thanks to the hard work of the security research community. Follow us on @GoogleVRP. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Awarding Google Cloud Vulnerability Research&url=https://security.googleblog.com/2019/08/awarding-google-cloud-vulnerability.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2019/08/awarding-google-cloud-vulnerability.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'>  </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' 
data-post-url='https://security.googleblog.com/2019/08/awarding-google-cloud-vulnerability.html' data-url='https://security.googleblog.com/2019/08/awarding-google-cloud-vulnerability.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2019/08/awarding-google-cloud-vulnerability.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='1710733837749444130' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2019/08/understanding-why-phishing-attacks-are.html' itemprop='url' title='Understanding why phishing attacks are so effective and how to mitigate them'> Understanding why phishing attacks are so effective and how to mitigate them </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 8, 2019 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <h4> <span class="byline-author" style="color: #444444; font-family: 'arial' , 'helvetica' , sans-serif;">Posted by</span><span class="byline-author" style="color: #444444; font-family: 'arial' , 'helvetica' , sans-serif; font-size: x-small;"> </span><span style="font-weight: normal; white-space: pre-wrap;"><span style="color: #666666; font-family: 'helvetica neue' , 'arial' , 'helvetica' , sans-serif;">Elie Bursztein, Security & Anti-abuse Research Lead, Daniela Oliveira, Professor at the University of Florida</span></span></h4> <span style="white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span> <span style="white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span> <br /> <div dir="ltr" style="line-height: 
1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Phishing attacks continue to be one of the common forms of account compromise threats. Every day, Gmail blocks more than 100 million phishing emails and Google Safe Browsing helps protect more than 4 billion devices against dangerous sites. </span></span></div> <span id="docs-internal-guid-f16df8a4-7fff-fb3a-a067-9fea545d8258"><span style="font-family: inherit;"><br /></span></span> <br /> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As part of our ongoing efforts to further protect users from phishing, we’re partnering with </span><a href="http://www.daniela.ece.ufl.edu/Daniela_Oliveiras_Web_Page/Home.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Daniela Oliveira </span></a><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">from the University of Florida during a </span><a href="https://elie.net/talk/deconstructing-the-phishing-campaigns-that-target-gmail-users/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">talk at Black Hat 
2019</span></a><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to explore the reasons why social engineering attacks remain effective phishing tactics, even though they have been around for decades.</span></span></div> <span style="font-size: 12pt; white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-nH2L9YiQNnQ/XUxd8PfSPjI/AAAAAAAAAtQ/K2vKuAZT0novA77dZpjeReYTeATUhvMmACLcBGAs/s1600/bh1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="343" data-original-width="957" height="228" src="https://1.bp.blogspot.com/-nH2L9YiQNnQ/XUxd8PfSPjI/AAAAAAAAAtQ/K2vKuAZT0novA77dZpjeReYTeATUhvMmACLcBGAs/s640/bh1.png" width="640" /></a></div> <br /> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Overall, the research finds there are a few key factors that make phishing an effective attack vector:</span></span></div> <ul> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Phishing is constantly evolving</span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">: 68% of the phishing emails blocked by Gmail today are new variations that were never seen before. 
This fast-paced adversarial evolution requires humans and machines to adapt very quickly to prevent them.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Phishing is targeted: </span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">Many of the campaigns targeting Gmail end-users and enterprise consumers only target a few dozen individuals. Enterprise users are 4.8x more targeted than end-users.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Phishers are persuasion experts</span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">: As highlighted by </span><a href="http://www.daniela.ece.ufl.edu/Research_files/chi17.pdf" style="font-family: inherit; text-decoration-line: none; white-space: pre;"><span style="color: #1155cc; vertical-align: baseline; white-space: pre-wrap;">Daniela’s research</span></a><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;"> with Natalie Ebner </span><span style="font-family: inherit; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">et al.</span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;"> at the University of Florida, phishers have mastered the use of persuasion techniques, emotional salience and gain or loss framing to trick users into reacting to phishing emails.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">45% of users don’t understand what phishing is: </span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">After surveying Internet users, we found that 45% of them do not understand what phishing is or the risk associated with it. 
This lack of awareness increases the risk of being phished and potentially hinders the adoption of 2-step verification. </span></li> </ul> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-lD6PZnAc6Lc/XUxd1BAVQcI/AAAAAAAAAtM/w-qrq5eAe4ctARHxOhTzArWMj7H2BRBlwCLcBGAs/s1600/bh2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="234" data-original-width="512" height="291" src="https://1.bp.blogspot.com/-lD6PZnAc6Lc/XUxd1BAVQcI/AAAAAAAAAtM/w-qrq5eAe4ctARHxOhTzArWMj7H2BRBlwCLcBGAs/s640/bh2.png" width="640" /></a></div> <div> <span style="white-space: pre-wrap;"><br /></span></div> <br /> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Protecting users against phishing requires a layered defense approach that includes:</span></span></div> <ul> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Educating users </span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">about phishing so they understand what it is, how to detect it and how to protect themselves.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Leveraging the recent advances in AI </span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">to build robust phishing detections that can keep pace with fast evolving phishing campaigns.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Displaying actionable phishing warnings</span><span style="font-family: inherit; vertical-align: baseline; white-space: 
pre-wrap;"> that are easy to understand by users so they know how to react when they see them.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Using strong two-factor authentication </span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">to make it more difficult for phishers to compromise accounts. Two-factor technologies, as visible in the graph above, can be effective against the various forms of phishing, which highlights the importance of driving awareness and adoption among users. </span></li> </ul> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">While technologies to help mitigate phishing exist, such as FIDO standard security keys, there is still work to be done to help users increase awareness and understand how to protect themselves against phishing.</span></span></div> <span style="font-size: 12pt; white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <h4> <span class="byline-author" style="color: #444444; font-family: 'arial', 'helvetica', sans-serif;">Posted by</span><span class="byline-author" style="color: #444444; font-family: 'arial', 'helvetica', sans-serif; font-size: x-small;"> </span><span style="font-weight: normal; white-space: pre-wrap;"><span style="color: #666666; font-family: 'helvetica neue', 'arial', 'helvetica', sans-serif;">Elie Bursztein, Security &amp; Anti-abuse Research Lead, Daniela Oliveira, Professor at the University of Florida</span></span></h4> <span 
style="white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span> <span style="white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span> <br /> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Phishing attacks continue to be one of the common forms of account compromise threats. Every day, Gmail blocks more than 100 million phishing emails and Google Safe Browsing helps protect more than 4 billion devices against dangerous sites. </span></span></div> <span id="docs-internal-guid-f16df8a4-7fff-fb3a-a067-9fea545d8258"><span style="font-family: inherit;"><br /></span></span> <br /> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: inherit;"><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As part of our ongoing efforts to further protect users from phishing, we’re partnering with </span><a href="http://www.daniela.ece.ufl.edu/Daniela_Oliveiras_Web_Page/Home.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Daniela Oliveira </span></a><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">from the University of Florida during a </span><a href="https://elie.net/talk/deconstructing-the-phishing-campaigns-that-target-gmail-users/" style="text-decoration: 
none;"><span style="background-color: transparent; color: #1155cc; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">talk at Black Hat 2019</span></a><span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to explore the reasons why social engineering attacks remain effective phishing tactics, even though they have been around for decades.</span></span></div> <span style="font-size: 12pt; white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-nH2L9YiQNnQ/XUxd8PfSPjI/AAAAAAAAAtQ/K2vKuAZT0novA77dZpjeReYTeATUhvMmACLcBGAs/s1600/bh1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="343" data-original-width="957" height="228" src="https://1.bp.blogspot.com/-nH2L9YiQNnQ/XUxd8PfSPjI/AAAAAAAAAtQ/K2vKuAZT0novA77dZpjeReYTeATUhvMmACLcBGAs/s640/bh1.png" width="640" /></a></div> <br /> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Overall, the research finds there are a few key factors that make phishing an effective attack vector:</span></span></div> <ul> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Phishing is constantly evolving</span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">: 68% of the phishing emails blocked by Gmail today are new variations that were never seen before. 
This fast-paced adversarial evolution requires humans and machines to adapt very quickly to prevent them.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Phishing is targeted: </span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">Many of the campaigns targeting Gmail end-users and enterprise consumers only target a few dozen individuals. Enterprise users are 4.8x more targeted than end-users.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Phishers are persuasion experts</span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">: As highlighted by </span><a href="http://www.daniela.ece.ufl.edu/Research_files/chi17.pdf" style="font-family: inherit; text-decoration-line: none; white-space: pre;"><span style="color: #1155cc; vertical-align: baseline; white-space: pre-wrap;">Daniela’s research</span></a><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;"> with Natalie Ebner </span><span style="font-family: inherit; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">et al.</span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;"> at the University of Florida, phishers have mastered the use of persuasion techniques, emotional salience and gain or loss framing to trick users into reacting to phishing emails.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">45% of users don’t understand what phishing is: </span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">After surveying Internet users, we found that 45% of them do not understand what phishing is or the risk associated with it. 
This lack of awareness increases the risk of being phished and potentially hinders the adoption of 2-step verification. </span></li> </ul> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-lD6PZnAc6Lc/XUxd1BAVQcI/AAAAAAAAAtM/w-qrq5eAe4ctARHxOhTzArWMj7H2BRBlwCLcBGAs/s1600/bh2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="234" data-original-width="512" height="291" src="https://1.bp.blogspot.com/-lD6PZnAc6Lc/XUxd1BAVQcI/AAAAAAAAAtM/w-qrq5eAe4ctARHxOhTzArWMj7H2BRBlwCLcBGAs/s640/bh2.png" width="640" /></a></div> <div> <span style="white-space: pre-wrap;"><br /></span></div> <br /> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">Protecting users against phishing requires a layered defense approach that includes:</span></span></div> <ul> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Educating users </span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">about phishing so they understand what it is, how to detect it and how to protect themselves.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Leveraging the recent advances in AI </span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">to build robust phishing detections that can keep pace with fast evolving phishing campaigns.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Displaying actionable phishing warnings</span><span style="font-family: inherit; vertical-align: baseline; white-space: 
pre-wrap;"> that are easy to understand by users so they know how to react when they see them.</span></li> <li><span style="font-family: inherit; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Using strong two-factor authentication </span><span style="font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">to make it more difficult for phishers to compromise accounts. Two-factor technologies, as visible in the graph above, can be effective against the various forms of phishing, which highlights the importance of driving awareness and adoption among users. </span></li> </ul> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: inherit;">While technologies to help mitigate phishing exist, such as FIDO standard security keys, there is still work to be done to help users increase awareness and understand how to protect themselves against phishing.</span></span></div> <span style="font-size: 12pt; white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Understanding why phishing attacks are so effective and how to mitigate them&url=https://security.googleblog.com/2019/08/understanding-why-phishing-attacks-are.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' 
data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2019/08/understanding-why-phishing-attacks-are.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'>  </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2019/08/understanding-why-phishing-attacks-are.html' data-url='https://security.googleblog.com/2019/08/understanding-why-phishing-attacks-are.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2019/08/understanding-why-phishing-attacks-are.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='7523930202087665251' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2019/08/adopting-arm-memory-tagging-extension.html' itemprop='url' title='Adopting the Arm Memory Tagging Extension in Android'> Adopting the Arm Memory Tagging Extension in Android </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> August 2, 2019 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Kostya Serebryany, Google Core Systems, and Sudhi Herle, Android Security & Privacy Team</span> <p> As part of our continuous commitment to improve the security of the Android 
ecosystem, we are partnering with Arm to design the <a href="https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/arm-a-profile-architecture-2018-developments-armv85a">memory tagging extension</a> (MTE). <a href="https://en.wikipedia.org/wiki/Memory_safety">Memory safety bugs</a>, common in C and C++, remain one of the largest vulnerabilities in the Android platform and although there have been previous <a href="https://security.googleblog.com/2019/05/queue-hardening-enhancements.html">hardening efforts</a>, memory safety bugs comprised more than half of the high priority security bugs in Android 9. Additionally, memory safety bugs manifest as hard to diagnose reliability problems, including sporadic crashes or silent data corruption. This reduces user satisfaction and <a href="https://www.nist.gov/sites/default/files/documents/director/planning/report02-3.pdf">increases the cost of software development</a>. Software testing tools, such as <a href="https://source.android.com/devices/tech/debug/asan">ASAN</a> and <a href="https://source.android.com/devices/tech/debug/hwasan">HWASAN</a> help, but their applicability on current hardware is limited due to noticeable overheads. </p> <p> MTE, a hardware feature, aims to further mitigate these memory safety bugs by enabling us to detect them with low overhead. It has two execution modes: </p> <ul> <li><strong>Precise mode</strong>: Provides more detailed information about the memory violation <li><strong>Imprecise mode</strong>: Has lower CPU overhead and is more suitable to be always-on. </li> </ul> <p> Arm recently published a <a href="https://developer.arm.com/architectures/cpu-architecture/a-profile#mte">whitepaper on MTE</a> and has added documentation to the Arm v8.5 <a href="https://developer.arm.com/docs/ddi0487/latest">Architecture Reference Manual</a>. </p> <p> We envision several different usage modes for MTE. 
</p> <ul> <li>MTE provides a version of <a href="https://source.android.com/devices/tech/debug/asan">ASAN</a>/<a href="https://source.android.com/devices/tech/debug/hwasan">HWASAN</a> that is easier to use for testing and fuzzing in laboratory environments. It will find more bugs in a fraction of the time and at a lower cost, reducing the complexity of the development process. In many cases, MTE will allow testing memory safety using the same binary as shipped to production. The bug reports produced by MTE will be as detailed and actionable as those from ASAN and HWASAN. <li>MTE will be used as a mechanism for testing complex software scenarios in production. App Developers and OEMs will be able to selectively turn on MTE for parts of the software stack. Where users have provided consent, bug reports will be available to developers via familiar mechanisms like <a href="https://developer.android.com/topic/performance/vitals/crash">Google Play Console</a>. <li>MTE can be used as a strong security mitigation in the Android System and applications for many classes of memory safety bugs. For most instances of such vulnerabilities, a probabilistic mitigation based on MTE could prevent exploitation with a higher than 90% chance of detecting each invalid memory access. The check is probabilistic because memory tags are only a few bits wide, so an invalid access can occasionally carry a matching tag by chance; this is why limiting repeated attempts matters. By implementing these protections and ensuring that attackers can't make repeated attempts to exploit security-critical components, we can significantly reduce the risk to users posed by memory safety issues. </li> </ul> <p> We believe that memory tagging will detect the most common classes of memory safety bugs in the wild, helping vendors identify and fix them, and discouraging malicious actors from exploiting them. During the past year, our team has been working to ensure readiness of the Android platform and application software for MTE. We have deployed HWASAN, a software implementation of the memory tagging concept, to test our entire platform and a few select apps. 
This deployment has uncovered close to 100 memory safety bugs. The majority of these bugs were detected on HWASAN enabled phones in everyday use. MTE will greatly improve upon this in terms of overhead, ease of deployment, and scale. In parallel, we have been working on supporting MTE <a href="https://reviews.llvm.org/D64169">in the LLVM compiler toolchain</a> and <a href="https://lkml.org/lkml/2019/7/23/728">in the Linux kernel</a>. The Android platform support for MTE will be complete by the time of silicon availability. </p> <p> Google is committed to supporting MTE throughout the Android software stack. We are working with select Arm System On Chip (SoC) partners to test MTE support and look forward to wider deployment of MTE in the Android software and hardware ecosystem. Based on the current data points, MTE provides tremendous benefits at acceptable performance costs. We are considering MTE as a possible foundational requirement for certain tiers of Android devices. </p> <p> <em>Thank you to Mitch Phillips, Evgenii Stepanov, Vlad Tsyrklevich, Mark Brand, and Serban Constantinescu for their contributions to this post.</em> </p> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Kostya Serebryany, Google Core Systems, and Sudhi Herle, Android Security & Privacy Team</span> <p> As part of our continuous commitment to improve the security of the Android ecosystem, we are partnering with Arm to design the <a href="https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/arm-a-profile-architecture-2018-developments-armv85a">memory tagging extension</a> (MTE). 
<a href="https://en.wikipedia.org/wiki/Memory_safety">Memory safety bugs</a>, common in C and C++, remain one of the largest vulnerabilities in the Android platform and although there have been previous <a href="https://security.googleblog.com/2019/05/queue-hardening-enhancements.html">hardening efforts</a>, memory safety bugs comprised more than half of the high priority security bugs in Android 9. Additionally, memory safety bugs manifest as hard to diagnose reliability problems, including sporadic crashes or silent data corruption. This reduces user satisfaction and <a href="https://www.nist.gov/sites/default/files/documents/director/planning/report02-3.pdf">increases the cost of software development</a>. Software testing tools, such as <a href="https://source.android.com/devices/tech/debug/asan">ASAN</a> and <a href="https://source.android.com/devices/tech/debug/hwasan">HWASAN</a> help, but their applicability on current hardware is limited due to noticeable overheads. </p> <p> MTE, a hardware feature, aims to further mitigate these memory safety bugs by enabling us to detect them with low overhead. It has two execution modes: </p> <ul> <li><strong>Precise mode</strong>: Provides more detailed information about the memory violation <li><strong>Imprecise mode</strong>: Has lower CPU overhead and is more suitable to be always-on. </li> </ul> <p> Arm recently published a <a href="https://developer.arm.com/architectures/cpu-architecture/a-profile#mte">whitepaper on MTE</a> and has added documentation to the Arm v8.5 <a href="https://developer.arm.com/docs/ddi0487/latest">Architecture Reference Manual</a>. </p> <p> We envision several different usage modes for MTE. </p> <ul> <li>MTE provides a version of <a href="https://source.android.com/devices/tech/debug/asan">ASAN</a>/<a href="https://source.android.com/devices/tech/debug/hwasan">HWASAN</a> that is easier to use for testing and fuzzing in laboratory environments. 
It will find more bugs in a fraction of the time and at a lower cost, reducing the complexity of the development process. In many cases, MTE will allow testing memory safety using the same binary as shipped to production. The bug reports produced by MTE will be as detailed and actionable as those from ASAN and HWASAN. <li>MTE will be used as a mechanism for testing complex software scenarios in production. App Developers and OEMs will be able to selectively turn on MTE for parts of the software stack. Where users have provided consent, bug reports will be available to developers via familiar mechanisms like <a href="https://developer.android.com/topic/performance/vitals/crash">Google Play Console</a>. <li>MTE can be used as a strong security mitigation in the Android System and applications for many classes of memory safety bugs. For most instances of such vulnerabilities, a probabilistic mitigation based on MTE could prevent exploitation with a higher than 90% chance of detecting each invalid memory access. The check is probabilistic because memory tags are only a few bits wide, so an invalid access can occasionally carry a matching tag by chance; this is why limiting repeated attempts matters. By implementing these protections and ensuring that attackers can't make repeated attempts to exploit security-critical components, we can significantly reduce the risk to users posed by memory safety issues. </li> </ul> <p> We believe that memory tagging will detect the most common classes of memory safety bugs in the wild, helping vendors identify and fix them, and discouraging malicious actors from exploiting them. During the past year, our team has been working to ensure readiness of the Android platform and application software for MTE. We have deployed HWASAN, a software implementation of the memory tagging concept, to test our entire platform and a few select apps. This deployment has uncovered close to 100 memory safety bugs. The majority of these bugs were detected on HWASAN enabled phones in everyday use. MTE will greatly improve upon this in terms of overhead, ease of deployment, and scale. 
In parallel, we have been working on supporting MTE <a href="https://reviews.llvm.org/D64169">in the LLVM compiler toolchain</a> and <a href="https://lkml.org/lkml/2019/7/23/728">in the Linux kernel</a>. The Android platform support for MTE will be complete by the time of silicon availability. </p> <p> Google is committed to supporting MTE throughout the Android software stack. We are working with select Arm System On Chip (SoC) partners to test MTE support and look forward to wider deployment of MTE in the Android software and hardware ecosystem. Based on the current data points, MTE provides tremendous benefits at acceptable performance costs. We are considering MTE as a possible foundational requirement for certain tiers of Android devices. </p> <p> <em>Thank you to Mitch Phillips, Evgenii Stepanov, Vlad Tsyrklevich, Mark Brand, and Serban Constantinescu for their contributions to this post.</em> </p> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='post-footer'> <div class='label-footer'> <span class='labels-caption'> Labels: </span> <span class='labels'> <a class='label' href='https://security.googleblog.com/search/label/android%20security' rel='tag'> android security </a> </span> </div> </div> </div>
class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2022/'> 2022 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' 
href='https://security.googleblog.com/2022/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> 
<div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2021/'> 2021 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/07/'> Jul </a> </div> <div 
class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2020/'> 2020 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a 
class='post-count-link' href='https://security.googleblog.com/2020/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li 
class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy toggle-open'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2019/'> 2019 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' 
href='https://security.googleblog.com/2019/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2018/'> 2018 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul 
class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/01/'> Jan </a> </div> 
<div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2017/'> 2017 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a 
class='post-count-link' href='https://security.googleblog.com/2017/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2016/'> 2016 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/09/'> Sep </a> </div> <div class='items'> </div> 
</li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a 
class='post-count-link' href='https://security.googleblog.com/2015/'> 2015 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate 
collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2014/'> 2014 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/08/'> Aug </a> </div> 
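href="https://support.google.com/bin/static.py?hl=en&page=portal_groups.cs">Product Forums</a>. </div> <div class='clear'></div> </div></div> </div> </div> <div style='clear:both;'></div> </div>
<!-- Footer -->
<div class='google-footer-outer loading'> <div id='google-footer'> <a href='//www.google.com/'> <img class='google-logo-dark' height='36' src='data:image/png;base64,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' style='margin-top: -16px;' width='92'/> </a> <ul> <li> <a href='//www.google.com/'> Google </a> </li> <li> <a href='//www.google.com/policies/privacy/'> Privacy </a> </li> <li> <a href='//www.google.com/policies/terms/'> Terms </a> </li> </ul> </div> </div>
<script type='text/javascript'>
//<![CDATA[
// Social sharing popups: every .social-wrapper element opens its data-href
// in a fixed-size popup window when clicked.
// NOTE(review): data-href is handed to window.open() unchanged; presumably the
// template only ever writes share-intent URLs there. Confirm it can never
// carry a javascript: URL.
var postEl = document.getElementsByClassName('social-wrapper');
var postCount = postEl.length;
for (var i = 0; i < postCount; i++) {
  postEl[i].addEventListener("click", function(event) {
    var postUrl = this.getAttribute("data-href");
    window.open(
      postUrl,
      'popUpWindow',
      'height=500,width=500,left=10,top=10,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes');
  });
}
//]]>
</script>
<script type='text/javascript'>
//<![CDATA[
/**
 * Renders post bodies from their inline <script> templates and, on list
 * pages, builds a short summary with a "Read More" link for each post.
 */
var BreakpointHandler = function() {
  this.initted = false;
  this.isHomePage = false;
  this.isMobile = false;
};

/**
 * Escapes the characters that would start markup or an entity when a text
 * node's value is concatenated into an HTML string.
 *
 * Only &, < and > are escaped, so the trailing-character check in
 * finalizeSummary still sees quotes and punctuation unchanged.
 */
BreakpointHandler.escapeText = function(text) {
  return text.replace(/&/g, '&amp;')
             .replace(/</g, '&lt;')
             .replace(/>/g, '&gt;');
};

/**
 * Trims trailing whitespace and <br> tags from a summary and appends ' ...'
 * when the summary was cut inside running text.
 *
 * @param {string} summaryHtml HTML collected so far.
 * @param {Node} lastNode The last node that contributed to the summary.
 * @return {string} The finished summary HTML.
 */
BreakpointHandler.prototype.finalizeSummary = function(summaryHtml, lastNode) {
  // Use $.trim for IE8 compatibility
  summaryHtml = $.trim(summaryHtml).replace(/(<br>|\s)+$/,'');
  if (lastNode.nodeType == 3) {
    var lastChar = summaryHtml.slice(-1);
    if (!lastChar.match(/[.”"?]/)) {
      // Drop a dangling non-letter (comma, dash, ...) before the ellipsis.
      if (!lastChar.match(/[A-Za-z]/)) {
        summaryHtml = summaryHtml.slice(0, -1);
      }
      summaryHtml += ' ...';
    }
  } else if (lastNode.nodeType == 1 && (lastNode.nodeName == 'I' || lastNode.nodeName == 'A')) {
    summaryHtml += ' ...';
  }
  return summaryHtml;
};

/**
 * Builds summary HTML from the top-level child nodes of a rendered post.
 *
 * The returned string is later assigned to innerHTML, so text-node values
 * are HTML-escaped here. nodeValue is already entity-decoded, and without the
 * escaping any markup a post shows as literal text (for example an escaped
 * tag in a write-up) would become live markup in the summary.
 *
 * @param {Element} content The rendered .post-content element.
 * @param {number} numWords Word budget for the summary.
 * @return {string} Summary HTML.
 */
BreakpointHandler.prototype.generateSummaryFromContent = function(content, numWords) {
  var seenWords = 0;
  var summaryHtml = '';
  for (var i = 0; i < content.childNodes.length; i++) {
    var node = content.childNodes[i];
    var nodeText;
    if (node.nodeType == 1) {
      if (node.hasAttribute('data-about-pullquote')) {
        continue;
      }
      nodeText = node.textContent;
      if (nodeText === undefined) {
        // innerText for IE8
        nodeText = node.innerText;
      }
      if (node.nodeName == 'DIV' || node.nodeName == 'B') {
        // Don't end early if we haven't seen enough words.
        if (seenWords < 10) {
          continue;
        }
        if (i > 0) {
          summaryHtml = this.finalizeSummary(summaryHtml, content.childNodes[i-1]);
        }
        break;
      }
      summaryHtml += node.outerHTML;
    } else if (node.nodeType == 3) {
      nodeText = node.nodeValue;
      summaryHtml += BreakpointHandler.escapeText(nodeText) + ' ';
    } else {
      // Comments and other node types carry no summary text. Without this
      // branch nodeText would be undefined (first node) or stale (later
      // nodes), which either throws below or counts the same words twice.
      continue;
    }
    var words = nodeText ? nodeText.match(/\S+\s*/g) : null;
    if (!words) {
      continue;
    }
    var remain = numWords - seenWords;
    if (words.length >= remain) {
      summaryHtml = this.finalizeSummary(summaryHtml, node);
      break;
    }
    seenWords += words.length;
  }
  return summaryHtml;
};

/**
 * Reads the page type from the <html> class, the mobile flag from the "m"
 * query parameter and the home-page flag from the path.
 */
BreakpointHandler.prototype.detect = function() {
  var match,
      pl = /\+/g,
      search = /([^&=]+)=?([^&]*)/g,
      decode = function (s) {
        var spaced = s.replace(pl, " ");
        // decodeURIComponent throws URIError on a malformed escape such as a
        // lone "%". The query string is caller-controlled, and an exception
        // here would abort process() before any post is rendered.
        try {
          return decodeURIComponent(spaced);
        } catch (e) {
          return spaced;
        }
      },
      query = window.location.search.substring(1);
  var urlParams = {};
  while (match = search.exec(query))
    urlParams[decode(match[1])] = decode(match[2]);
  this.isListPage = $('html').hasClass('list-page');
  this.isMobile = urlParams['m'] === '1';
  this.isHomePage = window.location.pathname == '/';
};

/**
 * Injects each post's template into the page and, on list pages, adds a
 * summary block with a "Read More" link in front of it.
 */
BreakpointHandler.prototype.initContent = function() {
  var self = this;
  $('.post').each(function(index) {
    var body = $(this).children('.post-body')[0];
    var content = $(body).children('.post-content')[0];
    $(content).addClass('post-original');
    var data = $(content).children('script').html();
    if (typeof data !== 'string') {
      // No inline template for this post: skip it rather than let one
      // malformed post stop every later post from rendering.
      return;
    }
    data = self.rewriteForSSL(data);
    var match = null;
    if (document.body.className.indexOf('is-preview') !== -1) {
      // If exists, extract specified editor's preview.
      match = data.match(/([\s\S]+?)<div data-is-preview.+?>([\s\S]+)<\/div>/m);
      if (match) {
        data = match[1];
      }
    }
    // Prevent big images from loading when they aren't needed.
    // This must be done as a pre-injection step, since image loading can't be
    // canceled once embedded into the DOM.
    if (self.isListPage && self.isMobile) {
      data = data.replace(/<(img|iframe) .+?>/g, '');
    }
    // Insert template to be rendered as nodes.
    // NOTE(review): this is an innerHTML sink. The template is the post markup
    // shipped in the page itself, so it is only as trustworthy as whoever can
    // author posts.
    content.innerHTML = data;
    if (self.isListPage) {
      var summary = document.createElement('div');
      $(summary).addClass('post-content');
      $(summary).addClass('post-summary');
      body.insertBefore(summary, content);
      if (match) {
        // Use provided summary.
        summary.innerHTML = match[2];
      } else {
        // Generate a summary.
        // Summary generation relies on DOM, so it must occur after content is
        // inserted into the page.
        summary.innerHTML = self.generateSummaryFromContent(content, 30);
      }
      // Add read more link to summary.
      var titleAnchor = $(this).find('.title a')[0];
      if (titleAnchor) {
        var link = titleAnchor.cloneNode(true);
        link.innerHTML = 'Read More';
        $(link).addClass('read-more');
        summary.appendChild(link);
      }
    }
  });
  // Firefox does not allow for proper styling of BR.
  if (navigator.userAgent.indexOf('Firefox') > -1) {
    $('.post-content br').replaceWith('<span class="space"></span>');
  }
  $('.loading').removeClass('loading');
};

/**
 * One-time setup: builds the http-to-https rewrite patterns, then detects the
 * page type and renders the posts.
 */
BreakpointHandler.prototype.process = function() {
  if (!this.initted) {
    var makeInsecureImageRegex = function(hosts) {
      var allowedHosts = hosts.join('|').replace(/\./g,'\\.');
      // Normal image tags, plus input images (yes, this is possible!)
      // The lookahead requires the host name to end where the match ends, so
      // a longer name that merely starts with a listed host is left alone.
      return new RegExp('(<(img|input)[^>]+?src=("|\'))http://(' + allowedHosts + ')(?=[/:?#"\'])', 'g');
    };
    this.sslImageRegex = makeInsecureImageRegex(BreakpointHandler.KNOWN_HTTPS_HOSTS);
    this.sslImageCurrentDomainRegex = makeInsecureImageRegex([window.location.hostname]);
    this.detect();
    this.initContent();
    this.initted = true;
  }
};

// Hosts whose image URLs are rewritten from http to https.
// No trailing comma: old IE treats it as an extra undefined element, which
// would put an empty alternative into the generated pattern.
BreakpointHandler.KNOWN_HTTPS_HOSTS = [
  "www.google.org",
  "www.google.com",
  "services.google.com",
  "blogger.com",
  "draft.blogger.com",
  "www.blogger.com",
  "photos1.blogger.com",
  "photos2.blogger.com",
  "photos3.blogger.com",
  "blogblog.com",
  "img1.blogblog.com",
  "img2.blogblog.com",
  "www.blogblog.com",
  "www1.blogblog.com",
  "www2.blogblog.com",
  "0.bp.blogspot.com",
  "1.bp.blogspot.com",
  "2.bp.blogspot.com",
  "3.bp.blogspot.com",
  "4.bp.blogspot.com",
  "lh3.googleusercontent.com",
  "lh4.googleusercontent.com",
  "lh5.googleusercontent.com",
  "lh6.googleusercontent.com",
  "themes.googleusercontent.com"
];

/**
 * Rewrites http:// sources in post markup so embedded content does not load
 * as mixed content: https for the known hosts, protocol-relative for the
 * current host.
 *
 * @param {string} html Post markup.
 * @return {string} Markup with the matching sources rewritten.
 */
BreakpointHandler.prototype.rewriteForSSL = function(html) {
  // Handle HTTP -> HTTPS source replacement of images, movies, and other embedded content.
  return html.replace(this.sslImageRegex, '$1https://$4')
             .replace(this.sslImageCurrentDomainRegex, '$1//$4')
             .replace(/(<(embed|iframe)[^>]+?src=("|'))http:\/\/([^"']*?(youtube|picasaweb\.google)\.com)/g, '$1https://$4')
             // Slideshow SWF takes a image host, so we need to rewrite that parameter.
             .replace(/(<embed[^>]+?feed=http(?=[^s]))/g, '$1s');
};

$(document).ready(function() {
  var handler = new BreakpointHandler();
  handler.process();

  // Top-level navigation.
  $(".BlogArchive .tab").click(function(ev) {
    ev.preventDefault();
    $(this).parent().toggleClass('active');
    $(this).siblings().slideToggle(300);
  });
  $(".Label .tab").click(function(ev) {
    ev.preventDefault();
    $(this).parent().toggleClass('active');
    $(this).siblings().slideToggle(300);
  });

  // Blog archive year expansion.
  $('.BlogArchive .intervalToggle').click(function(ev) {
    ev.preventDefault();
    if ($(this).parent().hasClass('collapsed')) {
      $(this).parent().removeClass('collapsed');
      $(this).parent().addClass('expanded');
    } else {
      $(this).parent().removeClass('expanded');
      $(this).parent().addClass('collapsed');
    }
  });

  // Reverse order of months.
  $('.BlogArchive .intervalToggle + div').each(function(_, items) {
    var year = $(this);
    year.children().each(function(_, month) {
      year.prepend(month);
    });
  });

  // Set anchors to open in new tab.
  // rel="noopener noreferrer" keeps the opened page from reaching back through
  // window.opener; any rel value the anchor already has is kept.
  $('.post-content img').parent().each(function(_, node) {
    if (node.nodeName == 'A') {
      var rel = $(this).attr('rel');
      $(this).attr('target', '_blank');
      $(this).attr('rel', rel ? rel + ' noopener noreferrer' : 'noopener noreferrer');
    }
  });

  // Process search requests.
  $('.searchBox input').on("keypress", function(ev) {
    if (ev.which == 13) {
      window.location.href = 'https://www.google.com/search?q=site%3A' + window.location.hostname + '%20' + encodeURIComponent ($(this).val());
    }
  });
});
//]]>
</script>
<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/984859869-widgets.js"></script> <script type='text/javascript'> window['__wavt'] = 'AOuZoY69po-IkvTEwVi5nJBv2VkX2o9gjQ:1732387478405';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d1176949257541686127','//security.googleblog.com/2019/08/','1176949257541686127'); _WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '1176949257541686127', 'title': 'Google Online Security Blog', 'url': 'https://security.googleblog.com/2019/08/', 'canonicalUrl': 'https://security.googleblog.com/2019/08/', 'homepageUrl': 'https://security.googleblog.com/', 'searchUrl': 'https://security.googleblog.com/search', 'canonicalHomepageUrl': 'https://security.googleblog.com/', 'blogspotFaviconUrl': 'https://security.googleblog.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': false, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'G-K46T604G22', 'analytics4': true, 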
'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Google Online Security Blog - Atom\x22 href\x3d\x22https://security.googleblog.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Google Online Security Blog - RSS\x22 href\x3d\x22https://security.googleblog.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Google Online Security Blog - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/1176949257541686127/posts/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/d78375fb222d99b3', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'X', 'key': 'twitter', 'shareMessage': 'Share to X', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript 
type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'archive', 'pageName': 'August 2019', 'pageTitle': 'Google Online Security Blog: August 2019'}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Google Online Security Blog', 'description': 'The latest news and insights from Google on security and safety on the Internet', 'url': 'https://security.googleblog.com/2019/08/', 'type': 'feed', 'isSingleItem': false, 'isMultipleItems': true, 'isError': false, 'isPage': false, 'isPost': false, 'isHomepage': false, 'isArchive': true, 'isLabelSearch': false, 'archive': {'year': 2019, 'month': 8, 'rangeMessage': 'Showing posts from August, 2019'}}}]); _WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML8', 'sidebar-top', document.getElementById('HTML8'), {}, 'displayModeFull')); 
_WidgetManager._RegisterWidget('_LabelView', new _WidgetInfo('Label1', 'sidebar', document.getElementById('Label1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogArchiveView', new _WidgetInfo('BlogArchive1', 'sidebar', document.getElementById('BlogArchive1'), {'languageDirection': 'ltr', 'loadingMessage': 'Loading\x26hellip;'}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML6', 'sidebar', document.getElementById('HTML6'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML5', 'sidebar-bottom', document.getElementById('HTML5'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML1', 'sidebar-bottom', document.getElementById('HTML1'), {}, 'displayModeFull')); </script> </body> </html>