CINXE.COM

<!DOCTYPE html> <html class='v2 list-page' dir='ltr' itemscope='' itemtype='http://schema.org/Blog' lang='en' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'> <head> <link href='https://www.blogger.com/static/v1/widgets/3566091532-css_bundle_v2.css' rel='stylesheet' type='text/css'/> <title> Google Online Security Blog: September 2016 </title> <meta content='JPvErrROkJmNEh4Lr_QT6CD77GdfQr6cLFw6gIXg6kc' name='google-site-verification'/> <meta content='width=device-width, height=device-height, minimum-scale=1.0, initial-scale=1.0, user-scalable=0' name='viewport'/> <meta content='IE=Edge' http-equiv='X-UA-Compatible'/> <meta content='Google Online Security Blog' property='og:title'/> <meta content='en_US' property='og:locale'/> <meta content='https://security.googleblog.com/2016/09/' property='og:url'/> <meta content='Google Online Security Blog' property='og:site_name'/>  <meta content='Google Online Security Blog' property='og:title'/> <meta content='summary' name='twitter:card'/> <meta content='@google' name='twitter:creator'/> <link href='https://fonts.googleapis.com/css?family=Roboto:400italic,400,500,500italic,700,700italic' rel='stylesheet' type='text/css'/> <link href='https://fonts.googleapis.com/icon?family=Material+Icons' rel='stylesheet'/> <script src='https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js' type='text/javascript'></script>  <style id='page-skin-1' type='text/css'></style> <style id='template-skin-1' type='text/css'></style>  <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/> <meta content='blogger' name='generator'/> <link href='https://security.googleblog.com/favicon.ico' rel='icon' type='image/x-icon'/> <link href='https://security.googleblog.com/2016/09/' rel='canonical'/> <link rel="alternate" type="application/atom+xml" title="Google Online Security Blog - Atom" href="https://security.googleblog.com/feeds/posts/default" /> <link rel="alternate" type="application/rss+xml" title="Google Online Security Blog - RSS" href="https://security.googleblog.com/feeds/posts/default?alt=rss" /> <link rel="service.post" type="application/atom+xml" title="Google Online Security Blog - Atom" href="https://www.blogger.com/feeds/1176949257541686127/posts/default" />  <meta content='https://security.googleblog.com/2016/09/' property='og:url'/> <meta content='Google Online Security Blog' property='og:title'/> <meta content='The latest news and insights from Google on security and safety on the Internet' property='og:description'/>  <base target='_self'/> <style> html { font-family: Roboto, sans-serif; -moz-osx-font-smoothing: grayscale; -webkit-font-smoothing: antialiased; } body { padding: 0; /* This ensures that the scroll bar is always present, which is needed */ /* because content render happens after page load; otherwise the header */ /* would "bounce" in-between states. */ min-height: 150%; } h2 { font-size: 16px; } h1, h2, h3, h4, h5 { line-height: 2em; } html, h4, h5, h6 { font-size: 14px; } a, a:visited { color: #4184F3; text-decoration: none; } a:focus, a:hover, a:active { text-decoration: none; } .Header { margin-top: 15px; } .Header h1 { font-size: 32px; font-weight: 300; line-height: 32px; height: 42px; } .header-inner .Header .titlewrapper { padding: 0; margin-top: 30px; } .header-inner .Header .descriptionwrapper { padding: 0; margin: 0; } .cols-wrapper { margin-top: 56px; } .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 60px; } .header-inner { height: 256px; position: relative; } html, .header-inner a { color: #212121; color: rgba(0,0,0,.87); } .header-inner .google-logo { display: inline-block; background-size: contain; z-index: 1; height: 46px; overflow: hidden; margin-top: 4px; margin-right: 8px; } .header-left { position: absolute; top: 50%; -webkit-transform: translateY(-50%); transform: translateY(-50%); margin-top: 12px; width: 100%; } .google-logo { margin-left: -4px; } #google-footer { position: relative; font-size: 13px; list-style: none; text-align: right; } #google-footer a { color: #444; } #google-footer ul { margin: 0; padding: 0; height: 144px; line-height: 144px; } #google-footer ul li { display: inline; } #google-footer ul li:before { color: #999; content: "\00b7"; font-weight: bold; margin: 5px; } #google-footer ul li:first-child:before { content: ''; } #google-footer .google-logo-dark { left: 0; margin-top: -16px; position: absolute; top: 50%; } /** Sitemap links. **/ .footer-inner-2 { font-size: 14px; padding-top: 42px; padding-bottom: 74px; } .footer-inner-2 .HTML h2 { color: #212121; color: rgba(0,0,0,.87); font-size: 14px; font-weight: 500; padding-left: 0; margin: 10px 0; } .footer-inner-2 .HTML ul { font-weight: normal; list-style: none; padding-left: 0; } .footer-inner-2 .HTML li { line-height: 24px; padding: 0; } .footer-inner-2 li a { color: rgba(65,132,243,.87); } /** Archive widget. **/ .BlogArchive { font-size: 13px; font-weight: normal; } .BlogArchive .widget-content { display: none; } .BlogArchive h2, .Label h2 { color: #4184F3; text-decoration: none; } .BlogArchive .hierarchy li { display: inline-block; } /* Specificity needed here to override widget CSS defaults. */ .BlogArchive #ArchiveList ul li, .BlogArchive #ArchiveList ul ul li { margin: 0; padding-left: 0; text-indent: 0; } .BlogArchive .intervalToggle { cursor: pointer; } .BlogArchive .expanded .intervalToggle .new-toggle { -ms-transform: rotate(180deg); transform: rotate(180deg); } .BlogArchive .new-toggle { float: right; padding-top: 3px; opacity: 0.87; } #ArchiveList { text-transform: uppercase; } #ArchiveList .expanded > ul:last-child { margin-bottom: 16px; } #ArchiveList .archivedate { width: 100%; } /* Months */ .BlogArchive .items { max-width: 150px; margin-left: -4px; } .BlogArchive .expanded .items { margin-bottom: 10px; overflow: hidden; } .BlogArchive .items > ul { float: left; height: 32px; } .BlogArchive .items a { padding: 0 4px; } .Label { font-size: 13px; font-weight: normal; } .sidebar-icon { display: inline-block; width: 24px; height: 24px; vertical-align: middle; margin-right: 12px; margin-top: -1px } .Label a { margin-right: 4px; } .Label .widget-content { display: none; } .FollowByEmail { font-size: 13px; font-weight: normal; } .FollowByEmail h2 { background: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABEAAAALCAYAAACZIGYHAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAUBJREFUeNrMkSGLAlEUhb+ZB4JFi8mx2cz+ApvhRUGTcUCrNqNJDYIi+DO0GUwmQXDK2DSIoGgZcSaIjDrzwrK4ssvChj1w0733O+fdp+m6PozH4yQSCfb7Pa7r8pOi0SjJZBLP8zgej4gAIMvlMuPxmADIYrHger1+C6lUKmo+NJ/NZojb7SZDWiwWo1qtks1msW2bw+HwZdkwDHq9HvV6nel0SqvVYrvdIh6Ph3Qch+VyqRYLhQJSSjRNw7IsfN9XgGKxSLfbJZfL0e/3aTabrFYr7vc7IujLcOh8PqunrNdr0uk0pVKJVCpFJBJRgEajweVyod1uMxgM2O12BAGUgRbU8DV2JpOhVquRz+cRQii3+XxOp9NRN3jVR5LPOp1OjEYjlSL8hclkgmmabDabt4d+m+S30vkD/R/IU4ABAPTZgnZdmG/PAAAAAElFTkSuQmCC"); background-repeat: no-repeat; background-position: 0 50%; text-indent: 30px; } .FollowByEmail .widget-content { display: none; } .searchBox input { border: 1px solid #eee; color: #212121; color: rgba(0,0,0,.87); font-size: 14px; padding: 8px 8px 8px 40px; width: 164px; font-family: Roboto, sans-serif; background: url("https://www.gstatic.com/images/icons/material/system/1x/search_grey600_24dp.png") 8px center no-repeat; } .searchBox ::-webkit-input-placeholder { /* WebKit, Blink, Edge */ color: rgba(0,0,0,.54); } .searchBox :-moz-placeholder { /* Mozilla Firefox 4 to 18 */ color: #000; opacity: 0.54; } .searchBox ::-moz-placeholder { /* Mozilla Firefox 19+ */ color: #000; opacity: 0.54; } .searchBox :-ms-input-placeholder { /* Internet Explorer 10-11 */ color: #757575; } .widget-item-control { margin-top: 0px; } .section { margin: 0; padding: 0; } #sidebar-top { border: 1px solid #eee; } #sidebar-top > div { margin: 16px 0; } .widget ul { line-height: 1.6; } /*main post*/ .post { margin-bottom:30px; } #main .post .title { margin: 0; } #main .post .title a { color: #212121; color: rgba(0,0,0,.87); font-weight: normal; font-size: 24px; } #main .post .title a:hover { text-decoration:none; color:#4184F3; } .message, #main .post .post-header { margin: 0; padding: 0; } #main .post .post-header .caption, #main .post .post-header .labels-caption, #main .post .post-footer .caption, #main .post .post-footer .labels-caption { color: #444; font-weight: 500; } #main .tr-caption-container td { text-align: left; } #main .post .tr-caption { color: #757575; color: rgba(0,0,0,.54); display: block; max-width: 560px; padding-bottom: 20px; } #main .post .tr-caption-container { line-height: 24px; margin: -1px 0 0 0 !important; padding: 4px 0; text-align: left; } #main .post .post-header .published{ font-size:11px; font-weight:bold; } .post-header .publishdate { font-size: 17px; font-weight:normal; color: #757575; color: rgba(0,0,0,.54); } #main .post .post-footer{ font-size:12px; padding-bottom: 21px; } .label-footer { margin-bottom: 12px; margin-top: 12px; } .comment-img { margin-right: 16px; opacity: 0.54; vertical-align: middle; } #main .post .post-header .published { margin-bottom: 40px; margin-top: -2px; } .post .post-content { color: #212121; color: rgba(0,0,0,.87); font-size: 17px; margin: 25px 0 36px 0; line-height: 32px; } .post-body .post-content ul, .post-body .post-content ol { margin: 16px 0; padding: 0 48px; } .post-summary { display: none; } /* Another old-style caption. */ .post-content div i, .post-content div + i { font-size: 14px; font-style: normal; color: #757575; color: rgba(0,0,0,.54); display: block; line-height: 24px; margin-bottom: 16px; text-align: left; } /* Another old-style caption (with link) */ .post-content a > i { color: #4184F3 !important; } /* Old-style captions for images. */ .post-content .separator + div:not(.separator) { margin-top: -16px; } /* Capture section headers. */ .post-content br + br + b, .post-content .space + .space + b, .post-content .separator + b { display: inline-block; margin-bottom: 8px; margin-top: 24px; } .post-content li { line-height: 32px; } /* Override all post images/videos to left align. */ .post-content .separator > a, .post-content .separator > span { margin-left: 0 !important; } .post-content img { max-width: 100%; height: auto; width: auto; } .post-content .tr-caption-container img { margin-bottom: 12px; } .post-content iframe, .post-content embed { max-width: 100%; } .post-content .carousel-container { margin-bottom: 48px; } #main .post-content b { font-weight: 500; } /* These are the main paragraph spacing tweaks. */ #main .post-content br { content: ' '; display: block; padding: 4px; } .post-content .space { display: block; height: 8px; } .post-content iframe + .space, .post-content iframe + br { padding: 0 !important; } #main .post .jump-link { margin-bottom:10px; } .post-content img, .post-content iframe { margin: 30px 0 20px 0; } .post-content > img:first-child, .post-content > iframe:first-child { margin-top: 0; } .col-right .section { padding: 0 16px; } #aside { background:#fff; border:1px solid #eee; border-top: 0; } #aside .widget { margin:0; } #aside .widget h2, #ArchiveList .toggle + a.post-count-link { color: #212121; color: rgba(0,0,0,.87); font-weight: 400 !important; margin: 0; } #ArchiveList .toggle { float: right; } #ArchiveList .toggle .material-icons { padding-top: 4px; } #sidebar .tab { cursor: pointer; } #sidebar .tab .arrow { display: inline-block; float: right; } #sidebar .tab .icon { display: inline-block; vertical-align: top; height: 24px; width: 24px; margin-right: 13px; margin-left: -1px; margin-top: 1px; color: #757575; color: rgba(0,0,0,.54); } #sidebar .widget-content > :first-child { padding-top: 8px; } #sidebar .active .tab .arrow { -ms-transform: rotate(180deg); transform: rotate(180deg); } #sidebar .arrow { color: #757575; color: rgba(0,0,0,.54); } #sidebar .widget h2 { font-size: 14px; line-height: 24px; display: inline-block; } #sidebar .widget .BlogArchive { padding-bottom: 8px; } #sidebar .widget { border-bottom: 1px solid #eee; box-shadow: 0px 1px 0 white; margin-bottom: 0; padding: 14px 0; min-height: 20px; } #sidebar .widget:last-child { border-bottom: none; box-shadow: none; margin-bottom: 0; } #sidebar ul { margin: 0; padding: 0; } #sidebar ul li { list-style:none; padding:0; } #sidebar ul li a { line-height: 32px; } #sidebar .archive { background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAYCAYAAADzoH0MAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAE1JREFUeNpiNDY23s9AAWBioBCwYBM8c+YMVsUmJibEGYBNMS5DaeMFfDYSZQA2v9I3FrB5AZeriI4FmnrBccCT8mhmGs1MwyAzAQQYAKEWG9zm9QFEAAAAAElFTkSuQmCC"); height: 24px; line-height: 24px; padding-left: 30px; } #sidebar .labels { background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABEAAAARCAYAAAA7bUf6AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAUxJREFUeNpiNDY23s9AAMycOfM7UF05kHkZmzwTMkdSUhKrIcXFxZy3bt3qBjIN8RrS09PDsHnzZjCNDr58+cKQlpbGDjSoHcg1w2oIyAUODg5gARCNzUVIBrUCuVYYhjx//pzhwIEDYAEQDeJjA1CDWIAGNQK59jBxRuSABbkAlwHIgIeHh2HWrFn/1NTU2oDcvSgBS4wBSC5iArqoCsj1YGIgEyAZVMoEchqlBjEB/cZAiUHg2AEGznpKDAImxOeM////B4VLKtBvEUCngZ1ILKivr3/u6+ubBzJAGZQ9gC5aQoqLgAY8BhkAZL4BuQQkxgXE34A4BuiiZEIuAhrwEGhAEZD5DpzYoIaA2UAM4kQADUrHZRDUgAIg8wO2XAwzbQXQa5OweQ1owB10AyA6gS7BgX1u3ry5397eHow3bdo0EyjGi00tQIABANPgyAH1q1eaAAAAAElFTkSuQmCC"); height: 20px; line-height: 20px; padding-left: 30px; } #sidebar .rss a { background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABIAAAASCAYAAABWzo5XAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAX5JREFUeNqsVDGSgkAQHL2rIiIikohIc/EBRkbwAIwuwgfwAXiAD9AHSI7kEkECRCb6AIyINDLx7K0aa6kT7uq0q7YYtnZ7umdnt7darXbr9Zpegeu61DNNc0dvwCcH4/GYJpMJnc9nOhwOVJbl/4hAAokMECZJQtvt9k+kH7qufyEYDAakqqqYxFdRFBqNRmTbNg2HQ0rTlK7XayvR0xqBdDqdkuM4dE/0ULhYLOh4PHYrknG5XGi/31MYhuL/nkwonM1mlGUZ1XXdrsiyLGEDhY7juJEZ1u5tIixDGdYhmYw+B7CAzPP5nDabjdgIAgCksMX1832/3drtdqPT6SQWapomiGEFNkDEdpDMMAzK81ys/7XYy+XyoQgq2WoURSIJ2iIIgp/WZCCTvFm2wgeAU31aI3Q2GhIDMeB53qPYPIcm5VrxXIOIOxsDMStjVawAc1VViRgN22lNBiuQN3GR+SY07hpOoStmFQAKXRRFY93bnpG+fONfedi+BRgAbkS8Fxp7QQIAAAAASUVORK5CYII="); } #sidebar .subscription a { background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABEAAAALCAYAAACZIGYHAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAUBJREFUeNrMkSGLAlEUhb+ZB4JFi8mx2cz+ApvhRUGTcUCrNqNJDYIi+DO0GUwmQXDK2DSIoGgZcSaIjDrzwrK4ssvChj1w0733O+fdp+m6PozH4yQSCfb7Pa7r8pOi0SjJZBLP8zgej4gAIMvlMuPxmADIYrHger1+C6lUKmo+NJ/NZojb7SZDWiwWo1qtks1msW2bw+HwZdkwDHq9HvV6nel0SqvVYrvdIh6Ph3Qch+VyqRYLhQJSSjRNw7IsfN9XgGKxSLfbJZfL0e/3aTabrFYr7vc7IujLcOh8PqunrNdr0uk0pVKJVCpFJBJRgEajweVyod1uMxgM2O12BAGUgRbU8DV2JpOhVquRz+cRQii3+XxOp9NRN3jVR5LPOp1OjEYjlSL8hclkgmmabDabt4d+m+S30vkD/R/IU4ABAPTZgnZdmG/PAAAAAElFTkSuQmCC"); } #sidebar-bottom { background: #f5f5f5; border-top:1px solid #eee; } #sidebar-bottom .widget { border-bottom: 1px solid #e0e0e0; padding: 15px 0; text-align: center; } #sidebar-bottom > div:last-child { border-bottom: 0; } #sidebar-bottom .text { line-height: 20px; } /* Home, forward, and backward pagination. */ .blog-pager { border-top : 1px #e0e0e0 solid; padding-top: 10px; margin-top: 15px; text-align: right !important; } #blog-pager { margin-botom: 0; margin-top: -14px; padding: 16px 0 0 0; } #blog-pager a { display: inline-block; } .blog-pager i.disabled { opacity: 0.2 !important; } .blog-pager i { color: black; margin-left: 16px; opacity: 0.54; } .blog-pager i:hover, .blog-pager i:active { opacity: 0.87; } #blog-pager-older-link, #blog-pager-newer-link { float: none; } .gplus-profile { background-color: #fafafa; border: 1px solid #eee; overflow: hidden; width: 212px; } .gplus-profile-inner { margin-left: -1px; margin-top: -1px; } /* Sidebar follow buttons. */ .followgooglewrapper { padding: 12px 0 0 0; } .loading { visibility: hidden; } .detail-page .post-footer .cmt_iframe_holder { padding-top: 40px !important; } /** Desktop **/ @media (max-width: 900px) { .col-right { display: none; } .col-main { margin-right: 0; min-width: initial; } .footer-outer { display: none; } .cols-wrapper { min-width: initial; } .google-footer-outer { background-color: #f5f5f5; } } /** Tablet **/ @media (max-width: 712px) { .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 40px; } } /* An extra breakpoint accommodating for long blog titles. */ @media (max-width: 600px) { .header-left { height: 100%; top: inherit; margin-top: 0; -webkit-transform: initial; transform: initial; } .header-title { margin-top: 18px; } .header-inner .google-logo { height: 40px; margin-top: 3px; } .header-inner .google-logo img { height: 42px; } .header-title h2 { font-size: 32px; line-height: 40px; } .header-desc { bottom: 24px; position: absolute; } } /** Mobile/small desktop window; also landscape. **/ @media (max-width: 480px), (max-height: 480px) { .header-outer, .cols-wrapper, .footer-outer, .google-footer-outer { padding: 0 16px; } .cols-wrapper { margin-top: 0; } .post-header .publishdate, .post .post-content { font-size: 16px; } .post .post-content { line-height: 28px; margin-bottom: 30px; } .post { margin-top: 30px; } .byline-author { display: block; font-size: 12px; line-height: 24px; margin-top: 6px; } #main .post .title a { font-weight: 500; color: #4c4c4c; color: rgba(0,0,0,.70); } #main .post .post-header { padding-bottom: 12px; } #main .post .post-header .published { margin-bottom: -8px; margin-top: 3px; } .post .read-more { display: block; margin-top: 14px; } .post .tr-caption { font-size: 12px; } #main .post .title a { font-size: 20px; line-height: 30px; } .post-content iframe { /* iframe won't keep aspect ratio when scaled down. */ max-height: 240px; } .post-content .separator img, .post-content .tr-caption-container img, .post-content iframe { margin-left: -16px; max-width: inherit; width: calc(100% + 32px); } .post-content table, .post-content td { width: 100%; } #blog-pager { margin: 0; padding: 16px 0; } /** List page tweaks. **/ .list-page .post-original { display: none; } .list-page .post-summary { display: block; } .list-page .comment-container { display: none; } .list-page #blog-pager { padding-top: 0; border: 0; margin-top: -8px; } .list-page .label-footer { display: none; } .list-page #main .post .post-footer { border-bottom: 1px solid #eee; margin: -16px 0 0 0; padding: 0 0 20px 0; } .list-page .post .share { display: none; } /** Detail page tweaks. **/ .detail-page .post-footer .cmt_iframe_holder { padding-top: 32px !important; } .detail-page .label-footer { margin-bottom: 0; } .detail-page #main .post .post-footer { padding-bottom: 0; } .detail-page #comments { display: none; } } [data-about-pullquote], [data-is-preview], [data-about-syndication] { display: none; } </style> <noscript> <style> .loading { visibility: visible }</style> </noscript>  <script async='true' src='https://www.googletagmanager.com/gtag/js?id=G-K46T604G22'></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-K46T604G22'); </script> <link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1176949257541686127&zx=0f7b9d63-190f-4056-9792-6827b49e724a' media='none' onload='if(media!='all')media='all'' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1176949257541686127&zx=0f7b9d63-190f-4056-9792-6827b49e724a' rel='stylesheet'/></noscript> <meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/> <meta name='google-adsense-platform-domain' content='blogspot.com'/> </head> <body> <script type='text/javascript'> //<![CDATA[ var axel = Math.random() + ""; var a = axel * 10000000000000; document.write('<iframe src="https://2542116.fls.doubleclick.net/activityi;src=2542116;type=gblog;cat=googl0;ord=ord=' + a + '?" width="1" height="1" frameborder="0" style="display:none"></iframe>'); //]]> </script> <noscript> <img alt='' height='1' src='https://ad.doubleclick.net/ddm/activity/src=2542116;type=gblog;cat=googl0;ord=1?' width='1'/> </noscript>  <div class='header-outer'> <div class='header-inner'> <div class='section' id='header'><div class='widget Header' data-version='1' id='Header1'> <div class='header-left'> <div class='header-title'> <a class='google-logo' href='https://security.googleblog.com/'> <img height='50' src='https://www.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png'/> </a> <a href='/.'> <h2> Security Blog </h2> </a> </div> <div class='header-desc'> The latest news and insights from Google on security and safety on the Internet </div> </div> </div></div> </div> </div>  <div class='cols-wrapper loading'> <div class='col-main-wrapper'> <div class='col-main'> <div class='section' id='main'><div class='widget Blog' data-version='1' id='Blog1'> <div class='post' data-id='3894697889805631214' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2016/09/onhub-powerful-protection-for-peace-of.html' itemprop='url' title='OnHub: Powerful protection for peace of mind'> OnHub: Powerful protection for peace of mind </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> September 27, 2016 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Chris Millikin, Public Defender (Security Engineering Manager)</span><br /> <i>[Cross-posted from the <a href="https://on.google.com/hub/blog/2016-09-27/onhub-powerful-protection-for-peace-of-mind/">Official OnHub Blog</a>]</i><br /> Since OnHub launched, we've highlighted a variety of features that enable users to do the things they love online without having to deal with the annoying router issues that we've all experienced at one time or another. These include: Fast, reliable Wi-Fi for more than 100 devices at a time, easy streaming and sharing, and wide-ranging coverage that helps eliminate dead zones.<br /> <br /> We haven't, however, highlighted one of OnHub's most powerful features: Industry-leading security. Your router is the first line of defense for your online world. Because bad actors are aware of the critical position routers occupy in the network, routers are frequently the target of security attacks.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7HesgPPZikQH43zepPCS-XrO2bjfwb6iCKnDa5jrlKyd-jmVVY9FjWqJHE49xLbHiid-knyoDhjjVsMzLzdUkvQP8fbz0nKj2HLMDCt9imh3gnJwe6U7ost46K3jzt4hI54zku8xoUpay/s1600/router-network3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7HesgPPZikQH43zepPCS-XrO2bjfwb6iCKnDa5jrlKyd-jmVVY9FjWqJHE49xLbHiid-knyoDhjjVsMzLzdUkvQP8fbz0nKj2HLMDCt9imh3gnJwe6U7ost46K3jzt4hI54zku8xoUpay/s400/router-network3.png" width="400" /></a></div> OnHub’s security features go beyond those of the typical router: OnHub is hardened against a variety of attacks, protecting your home network from many online threats. Three features in particular help ensure OnHub protects your data and devices from a variety of threats.<br /> <br /> <b>Three Security features that set OnHub apart</b><br /> <b><br /></b> <b>1. Defense in Depth</b><br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQVsqQnhKbXl2oMiREaktVYpANAr9GKZoZjQ0LeiQeoIpbrtWJXf-2p5AMEzR_0PCB-QDvMrj1bbx3lPajg81d0yGlJ-URchuff7X0HBkhQWZvtmIx-uZ92tsizJOnZ6-1S68J9jBDIa8e/s1600/security-graphic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQVsqQnhKbXl2oMiREaktVYpANAr9GKZoZjQ0LeiQeoIpbrtWJXf-2p5AMEzR_0PCB-QDvMrj1bbx3lPajg81d0yGlJ-URchuff7X0HBkhQWZvtmIx-uZ92tsizJOnZ6-1S68J9jBDIa8e/s320/security-graphic.png" width="320" /></a></div> There are many elements that go into creating a robust defense in depth.<br /> <br /> Auto updates: OnHub regularly downloads automatic updates without you having to do anything--a long-established practice on mobile devices and software like Chrome, but one that appliances haven’t caught up with yet. These updates provide regular maintenance fixes and address critical vulnerabilities. They’re like the seatbelts of online security— <a href="https://security.googleblog.com/2015/07/new-research-comparing-how-security.html">internet security experts</a> recommend that users always accept updates.<br /> <br /> However, when updates don’t happen automatically, many people don’t bother. OnHub communicates directly with Google, and makes sure all software is signed and verified. For instance, when a vulnerability was found in a software library (<a href="https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html">glibc</a>) earlier this year, we were able to update OnHub’s entire fleet of devices within just a few days. In comparison, the vast majority of other routers require active user intervention to protect against such threats.<br /> <br /> Verified Boot: Verified Boot protects you by preventing compromised OnHubs from booting. We use this technology in Chromebooks, <a href="https://security.googleblog.com/2016/09/keeping-android-safe-security.html">strictly enforce it in Android Nougat</a>, and we implemented it in OnHub from the very beginning. This makes OnHub extremely difficult to attack or compromise. For instance, the device runs software that has been cryptographically signed by Google.<br /> <br /> Cloud administration: A traditional router is commonly attacked through its local administration web interface, where attackers have taken advantage of exploits like <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF</a> to remotely take control and change critical settings like DNS, so we eliminated that from the beginning. Instead OnHub is managed through the cloud, with strong authentication and authorization, using a simple phone app. A read-only API is available only on the internal network, to provide important data to the OnHub app during setup and when troubleshooting.<br /> <br /> Process isolation: We also layer multiple techniques such as process isolation (uid/gid separation, namespaces, capability whitelists) and <a href="https://en.wikipedia.org/wiki/Seccomp">seccomp</a> filtering to isolate network-facing services, which helps reduce potential attack scenarios in a given application by preventing an attacker from making lateral movements in the system.<br /> <br /> <b>2. Hardware Provenance</b><br /> Modern hardware devices include many types of chips, drivers, and firmware. It’s important to know what each part is doing and where it came from. Our security team works to track the origins of all hardware, software, and firmware that goes into OnHub, including those from third-party sources. If a vulnerability is ever found, OnHub security works to fix the problem immediately.<br /> <br /> The same goes for the open source components of OnHub. Before shipping, we do comprehensive code reviews of critical attack surfaces (i.e. network facing daemons), looking for security vulnerabilities. For example, we reviewed miniupnpd, hostapd, and dnsmasq. As a result of those reviews, Google reported security bugs to the open source project maintainers and offered patches. Here are three that we fixed: <a href="http://w1.fi/security/2015-2/">bugs</a> <a href="http://w1.fi/security/2015-3/">in</a> <a href="http://w1.fi/security/2015-4/">hosted</a>.<br /> <br /> <b>3. Cloud Intelligence</b><br /> We use anonymized metrics from our fleet of OnHubs to quickly detect and counter potential threats. For example, since we know that DNS is often a target of attacks, we monitor DNS settings on all OnHub routers for activity that could indicate a security compromise. This is “cloud intelligence” – a benefit that Google is uniquely able to deliver. By connecting OnHub to the Google cloud, we provide the same level of protection you expect across all your Google apps and devices. Because you manage your router through the cloud using your secure Google identity, you don’t have to remember yet another password for managing your OnHub, and you don’t have to be at home to control it.<br /> <br /> <b>Security Improvements, Automatically</b><br /> OnHub also participates in <a href="https://security.googleblog.com/2016/01/google-security-rewards-2015-year-in.html">Google’s Vulnerability Reward Program</a>, which started in 2010 to honor all of the cutting-edge external contributions that help us keep our users safe. Through this program, if you can find a qualifying bug in OnHub’s security, rewards range from $100 to $20,000. Click <a href="https://www.google.com/about/appsecurity/reward-program/">here</a> for an outline of the rewards for the most common classes of bugs.<br /> <br /> When it comes to security, not all routers are created equal. OnHub protects you and your network with security that continues to adapt to threats. We’re always improving OnHub security, and automatically update without users having to take any actions. As cybersecurity evolves and new threats emerge, OnHub will be ready to meet the latest challenges for years to come. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Chris Millikin, Public Defender (Security Engineering Manager)</span><br /> <i>[Cross-posted from the <a href="https://on.google.com/hub/blog/2016-09-27/onhub-powerful-protection-for-peace-of-mind/">Official OnHub Blog</a>]</i><br /> Since OnHub launched, we've highlighted a variety of features that enable users to do the things they love online without having to deal with the annoying router issues that we've all experienced at one time or another. These include: Fast, reliable Wi-Fi for more than 100 devices at a time, easy streaming and sharing, and wide-ranging coverage that helps eliminate dead zones.<br /> <br /> We haven't, however, highlighted one of OnHub's most powerful features: Industry-leading security. Your router is the first line of defense for your online world. Because bad actors are aware of the critical position routers occupy in the network, routers are frequently the target of security attacks.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7HesgPPZikQH43zepPCS-XrO2bjfwb6iCKnDa5jrlKyd-jmVVY9FjWqJHE49xLbHiid-knyoDhjjVsMzLzdUkvQP8fbz0nKj2HLMDCt9imh3gnJwe6U7ost46K3jzt4hI54zku8xoUpay/s1600/router-network3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7HesgPPZikQH43zepPCS-XrO2bjfwb6iCKnDa5jrlKyd-jmVVY9FjWqJHE49xLbHiid-knyoDhjjVsMzLzdUkvQP8fbz0nKj2HLMDCt9imh3gnJwe6U7ost46K3jzt4hI54zku8xoUpay/s400/router-network3.png" width="400" /></a></div> OnHub’s security features go beyond those of the typical router: OnHub is hardened against a variety of attacks, protecting your home network from many online threats. Three features in particular help ensure OnHub protects your data and devices from a variety of threats.<br /> <br /> <b>Three Security features that set OnHub apart</b><br /> <b><br /></b> <b>1. Defense in Depth</b><br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQVsqQnhKbXl2oMiREaktVYpANAr9GKZoZjQ0LeiQeoIpbrtWJXf-2p5AMEzR_0PCB-QDvMrj1bbx3lPajg81d0yGlJ-URchuff7X0HBkhQWZvtmIx-uZ92tsizJOnZ6-1S68J9jBDIa8e/s1600/security-graphic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQVsqQnhKbXl2oMiREaktVYpANAr9GKZoZjQ0LeiQeoIpbrtWJXf-2p5AMEzR_0PCB-QDvMrj1bbx3lPajg81d0yGlJ-URchuff7X0HBkhQWZvtmIx-uZ92tsizJOnZ6-1S68J9jBDIa8e/s320/security-graphic.png" width="320" /></a></div> There are many elements that go into creating a robust defense in depth.<br /> <br /> Auto updates: OnHub regularly downloads automatic updates without you having to do anything--a long-established practice on mobile devices and software like Chrome, but one that appliances haven’t caught up with yet. These updates provide regular maintenance fixes and address critical vulnerabilities. They’re like the seatbelts of online security— <a href="https://security.googleblog.com/2015/07/new-research-comparing-how-security.html">internet security experts</a> recommend that users always accept updates.<br /> <br /> However, when updates don’t happen automatically, many people don’t bother. OnHub communicates directly with Google, and makes sure all software is signed and verified. For instance, when a vulnerability was found in a software library (<a href="https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html">glibc</a>) earlier this year, we were able to update OnHub’s entire fleet of devices within just a few days. In comparison, the vast majority of other routers require active user intervention to protect against such threats.<br /> <br /> Verified Boot: Verified Boot protects you by preventing compromised OnHubs from booting. We use this technology in Chromebooks, <a href="https://security.googleblog.com/2016/09/keeping-android-safe-security.html">strictly enforce it in Android Nougat</a>, and we implemented it in OnHub from the very beginning. This makes OnHub extremely difficult to attack or compromise. For instance, the device runs software that has been cryptographically signed by Google.<br /> <br /> Cloud administration: A traditional router is commonly attacked through its local administration web interface, where attackers have taken advantage of exploits like <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF</a> to remotely take control and change critical settings like DNS, so we eliminated that from the beginning. Instead OnHub is managed through the cloud, with strong authentication and authorization, using a simple phone app. A read-only API is available only on the internal network, to provide important data to the OnHub app during setup and when troubleshooting.<br /> <br /> Process isolation: We also layer multiple techniques such as process isolation (uid/gid separation, namespaces, capability whitelists) and <a href="https://en.wikipedia.org/wiki/Seccomp">seccomp</a> filtering to isolate network-facing services, which helps reduce potential attack scenarios in a given application by preventing an attacker from making lateral movements in the system.<br /> <br /> <b>2. Hardware Provenance</b><br /> Modern hardware devices include many types of chips, drivers, and firmware. It’s important to know what each part is doing and where it came from. Our security team works to track the origins of all hardware, software, and firmware that goes into OnHub, including those from third-party sources. If a vulnerability is ever found, OnHub security works to fix the problem immediately.<br /> <br /> The same goes for the open source components of OnHub. Before shipping, we do comprehensive code reviews of critical attack surfaces (i.e. network facing daemons), looking for security vulnerabilities. For example, we reviewed miniupnpd, hostapd, and dnsmasq. As a result of those reviews, Google reported security bugs to the open source project maintainers and offered patches. Here are three that we fixed: <a href="http://w1.fi/security/2015-2/">bugs</a> <a href="http://w1.fi/security/2015-3/">in</a> <a href="http://w1.fi/security/2015-4/">hosted</a>.<br /> <br /> <b>3. Cloud Intelligence</b><br /> We use anonymized metrics from our fleet of OnHubs to quickly detect and counter potential threats. For example, since we know that DNS is often a target of attacks, we monitor DNS settings on all OnHub routers for activity that could indicate a security compromise. This is “cloud intelligence” – a benefit that Google is uniquely able to deliver. By connecting OnHub to the Google cloud, we provide the same level of protection you expect across all your Google apps and devices. Because you manage your router through the cloud using your secure Google identity, you don’t have to remember yet another password for managing your OnHub, and you don’t have to be at home to control it.<br /> <br /> <b>Security Improvements, Automatically</b><br /> OnHub also participates in <a href="https://security.googleblog.com/2016/01/google-security-rewards-2015-year-in.html">Google’s Vulnerability Reward Program</a>, which started in 2010 to honor all of the cutting-edge external contributions that help us keep our users safe. Through this program, if you can find a qualifying bug in OnHub’s security, rewards range from $100 to $20,000. Click <a href="https://www.google.com/about/appsecurity/reward-program/">here</a> for an outline of the rewards for the most common classes of bugs.<br /> <br /> When it comes to security, not all routers are created equal. OnHub protects you and your network with security that continues to adapt to threats. We’re always improving OnHub security, and automatically update without users having to take any actions. As cybersecurity evolves and new threats emerge, OnHub will be ready to meet the latest challenges for years to come. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:OnHub: Powerful protection for peace of mind&url=https://security.googleblog.com/2016/09/onhub-powerful-protection-for-peace-of.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2016/09/onhub-powerful-protection-for-peace-of.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'>  </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2016/09/onhub-powerful-protection-for-peace-of.html' data-url='https://security.googleblog.com/2016/09/onhub-powerful-protection-for-peace-of.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2016/09/onhub-powerful-protection-for-peace-of.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='2144047422147855652' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2016/09/reshaping-web-defenses-with-strict.html' itemprop='url' title='Reshaping web defenses with strict Content Security Policy'> Reshaping web defenses with strict Content Security Policy </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> September 26, 2016 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Artur Janc, Michele Spagnuolo, Lukas Weichselbaum, and David Ross, Information Security Engineers</span><br /> <br /> <a href="https://www.google.com/about/appsecurity/learning/xss/">Cross-site scripting</a> — the ability to inject undesired scripts into a trusted web application — has been one of the top web security vulnerabilities for over a decade. Just in the past 2 years Google has awarded researchers over $1.2 million for reporting XSS bugs in our applications via the <a href="https://www.google.com/about/appsecurity/reward-program/index.html">Vulnerability Reward Program</a>. Modern web technologies such as <a href="https://queue.acm.org/detail.cfm?id=2663760">strict contextual auto-escaping</a> help developers avoid mistakes which lead to XSS, and <a href="https://cloudplatform.googleblog.com/2015/02/using-google-cloud-platform-for.html">automated scanners</a> can catch classes of vulnerabilities during the testing process. However, in complex applications bugs inevitably slip by, allowing attacks ranging from harmless pranks to malicious <a href="https://security.googleblog.com/2011/03/mhtml-vulnerability-under-active.html">targeted exploits</a>.<br /> <br /> Content Security Policy (CSP) is a mechanism designed to step in precisely when such bugs happen; it provides developers the ability to restrict which scripts are allowed to execute so that even if attackers can inject HTML into a vulnerable page, they should not be able to load malicious scripts and other types of resources. CSP is a flexible tool allowing developers to set a wide range of policies; it is supported — though not always in its entirety — by all modern browsers.<br /> <br /> However, the flexibility of CSP also leads to its biggest problem: it makes it easy to set policies which appear to work, but offer no real security benefit. In a <a href="https://research.google.com/pubs/pub45542.html">recent Internet-wide study</a> we analyzed over 1 billion domains and found that 95% of deployed CSP policies are ineffective as a protection against XSS. One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections. We believe it's important to improve this, and help the web ecosystem make full use of the potential of CSP.<br /> <br /> <b>Towards safer CSP policies</b><br /> To help developers craft policies which meaningfully protect their applications, today we’re releasing the <a href="https://csp-evaluator.withgoogle.com/">CSP Evaluator</a>, a tool to visualize the effect of setting a policy and detect subtle misconfigurations. CSP Evaluator is used by security engineers and developers at Google to make sure policies provide a meaningful security benefit and cannot be subverted by attackers.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkRJ3mQxc_iFMYeAMnSGHbZmqsSbuIwE9mg1V7TbVeiSgd3l4-rD48u7xOY9fKXlmNPe1TM3PCRzxLHS5I_aiHdYZ3EnE-QtwpFNifFoZR14Xs6uc1qQgEWsG1iXb8hDZ47nk_c8tZZYMI/s1600/pasted+image+0+%25288%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkRJ3mQxc_iFMYeAMnSGHbZmqsSbuIwE9mg1V7TbVeiSgd3l4-rD48u7xOY9fKXlmNPe1TM3PCRzxLHS5I_aiHdYZ3EnE-QtwpFNifFoZR14Xs6uc1qQgEWsG1iXb8hDZ47nk_c8tZZYMI/s640/pasted+image+0+%25288%2529.png" width="640" /></a></div> Even with such a helpful tool, building a safe script whitelist for a complex application is often all but impossible due to the number of popular domains with resources that allow CSP to be bypassed. Here’s where the idea of a nonce-based CSP policy comes in. Instead of whitelisting all allowed script locations, it’s often simpler to modify the application to prove that a script is trusted by the developer by giving it a nonce -- an unpredictable, single-use token which has to match a value set in the policy:<br /> <br /> <span style="font-family: "courier new" , "courier" , monospace;">Content-Security-Policy: script-src 'nonce-random123'</span><br /> <span style="font-family: "courier new" , "courier" , monospace;"><br /></span> <span style="font-family: "courier new" , "courier" , monospace;"><script nonce='random123'>alert('This script will run')</script></span><br /> <span style="font-family: "courier new" , "courier" , monospace;"><script>alert('Will not run: missing nonce')</script></span><br /> <span style="font-family: "courier new" , "courier" , monospace;"><script nonce='bad123'>alert("Won't run: invalid nonce")</script></span><br /> <span style="font-family: "courier new" , "courier" , monospace;"><br /></span> With '<a href="https://www.w3.org/TR/CSP3/#strict-dynamic-usage">strict-dynamic'</a>, a part of the upcoming CSP3 specification already <a href="https://www.chromestatus.com/feature/5633814718054400">supported</a> by Chrome and Opera (and coming soon to Firefox), adopting such policies in complex, modern applications becomes much easier. Developers can now set a single, short policy such as:<br /> <br /> <span style="font-family: "courier new" , "courier" , monospace;">script-src 'nonce-random123' 'strict-dynamic'; object-src 'none'</span><br /> <span style="font-family: "courier new" , "courier" , monospace;"><br /></span> and make sure that all static <span style="font-family: "courier new" , "courier" , monospace;"><script></span> elements contain a matching nonce attribute — in many cases this is all that’s needed to enjoy added protection against XSS since ‘strict-dynamic’ will take care of loading any trusted scripts added at runtime. This approach allows setting policies which are <a href="https://csp.withgoogle.com/docs/strict-csp.html#example">backwards-compatible</a> with all CSP-aware browsers, and <a href="https://csp.withgoogle.com/docs/faq.html#strict-dynamic-with-whitelists">plays well</a> with applications which already use a traditional CSP policy; it also simplifies the process of adopting CSP and doesn’t require changing the policy as the application evolves.<br /> <br /> <b>Adopting strict CSP</b><br /> In the past months we’ve deployed this approach in several large Google applications, including <a href="https://console.developers.google.com/">Cloud Console</a>, <a href="https://photos.google.com/">Photos</a>, <a href="https://myactivity.google.com/myactivity">History</a>, <a href="https://www.google.com/about/careers/jobs">Careers Search</a>, <a href="https://www.google.com/maps/timeline">Maps Timeline</a>, <a href="https://www.google.com/culturalinstitute/">Cultural Institute</a> and are working on many more. We believe this approach can also help other developers so today we’re publishing documentation discussing the <a href="https://csp.withgoogle.com/docs/strict-csp.html">best strategies for implementing CSP</a>, including an overview of the <a href="https://csp.withgoogle.com/docs/why-csp.html">benefits of CSP</a>, sample policies, and examples of common <a href="https://csp.withgoogle.com/docs/adopting-csp.html#code-changes">code changes</a>.<br /> <br /> Further, today we’re releasing <a href="https://chrome.google.com/webstore/detail/csp-mitigator/gijlobangojajlbodabkpjpheeeokhfa">CSP Mitigator</a>, a Chrome extension that helps developers review an application for compatibility with nonce-based CSP. The extension can be enabled for any URL prefix and will collect data about any programming patterns that need to be refactored to support CSP. This includes identifying scripts which do not have the correct nonce attribute, detecting inline event handlers, javascript: URIs, and several other more subtle patterns which might need attention.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKuluySG_8sc1T4dY9aNn8Lup3X3zvDMAZe5yPyp5wuX2UAEGmuuhuqf7gdywrp3Lh5J0B3Fi-PA6D_F1cQ8ul8UnVimZ47DbVFWHL9NvpWPX-9_rlSk-FE78ZalNgloBamJN0cAzFnzdo/s1600/pasted+image+0+%25289%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKuluySG_8sc1T4dY9aNn8Lup3X3zvDMAZe5yPyp5wuX2UAEGmuuhuqf7gdywrp3Lh5J0B3Fi-PA6D_F1cQ8ul8UnVimZ47DbVFWHL9NvpWPX-9_rlSk-FE78ZalNgloBamJN0cAzFnzdo/s640/pasted+image+0+%25289%2529.png" width="640" /></a></div> As with the CSP Evaluator, we use the extension with our applications to help speed up the process of adopting nonce-based CSP policies nonce-based policies across Google.<br /> <br /> <b>Encouraging broader use of strict CSP</b><br /> Finally, today we’re including CSP adoption efforts in the scope of the <a href="https://www.google.com/about/appsecurity/patch-rewards/">Patch Reward Program</a>; proactive work to help make popular open-source web frameworks compatible with nonce-based CSP can qualify for rewards (but please read the <a href="https://www.google.com/about/appsecurity/patch-rewards/#content">program rules</a> and <a href="https://csp.withgoogle.com/docs/faq.html#csp-patches">CSP refactoring tips</a> first). We hope that increased attention to this area will also encourage researchers to find new, creative ways to circumvent CSP restrictions, and help us further improve the mechanism so that we can better protect Internet users from web threats.<br /> <br /> To reach out to us, email more-csp@google.com. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Artur Janc, Michele Spagnuolo, Lukas Weichselbaum, and David Ross, Information Security Engineers</span><br /> <br /> <a href="https://www.google.com/about/appsecurity/learning/xss/">Cross-site scripting</a> — the ability to inject undesired scripts into a trusted web application — has been one of the top web security vulnerabilities for over a decade. Just in the past 2 years Google has awarded researchers over $1.2 million for reporting XSS bugs in our applications via the <a href="https://www.google.com/about/appsecurity/reward-program/index.html">Vulnerability Reward Program</a>. Modern web technologies such as <a href="https://queue.acm.org/detail.cfm?id=2663760">strict contextual auto-escaping</a> help developers avoid mistakes which lead to XSS, and <a href="https://cloudplatform.googleblog.com/2015/02/using-google-cloud-platform-for.html">automated scanners</a> can catch classes of vulnerabilities during the testing process. However, in complex applications bugs inevitably slip by, allowing attacks ranging from harmless pranks to malicious <a href="https://security.googleblog.com/2011/03/mhtml-vulnerability-under-active.html">targeted exploits</a>.<br /> <br /> Content Security Policy (CSP) is a mechanism designed to step in precisely when such bugs happen; it provides developers the ability to restrict which scripts are allowed to execute so that even if attackers can inject HTML into a vulnerable page, they should not be able to load malicious scripts and other types of resources. CSP is a flexible tool allowing developers to set a wide range of policies; it is supported — though not always in its entirety — by all modern browsers.<br /> <br /> However, the flexibility of CSP also leads to its biggest problem: it makes it easy to set policies which appear to work, but offer no real security benefit. In a <a href="https://research.google.com/pubs/pub45542.html">recent Internet-wide study</a> we analyzed over 1 billion domains and found that 95% of deployed CSP policies are ineffective as a protection against XSS. One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections. We believe it's important to improve this, and help the web ecosystem make full use of the potential of CSP.<br /> <br /> <b>Towards safer CSP policies</b><br /> To help developers craft policies which meaningfully protect their applications, today we’re releasing the <a href="https://csp-evaluator.withgoogle.com/">CSP Evaluator</a>, a tool to visualize the effect of setting a policy and detect subtle misconfigurations. CSP Evaluator is used by security engineers and developers at Google to make sure policies provide a meaningful security benefit and cannot be subverted by attackers.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkRJ3mQxc_iFMYeAMnSGHbZmqsSbuIwE9mg1V7TbVeiSgd3l4-rD48u7xOY9fKXlmNPe1TM3PCRzxLHS5I_aiHdYZ3EnE-QtwpFNifFoZR14Xs6uc1qQgEWsG1iXb8hDZ47nk_c8tZZYMI/s1600/pasted+image+0+%25288%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkRJ3mQxc_iFMYeAMnSGHbZmqsSbuIwE9mg1V7TbVeiSgd3l4-rD48u7xOY9fKXlmNPe1TM3PCRzxLHS5I_aiHdYZ3EnE-QtwpFNifFoZR14Xs6uc1qQgEWsG1iXb8hDZ47nk_c8tZZYMI/s640/pasted+image+0+%25288%2529.png" width="640" /></a></div> Even with such a helpful tool, building a safe script whitelist for a complex application is often all but impossible due to the number of popular domains with resources that allow CSP to be bypassed. Here’s where the idea of a nonce-based CSP policy comes in. Instead of whitelisting all allowed script locations, it’s often simpler to modify the application to prove that a script is trusted by the developer by giving it a nonce -- an unpredictable, single-use token which has to match a value set in the policy:<br /> <br /> <span style="font-family: "courier new" , "courier" , monospace;">Content-Security-Policy: script-src 'nonce-random123'</span><br /> <span style="font-family: "courier new" , "courier" , monospace;"><br /></span> <span style="font-family: "courier new" , "courier" , monospace;"><script nonce='random123'>alert('This script will run')</script></span><br /> <span style="font-family: "courier new" , "courier" , monospace;"><script>alert('Will not run: missing nonce')</script></span><br /> <span style="font-family: "courier new" , "courier" , monospace;"><script nonce='bad123'>alert("Won't run: invalid nonce")</script></span><br /> <span style="font-family: "courier new" , "courier" , monospace;"><br /></span> With '<a href="https://www.w3.org/TR/CSP3/#strict-dynamic-usage">strict-dynamic'</a>, a part of the upcoming CSP3 specification already <a href="https://www.chromestatus.com/feature/5633814718054400">supported</a> by Chrome and Opera (and coming soon to Firefox), adopting such policies in complex, modern applications becomes much easier. Developers can now set a single, short policy such as:<br /> <br /> <span style="font-family: "courier new" , "courier" , monospace;">script-src 'nonce-random123' 'strict-dynamic'; object-src 'none'</span><br /> <span style="font-family: "courier new" , "courier" , monospace;"><br /></span> and make sure that all static <span style="font-family: "courier new" , "courier" , monospace;"><script></span> elements contain a matching nonce attribute — in many cases this is all that’s needed to enjoy added protection against XSS since ‘strict-dynamic’ will take care of loading any trusted scripts added at runtime. This approach allows setting policies which are <a href="https://csp.withgoogle.com/docs/strict-csp.html#example">backwards-compatible</a> with all CSP-aware browsers, and <a href="https://csp.withgoogle.com/docs/faq.html#strict-dynamic-with-whitelists">plays well</a> with applications which already use a traditional CSP policy; it also simplifies the process of adopting CSP and doesn’t require changing the policy as the application evolves.<br /> <br /> <b>Adopting strict CSP</b><br /> In the past months we’ve deployed this approach in several large Google applications, including <a href="https://console.developers.google.com/">Cloud Console</a>, <a href="https://photos.google.com/">Photos</a>, <a href="https://myactivity.google.com/myactivity">History</a>, <a href="https://www.google.com/about/careers/jobs">Careers Search</a>, <a href="https://www.google.com/maps/timeline">Maps Timeline</a>, <a href="https://www.google.com/culturalinstitute/">Cultural Institute</a> and are working on many more. We believe this approach can also help other developers so today we’re publishing documentation discussing the <a href="https://csp.withgoogle.com/docs/strict-csp.html">best strategies for implementing CSP</a>, including an overview of the <a href="https://csp.withgoogle.com/docs/why-csp.html">benefits of CSP</a>, sample policies, and examples of common <a href="https://csp.withgoogle.com/docs/adopting-csp.html#code-changes">code changes</a>.<br /> <br /> Further, today we’re releasing <a href="https://chrome.google.com/webstore/detail/csp-mitigator/gijlobangojajlbodabkpjpheeeokhfa">CSP Mitigator</a>, a Chrome extension that helps developers review an application for compatibility with nonce-based CSP. The extension can be enabled for any URL prefix and will collect data about any programming patterns that need to be refactored to support CSP. This includes identifying scripts which do not have the correct nonce attribute, detecting inline event handlers, javascript: URIs, and several other more subtle patterns which might need attention.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKuluySG_8sc1T4dY9aNn8Lup3X3zvDMAZe5yPyp5wuX2UAEGmuuhuqf7gdywrp3Lh5J0B3Fi-PA6D_F1cQ8ul8UnVimZ47DbVFWHL9NvpWPX-9_rlSk-FE78ZalNgloBamJN0cAzFnzdo/s1600/pasted+image+0+%25289%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKuluySG_8sc1T4dY9aNn8Lup3X3zvDMAZe5yPyp5wuX2UAEGmuuhuqf7gdywrp3Lh5J0B3Fi-PA6D_F1cQ8ul8UnVimZ47DbVFWHL9NvpWPX-9_rlSk-FE78ZalNgloBamJN0cAzFnzdo/s640/pasted+image+0+%25289%2529.png" width="640" /></a></div> As with the CSP Evaluator, we use the extension with our applications to help speed up the process of adopting nonce-based CSP policies nonce-based policies across Google.<br /> <br /> <b>Encouraging broader use of strict CSP</b><br /> Finally, today we’re including CSP adoption efforts in the scope of the <a href="https://www.google.com/about/appsecurity/patch-rewards/">Patch Reward Program</a>; proactive work to help make popular open-source web frameworks compatible with nonce-based CSP can qualify for rewards (but please read the <a href="https://www.google.com/about/appsecurity/patch-rewards/#content">program rules</a> and <a href="https://csp.withgoogle.com/docs/faq.html#csp-patches">CSP refactoring tips</a> first). We hope that increased attention to this area will also encourage researchers to find new, creative ways to circumvent CSP restrictions, and help us further improve the mechanism so that we can better protect Internet users from web threats.<br /> <br /> To reach out to us, email more-csp@google.com. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Reshaping web defenses with strict Content Security Policy&url=https://security.googleblog.com/2016/09/reshaping-web-defenses-with-strict.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2016/09/reshaping-web-defenses-with-strict.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'>  </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2016/09/reshaping-web-defenses-with-strict.html' data-url='https://security.googleblog.com/2016/09/reshaping-web-defenses-with-strict.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2016/09/reshaping-web-defenses-with-strict.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='1409570212597124929' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2016/09/even-more-safe-browsing-on-android.html' itemprop='url' title='Even More Safe Browsing on Android!'> Even More Safe Browsing on Android! </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> September 15, 2016 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Stephan Somogyi, Safe Browsing Team & William Luh, Android Security Team</span><br /> During Google I/O in June, we <a href="https://www.youtube.com/watch?v=gwbmGvur5VE&t=29m16s">told everyone</a> that we were going to make a device-local Safe Browsing API available to all Android developers later in the year. That time has come!<br /> <br /> Starting with <a href="https://developers.google.com/android/guides/releases#august_1_-_v94">Google Play Services version 9.4</a>, all Android developers can use our privacy-preserving, and highly network as well as power-efficient on-device Safe Browsing infrastructure to protect all of their apps’ users. Even better, <a href="https://developer.android.com/training/safebrowsing/index.html">the API is simple and straightforward to use</a>.<br /> <br /> Since we introduced client-side Safe Browsing on Android, updated our <a href="https://developers.google.com/safe-browsing/">documentation for Safe Browsing Protocol Version 4</a> (pver4), and also released our <a href="https://github.com/google/safebrowsing/">reference pver4 implementation in Go</a>, we’ve been able to see how much protection this new technology provides to all our users. Since <a href="https://security.googleblog.com/2015/12/protecting-hundreds-of-millions-more.html">our initial launch</a> we’ve shown hundreds of millions of warnings, actively warning many millions of mobile users about badness before they’re exposed to it.<br /> <br /> We look forward to all Android developers extending this same protection to their users, too. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Stephan Somogyi, Safe Browsing Team & William Luh, Android Security Team</span><br /> During Google I/O in June, we <a href="https://www.youtube.com/watch?v=gwbmGvur5VE&t=29m16s">told everyone</a> that we were going to make a device-local Safe Browsing API available to all Android developers later in the year. That time has come!<br /> <br /> Starting with <a href="https://developers.google.com/android/guides/releases#august_1_-_v94">Google Play Services version 9.4</a>, all Android developers can use our privacy-preserving, and highly network as well as power-efficient on-device Safe Browsing infrastructure to protect all of their apps’ users. Even better, <a href="https://developer.android.com/training/safebrowsing/index.html">the API is simple and straightforward to use</a>.<br /> <br /> Since we introduced client-side Safe Browsing on Android, updated our <a href="https://developers.google.com/safe-browsing/">documentation for Safe Browsing Protocol Version 4</a> (pver4), and also released our <a href="https://github.com/google/safebrowsing/">reference pver4 implementation in Go</a>, we’ve been able to see how much protection this new technology provides to all our users. Since <a href="https://security.googleblog.com/2015/12/protecting-hundreds-of-millions-more.html">our initial launch</a> we’ve shown hundreds of millions of warnings, actively warning many millions of mobile users about badness before they’re exposed to it.<br /> <br /> We look forward to all Android developers extending this same protection to their users, too. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Even More Safe Browsing on Android!&url=https://security.googleblog.com/2016/09/even-more-safe-browsing-on-android.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2016/09/even-more-safe-browsing-on-android.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'>  </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2016/09/even-more-safe-browsing-on-android.html' data-url='https://security.googleblog.com/2016/09/even-more-safe-browsing-on-android.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2016/09/even-more-safe-browsing-on-android.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='2948041650503172649' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html' itemprop='url' title='Moving towards a more secure web'> Moving towards a more secure web </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> September 8, 2016 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Emily Schechter, Chrome Security Team</span><br /> <i>[Updated on 12/5/16 with instructions for developers]</i><br /> <b>Developers</b>: Read more about how to update your sites <a href="https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn">here</a>.<br /> <br /> To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.<br /> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdXHzKELA-WR0NGGEQqMFVh0U2LP2DDKzGQgRGE-1fCJlzVxFi2u2Uaa8OYu4PULQglVd1HxmIFayWyeuk6nY86AU4h_LDCbgEzy4XZvFYOLyCq10FoL2LjKciCWy1CdzimMd9Y3Wb4Fer/s1600/blog+image+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdXHzKELA-WR0NGGEQqMFVh0U2LP2DDKzGQgRGE-1fCJlzVxFi2u2Uaa8OYu4PULQglVd1HxmIFayWyeuk6nY86AU4h_LDCbgEzy4XZvFYOLyCq10FoL2LjKciCWy1CdzimMd9Y3Wb4Fer/s640/blog+image+1.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;">Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or <a href="http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/">modify</a> the site before it gets to you.</div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;">A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing. We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time we <a href="https://www.google.com/transparencyreport/https/grid/">released our HTTPS report</a> in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS.</div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;">Studies show that users <a href="https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-porter-felt.pdf">do not perceive</a> the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. <a href="https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure">Our plan</a> to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.</div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;">In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSJ6zN_npYFk9MGREnrX0dS97rCcslk2LEUWxFHPb7plEWMwuKAi3ycCkDuLAZc7Rj5sw8eZtiLeUtBb09E5PQbLHya95AltVJWOgB6JYMjg4NIYlc6YUTQAzB4nH6p3lfR2_j6D-iEkWF/s1600/blog+image+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSJ6zN_npYFk9MGREnrX0dS97rCcslk2LEUWxFHPb7plEWMwuKAi3ycCkDuLAZc7Rj5sw8eZtiLeUtBb09E5PQbLHya95AltVJWOgB6JYMjg4NIYlc6YUTQAzB4nH6p3lfR2_j6D-iEkWF/s1600/blog+image+2.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /> </div><div class="separator" style="clear: both; text-align: left;">We will publish updates to this plan as we approach future releases, but don’t wait to get started moving to HTTPS. HTTPS is <a href="https://www.youtube.com/watch?v=e6DUrH56g14">easier and cheaper than ever before</a>, and enables both the <a href="https://istlsfastyet.com/">best</a> <a href="https://www.httpvshttps.com/">performance</a> the web offers and <a href="https://developer.mozilla.org/en-US/docs/Web/API/Navigator/getUserMedia">powerful</a> <a href="http://www.html5rocks.com/en/tutorials/service-worker/introduction/">new</a> <a href="https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins">features</a> that are too sensitive for HTTP. Check out our <a href="https://developers.google.com/web/fundamentals/security/encrypt-in-transit/?hl=en">set-up guides</a> to get started.</div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Emily Schechter, Chrome Security Team</span><br /> <i>[Updated on 12/5/16 with instructions for developers]</i><br /> <b>Developers</b>: Read more about how to update your sites <a href="https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn">here</a>.<br /> <br /> To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Beginning in January 2017 (Chrome 56), we’ll mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.<br /> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdXHzKELA-WR0NGGEQqMFVh0U2LP2DDKzGQgRGE-1fCJlzVxFi2u2Uaa8OYu4PULQglVd1HxmIFayWyeuk6nY86AU4h_LDCbgEzy4XZvFYOLyCq10FoL2LjKciCWy1CdzimMd9Y3Wb4Fer/s1600/blog+image+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdXHzKELA-WR0NGGEQqMFVh0U2LP2DDKzGQgRGE-1fCJlzVxFi2u2Uaa8OYu4PULQglVd1HxmIFayWyeuk6nY86AU4h_LDCbgEzy4XZvFYOLyCq10FoL2LjKciCWy1CdzimMd9Y3Wb4Fer/s640/blog+image+1.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;">Chrome currently indicates HTTP connections with a neutral indicator. This doesn’t reflect the true lack of security for HTTP connections. When you load a website over HTTP, someone else on the network can look at or <a href="http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/">modify</a> the site before it gets to you.</div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;">A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing. We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time we <a href="https://www.google.com/transparencyreport/https/grid/">released our HTTPS report</a> in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS.</div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;">Studies show that users <a href="https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-porter-felt.pdf">do not perceive</a> the lack of a “secure” icon as a warning, but also that users become blind to warnings that occur too frequently. <a href="https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure">Our plan</a> to label HTTP sites more clearly and accurately as non-secure will take place in gradual steps, based on increasingly stringent criteria. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as "not secure," given their particularly sensitive nature.</div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;"><br /> </div><div class="separator" style="clear: both; text-align: left;">In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSJ6zN_npYFk9MGREnrX0dS97rCcslk2LEUWxFHPb7plEWMwuKAi3ycCkDuLAZc7Rj5sw8eZtiLeUtBb09E5PQbLHya95AltVJWOgB6JYMjg4NIYlc6YUTQAzB4nH6p3lfR2_j6D-iEkWF/s1600/blog+image+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSJ6zN_npYFk9MGREnrX0dS97rCcslk2LEUWxFHPb7plEWMwuKAi3ycCkDuLAZc7Rj5sw8eZtiLeUtBb09E5PQbLHya95AltVJWOgB6JYMjg4NIYlc6YUTQAzB4nH6p3lfR2_j6D-iEkWF/s1600/blog+image+2.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /> </div><div class="separator" style="clear: both; text-align: left;">We will publish updates to this plan as we approach future releases, but don’t wait to get started moving to HTTPS. HTTPS is <a href="https://www.youtube.com/watch?v=e6DUrH56g14">easier and cheaper than ever before</a>, and enables both the <a href="https://istlsfastyet.com/">best</a> <a href="https://www.httpvshttps.com/">performance</a> the web offers and <a href="https://developer.mozilla.org/en-US/docs/Web/API/Navigator/getUserMedia">powerful</a> <a href="http://www.html5rocks.com/en/tutorials/service-worker/introduction/">new</a> <a href="https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins">features</a> that are too sensitive for HTTP. Check out our <a href="https://developers.google.com/web/fundamentals/security/encrypt-in-transit/?hl=en">set-up guides</a> to get started.</div> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Moving towards a more secure web&url=https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'>  </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html' data-url='https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='8466127698804839680' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2016/09/keeping-android-safe-security.html' itemprop='url' title='Keeping Android safe: Security enhancements in Nougat'> Keeping Android safe: Security enhancements in Nougat </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> September 6, 2016 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Xiaowen Xin, Android Security Team</span><br /> <i>[Cross-posted from the <a href="https://android-developers.blogspot.com/2016/09/security-enhancements-in-nougat.html">Android Developers Blog</a>]</i><br /> <br /> Over the course of the summer, we previewed a variety of security enhancements in Android 7.0 Nougat: an increased focus on security with our <a href="https://android-developers.blogspot.com/2016/06/one-year-of-android-security-rewards.html">vulnerability rewards program</a>, a new <a href="https://android-developers.blogspot.com/2016/04/developing-for-direct-boot.html">Direct Boot mode</a>, re-architected mediaserver and <a href="https://android-developers.blogspot.com/2016/05/hardening-media-stack.html">hardened media stack</a>, apps that are protected from <a href="https://android-developers.blogspot.com/2016/04/protecting-against-unintentional.html">accidental regressions to cleartext traffic</a>, an update to the way Android handles <a href="https://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html">trusted certificate authorities</a>, strict enforcement of <a href="https://android-developers.blogspot.com/2016/07/strictly-enforced-verified-boot-with.html">verified boot</a> with error correction, and <a href="https://android-developers.blogspot.com/2016/07/protecting-android-with-more-linux.html">updates to the Linux kernel to reduce the attack surface and increase memory protection</a>. Phew!<br /> <br /> Now that Nougat has begun to roll out, we wanted to recap these updates in a single overview and highlight a few new improvements.<br /> <b>Direct Boot and encryption</b><br /> <b><br /></b> In previous versions of Android, users with encrypted devices would have to enter their PIN/pattern/password by default during the boot process to decrypt their storage area and finish booting. With Android 7.0 Nougat, we’ve updated the underlying encryption scheme and streamlined the boot process to speed up rebooting your phone. Now your phone’s main features, like the phone app and your alarm clock, are ready right away before you even type your PIN, so people can call you and your alarm clock can wake you up. We call this feature <a href="https://android-developers.blogspot.com/2016/04/developing-for-direct-boot.html">Direct Boot</a>.<br /> <br /> Under the hood, file-based encryption enables this improved user experience. With this new encryption scheme, the system storage area, as well as each user profile storage area, are all encrypted separately. Unlike with full-disk encryption, where all data was encrypted as a single unit, per-profile-based encryption enables the system to reboot normally into a functional state using just device keys. Essential apps can opt-in to run in a limited state after reboot, and when you enter your lock screen credential, these apps then get access your user data to provide full functionality.<br /> <br /> File-based encryption better isolates and protects individual users and profiles on a device by encrypting data at a finer granularity. Each profile is encrypted using a unique key that can only be unlocked by your PIN or password, so that your data can only be decrypted by you.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoxm8kt1KYhvqS2KQopirssbeUg-3GWbqR1FzWt3TuyS0sEh0G_cs3ZzfNafILLQVFHjZ3Kn34zLNzNXjApiynRXitMEIzf-4kaJUuuy09O6w0kesOx0yDezWXBR_nsdJlJfPyFe034kA6/s1600/image00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="381" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoxm8kt1KYhvqS2KQopirssbeUg-3GWbqR1FzWt3TuyS0sEh0G_cs3ZzfNafILLQVFHjZ3Kn34zLNzNXjApiynRXitMEIzf-4kaJUuuy09O6w0kesOx0yDezWXBR_nsdJlJfPyFe034kA6/s400/image00.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: left;"> Encryption support is getting stronger across the Android ecosystem as well. Starting with Marshmallow, all capable devices were required to support encryption. Many devices, like Nexus 5X and 6P also use unique keys that are accessible only with trusted hardware, such as the ARM TrustZone. Now with 7.0 Nougat, all new capable Android devices must also have this kind of hardware support for key storage and provide brute force protection while verifying your lock screen credential before these keys can be used. This way, all of your data can only be decrypted on that exact device and only by you.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> <b><br /></b></div> <div class="separator" style="clear: both; text-align: left;"> <b>The media stack and platform hardening</b></div> <div class="separator" style="clear: both; text-align: left;"> <b><br /></b></div> <div class="separator" style="clear: both; text-align: left;"> In Android Nougat, we’ve both hardened and <a href="https://android-developers.blogspot.com/2016/05/hardening-media-stack.html">re-architected</a> mediaserver, one of the main system services that processes untrusted input. First, by incorporating integer overflow sanitization, part of Clang’s <a href="http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html">UndefinedBehaviorSanitizer</a>, we prevent an entire class of vulnerabilities, which comprise the majority of reported libstagefright bugs. As soon as an integer overflow is detected, we shut down the process so an attack is stopped. Second, we’ve modularized the media stack to put different components into individual sandboxes and tightened the privileges of each sandbox to have the minimum privileges required to perform its job. With this containment technique, a compromise in many parts of the stack grants the attacker access to significantly fewer permissions and significantly reduced exposed kernel attack surface.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> In addition to hardening the mediaserver, we’ve added a large list of protections for the platform, including:</div> <div class="separator" style="clear: both; text-align: left;"> </div> <ul> <li>Verified Boot: Verified Boot is now strictly enforced to prevent compromised devices from booting; it supports <a href="https://android-developers.blogspot.com/2016/07/strictly-enforced-verified-boot-with.html">error correction</a> to improve reliability against non-malicious data corruption.</li> <li>SELinux: Updated SELinux configuration and increased Seccomp coverage further locks down the application sandbox and reduces attack surface. Library load order randomization and improved ASLR: Increased randomness makes some code-reuse attacks less reliable.</li> <li><a href="https://android-developers.blogspot.com/2016/07/protecting-android-with-more-linux.html">Kernel hardening</a>: Added additional memory protection for newer kernels by <a href="https://android-review.googlesource.com/#/q/status:merged+project:kernel/common+branch:android-3.18+topic:arm64-ronx">marking portions of kernel memory as read-only</a>, <a href="https://android-review.googlesource.com/#/q/status:merged+project:kernel/common+branch:android-4.1+topic:sw_PAN">restricting kernel access to userspace addresses</a>, and further reducing the existing attack surface.</li> <li><a href="https://developer.android.com/preview/api-overview.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog#apk_signature_v2">APK signature scheme v2</a>: Introduced a whole-file signature scheme that improves <a href="https://source.android.com/security/apksigning/v2.html#verification">verification speed</a> and strengthens integrity guarantees.</li> </ul> <div> <b>App security improvements</b></div> <div> <b><br /></b></div> <div> Android Nougat is the safest and easiest version of Android for application developers to use.</div> <div> <ul> <li>Apps that want to share data with other apps now must explicitly opt-in by offering their files through a <a href="https://developer.android.com/guide/topics/providers/content-providers.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog">Content Provider</a>, like <a href="https://developer.android.com/reference/android/support/v4/content/FileProvider.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog">FileProvider</a>. The application private directory (usually /data/data/) is now set to Linux permission 0700 for apps targeting API Level 24+.</li> <li>To make it easier for apps to control access to their secure network traffic, user-installed certificate authorities and those installed through Device Admin APIs are <a href="https://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html">no longer trusted by default</a> for apps targeting API Level 24+. Additionally, all new Android devices must ship with the <a href="https://source.android.com/security/overview/app-security.html#certificate-authorities">same trusted CA store</a>.</li> <li>With <a href="https://developer.android.com/preview/features/security-config.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog">Network Security Config</a>, developers can more easily configure network security policy through a declarative configuration file. This includes blocking cleartext traffic, configuring the set of trusted CAs and certificates, and setting up a separate debug configuration.</li> </ul> <div> We’ve also continued to refine app permissions and capabilities to protect you from potentially harmful apps.</div> </div> <div> <ul> <li>To improve device privacy, we have further restricted and removed access to persistent device identifiers such as MAC addresses.</li> <li>User interface overlays can no longer be displayed on top of permissions dialogs. This “clickjacking” technique was used by some apps to attempt to gain permissions improperly.</li> <li>We’ve reduced the power of device admin applications so they can no longer change your lockscreen if you have a lockscreen set, and device admin will no longer be notified of impending disable via <a href="https://developer.android.com/reference/android/app/admin/DeviceAdminReceiver.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog#onDisableRequested(android.content.Context,%20android.content.Intent)">onDisableRequested()</a>. These were tactics used by some ransomware to gain control of a device.</li> </ul> <div> <b>System Updates</b></div> </div> <div> <br /></div> <div> Lastly, we've made significant enhancements to the OTA update system to keep your device up-to-date much more easily with the latest system software and security patches. We've made the install time for OTAs faster, and the OTA size smaller for security updates. You no longer have to wait for the optimizing apps step, which was one of the slowest parts of the update process, because the new JIT compiler has been <a href="https://developer.android.com/about/versions/nougat/android-7.0.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog#doze_on_the_go">optimized</a> to make installs and updates lightning fast.</div> <div> <br /></div> <div> The update experience is even faster for new Android devices running Nougat with updated firmware. Like they do with Chromebooks, updates are applied in the background while the device continues to run normally. These updates are applied to a different system partition, and when you reboot, it will seamlessly switch to that new partition running the new system software version.</div> <div> <br /></div> <div> We’re constantly working to improve Android security and Android Nougat brings significant security improvements across all fronts. As always, we appreciate feedback on our work and welcome suggestions for how we can improve Android. Contact us at <a href="mailto:security@android.com">security@android.com</a>.</div> <br /> <br /> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Xiaowen Xin, Android Security Team</span><br /> <i>[Cross-posted from the <a href="https://android-developers.blogspot.com/2016/09/security-enhancements-in-nougat.html">Android Developers Blog</a>]</i><br /> <br /> Over the course of the summer, we previewed a variety of security enhancements in Android 7.0 Nougat: an increased focus on security with our <a href="https://android-developers.blogspot.com/2016/06/one-year-of-android-security-rewards.html">vulnerability rewards program</a>, a new <a href="https://android-developers.blogspot.com/2016/04/developing-for-direct-boot.html">Direct Boot mode</a>, re-architected mediaserver and <a href="https://android-developers.blogspot.com/2016/05/hardening-media-stack.html">hardened media stack</a>, apps that are protected from <a href="https://android-developers.blogspot.com/2016/04/protecting-against-unintentional.html">accidental regressions to cleartext traffic</a>, an update to the way Android handles <a href="https://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html">trusted certificate authorities</a>, strict enforcement of <a href="https://android-developers.blogspot.com/2016/07/strictly-enforced-verified-boot-with.html">verified boot</a> with error correction, and <a href="https://android-developers.blogspot.com/2016/07/protecting-android-with-more-linux.html">updates to the Linux kernel to reduce the attack surface and increase memory protection</a>. Phew!<br /> <br /> Now that Nougat has begun to roll out, we wanted to recap these updates in a single overview and highlight a few new improvements.<br /> <b>Direct Boot and encryption</b><br /> <b><br /></b> In previous versions of Android, users with encrypted devices would have to enter their PIN/pattern/password by default during the boot process to decrypt their storage area and finish booting. With Android 7.0 Nougat, we’ve updated the underlying encryption scheme and streamlined the boot process to speed up rebooting your phone. Now your phone’s main features, like the phone app and your alarm clock, are ready right away before you even type your PIN, so people can call you and your alarm clock can wake you up. We call this feature <a href="https://android-developers.blogspot.com/2016/04/developing-for-direct-boot.html">Direct Boot</a>.<br /> <br /> Under the hood, file-based encryption enables this improved user experience. With this new encryption scheme, the system storage area, as well as each user profile storage area, are all encrypted separately. Unlike with full-disk encryption, where all data was encrypted as a single unit, per-profile-based encryption enables the system to reboot normally into a functional state using just device keys. Essential apps can opt-in to run in a limited state after reboot, and when you enter your lock screen credential, these apps then get access your user data to provide full functionality.<br /> <br /> File-based encryption better isolates and protects individual users and profiles on a device by encrypting data at a finer granularity. Each profile is encrypted using a unique key that can only be unlocked by your PIN or password, so that your data can only be decrypted by you.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoxm8kt1KYhvqS2KQopirssbeUg-3GWbqR1FzWt3TuyS0sEh0G_cs3ZzfNafILLQVFHjZ3Kn34zLNzNXjApiynRXitMEIzf-4kaJUuuy09O6w0kesOx0yDezWXBR_nsdJlJfPyFe034kA6/s1600/image00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="381" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoxm8kt1KYhvqS2KQopirssbeUg-3GWbqR1FzWt3TuyS0sEh0G_cs3ZzfNafILLQVFHjZ3Kn34zLNzNXjApiynRXitMEIzf-4kaJUuuy09O6w0kesOx0yDezWXBR_nsdJlJfPyFe034kA6/s400/image00.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: left;"> Encryption support is getting stronger across the Android ecosystem as well. Starting with Marshmallow, all capable devices were required to support encryption. Many devices, like Nexus 5X and 6P also use unique keys that are accessible only with trusted hardware, such as the ARM TrustZone. Now with 7.0 Nougat, all new capable Android devices must also have this kind of hardware support for key storage and provide brute force protection while verifying your lock screen credential before these keys can be used. This way, all of your data can only be decrypted on that exact device and only by you.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> <b><br /></b></div> <div class="separator" style="clear: both; text-align: left;"> <b>The media stack and platform hardening</b></div> <div class="separator" style="clear: both; text-align: left;"> <b><br /></b></div> <div class="separator" style="clear: both; text-align: left;"> In Android Nougat, we’ve both hardened and <a href="https://android-developers.blogspot.com/2016/05/hardening-media-stack.html">re-architected</a> mediaserver, one of the main system services that processes untrusted input. First, by incorporating integer overflow sanitization, part of Clang’s <a href="http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html">UndefinedBehaviorSanitizer</a>, we prevent an entire class of vulnerabilities, which comprise the majority of reported libstagefright bugs. As soon as an integer overflow is detected, we shut down the process so an attack is stopped. Second, we’ve modularized the media stack to put different components into individual sandboxes and tightened the privileges of each sandbox to have the minimum privileges required to perform its job. With this containment technique, a compromise in many parts of the stack grants the attacker access to significantly fewer permissions and significantly reduced exposed kernel attack surface.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> In addition to hardening the mediaserver, we’ve added a large list of protections for the platform, including:</div> <div class="separator" style="clear: both; text-align: left;"> </div> <ul> <li>Verified Boot: Verified Boot is now strictly enforced to prevent compromised devices from booting; it supports <a href="https://android-developers.blogspot.com/2016/07/strictly-enforced-verified-boot-with.html">error correction</a> to improve reliability against non-malicious data corruption.</li> <li>SELinux: Updated SELinux configuration and increased Seccomp coverage further locks down the application sandbox and reduces attack surface. Library load order randomization and improved ASLR: Increased randomness makes some code-reuse attacks less reliable.</li> <li><a href="https://android-developers.blogspot.com/2016/07/protecting-android-with-more-linux.html">Kernel hardening</a>: Added additional memory protection for newer kernels by <a href="https://android-review.googlesource.com/#/q/status:merged+project:kernel/common+branch:android-3.18+topic:arm64-ronx">marking portions of kernel memory as read-only</a>, <a href="https://android-review.googlesource.com/#/q/status:merged+project:kernel/common+branch:android-4.1+topic:sw_PAN">restricting kernel access to userspace addresses</a>, and further reducing the existing attack surface.</li> <li><a href="https://developer.android.com/preview/api-overview.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog#apk_signature_v2">APK signature scheme v2</a>: Introduced a whole-file signature scheme that improves <a href="https://source.android.com/security/apksigning/v2.html#verification">verification speed</a> and strengthens integrity guarantees.</li> </ul> <div> <b>App security improvements</b></div> <div> <b><br /></b></div> <div> Android Nougat is the safest and easiest version of Android for application developers to use.</div> <div> <ul> <li>Apps that want to share data with other apps now must explicitly opt-in by offering their files through a <a href="https://developer.android.com/guide/topics/providers/content-providers.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog">Content Provider</a>, like <a href="https://developer.android.com/reference/android/support/v4/content/FileProvider.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog">FileProvider</a>. The application private directory (usually /data/data/) is now set to Linux permission 0700 for apps targeting API Level 24+.</li> <li>To make it easier for apps to control access to their secure network traffic, user-installed certificate authorities and those installed through Device Admin APIs are <a href="https://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html">no longer trusted by default</a> for apps targeting API Level 24+. Additionally, all new Android devices must ship with the <a href="https://source.android.com/security/overview/app-security.html#certificate-authorities">same trusted CA store</a>.</li> <li>With <a href="https://developer.android.com/preview/features/security-config.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog">Network Security Config</a>, developers can more easily configure network security policy through a declarative configuration file. This includes blocking cleartext traffic, configuring the set of trusted CAs and certificates, and setting up a separate debug configuration.</li> </ul> <div> We’ve also continued to refine app permissions and capabilities to protect you from potentially harmful apps.</div> </div> <div> <ul> <li>To improve device privacy, we have further restricted and removed access to persistent device identifiers such as MAC addresses.</li> <li>User interface overlays can no longer be displayed on top of permissions dialogs. This “clickjacking” technique was used by some apps to attempt to gain permissions improperly.</li> <li>We’ve reduced the power of device admin applications so they can no longer change your lockscreen if you have a lockscreen set, and device admin will no longer be notified of impending disable via <a href="https://developer.android.com/reference/android/app/admin/DeviceAdminReceiver.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog#onDisableRequested(android.content.Context,%20android.content.Intent)">onDisableRequested()</a>. These were tactics used by some ransomware to gain control of a device.</li> </ul> <div> <b>System Updates</b></div> </div> <div> <br /></div> <div> Lastly, we've made significant enhancements to the OTA update system to keep your device up-to-date much more easily with the latest system software and security patches. We've made the install time for OTAs faster, and the OTA size smaller for security updates. You no longer have to wait for the optimizing apps step, which was one of the slowest parts of the update process, because the new JIT compiler has been <a href="https://developer.android.com/about/versions/nougat/android-7.0.html?utm_campaign=android_discussion_security_090616&utm_source=anddev&utm_medium=blog#doze_on_the_go">optimized</a> to make installs and updates lightning fast.</div> <div> <br /></div> <div> The update experience is even faster for new Android devices running Nougat with updated firmware. Like they do with Chromebooks, updates are applied in the background while the device continues to run normally. These updates are applied to a different system partition, and when you reboot, it will seamlessly switch to that new partition running the new system software version.</div> <div> <br /></div> <div> We’re constantly working to improve Android security and Android Nougat brings significant security improvements across all fronts. As always, we appreciate feedback on our work and welcome suggestions for how we can improve Android. Contact us at <a href="mailto:security@android.com">security@android.com</a>.</div> <br /> <br /> <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:Keeping Android safe: Security enhancements in Nougat&url=https://security.googleblog.com/2016/09/keeping-android-safe-security.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2016/09/keeping-android-safe-security.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'>  </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2016/09/keeping-android-safe-security.html' data-url='https://security.googleblog.com/2016/09/keeping-android-safe-security.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2016/09/keeping-android-safe-security.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='post' data-id='661133319731957702' itemscope='' itemtype='http://schema.org/BlogPosting'> <h2 class='title' itemprop='name'> <a href='https://security.googleblog.com/2016/09/more-safe-browsing-help-for-webmasters.html' itemprop='url' title='More Safe Browsing Help for Webmasters'> More Safe Browsing Help for Webmasters </a> </h2> <div class='post-header'> <div class='published'> <span class='publishdate' itemprop='datePublished'> September 6, 2016 </span> </div> </div> <div class='post-body'> <div class='post-content' itemprop='articleBody'> <script type='text/template'> <span class="byline-author">Posted by Kelly Hope Harrington, Safe Browsing Team</span><br /> For more than <a href="https://webmasters.googleblog.com/2007/08/malware-reviews-via-webmaster-tools.html">nine years</a>, Safe Browsing has helped webmasters via Search Console with information about how to fix security issues with their sites. This includes relevant Help Center articles, example URLs to assist in diagnosing the presence of harmful content, and a process for webmasters to request reviews of their site after security issues are addressed. Over time, Safe Browsing has expanded its protection to cover additional threats to user safety such as <a href="https://security.googleblog.com/2015/11/safe-browsing-protection-from-even-more.html">Deceptive Sites</a> and <a href="https://security.googleblog.com/2015/02/more-protection-from-unwanted-software.html">Unwanted Software</a>.<br /> <br /> To help webmasters be even more successful in resolving issues, we’re happy to announce that we’ve updated the information available in Search Console in the Security Issues report.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1BYDukWyKV1P7eavUNahaTWDkd4K_2iWVBwL7QBaemHA2zRp1gbA9yts_Pek9WtOaAGXE7y1SCAhBhWU6JScejFMD-aFj3rMxUtpX7WS_EaBO2vadIiBt78FXXCY0AQRKEgN3NYNzTzju/s1600/Screen+Shot+2016-08-26+at+1.04.29+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1BYDukWyKV1P7eavUNahaTWDkd4K_2iWVBwL7QBaemHA2zRp1gbA9yts_Pek9WtOaAGXE7y1SCAhBhWU6JScejFMD-aFj3rMxUtpX7WS_EaBO2vadIiBt78FXXCY0AQRKEgN3NYNzTzju/s640/Screen+Shot+2016-08-26+at+1.04.29+PM.png" width="640" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> The updated information provides more specific explanations of six different security issues detected by Safe Browsing, including <a href="https://developers.google.com/webmasters/hacked/">malware</a>, <a href="https://support.google.com/webmasters/answer/6350487">deceptive pages</a>, <a href="https://support.google.com/webmasters/answer/3258249">harmful downloads</a>, and <a href="https://support.google.com/webmasters/answer/3258249#if_uncommon">uncommon downloads</a>. These explanations give webmasters more context and detail about what Safe Browsing found. We also offer tailored recommendations for each type of issue, including sample URLs that webmasters can check to identify the source of the issue, as well as specific remediation actions webmasters can take to resolve the issue.<br /> <br /> We on the Safe Browsing team definitely recommend <a href="https://support.google.com/webmasters/topic/4564315">registering</a> your site in Search Console even if it is not currently experiencing a security issue. We send notifications through Search Console so webmasters can address any issues that appear <a href="http://research.google.com/pubs/pub44924.html">as quickly as possible</a>.<br /> <br /> Our goal is to help webmasters provide a safe and secure browsing experience for their users. We welcome any questions or feedback about the new features on the <a href="https://support.google.com/webmasters/go/community">Google Webmaster Help Forum</a>, where <a href="https://topcontributor.withgoogle.com/">Top Contributors</a> and Google employees are available to help.<br /> <br /> For more information about Safe Browsing’s ongoing work to shine light on the state of web security and encourage safer web security practices, check out our summary of trends and findings on the <a href="https://www.google.com/transparencyreport/safebrowsing/">Safe Browsing Transparency Report</a>. If you’re interested in the tools Google provides for webmasters and developers dealing with hacked sites, this <a href="https://www.youtube.com/watch?v=mbJvL61DOZg">video</a> provides a great overview. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </script> <noscript> <span class="byline-author">Posted by Kelly Hope Harrington, Safe Browsing Team</span><br /> For more than <a href="https://webmasters.googleblog.com/2007/08/malware-reviews-via-webmaster-tools.html">nine years</a>, Safe Browsing has helped webmasters via Search Console with information about how to fix security issues with their sites. This includes relevant Help Center articles, example URLs to assist in diagnosing the presence of harmful content, and a process for webmasters to request reviews of their site after security issues are addressed. Over time, Safe Browsing has expanded its protection to cover additional threats to user safety such as <a href="https://security.googleblog.com/2015/11/safe-browsing-protection-from-even-more.html">Deceptive Sites</a> and <a href="https://security.googleblog.com/2015/02/more-protection-from-unwanted-software.html">Unwanted Software</a>.<br /> <br /> To help webmasters be even more successful in resolving issues, we’re happy to announce that we’ve updated the information available in Search Console in the Security Issues report.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1BYDukWyKV1P7eavUNahaTWDkd4K_2iWVBwL7QBaemHA2zRp1gbA9yts_Pek9WtOaAGXE7y1SCAhBhWU6JScejFMD-aFj3rMxUtpX7WS_EaBO2vadIiBt78FXXCY0AQRKEgN3NYNzTzju/s1600/Screen+Shot+2016-08-26+at+1.04.29+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1BYDukWyKV1P7eavUNahaTWDkd4K_2iWVBwL7QBaemHA2zRp1gbA9yts_Pek9WtOaAGXE7y1SCAhBhWU6JScejFMD-aFj3rMxUtpX7WS_EaBO2vadIiBt78FXXCY0AQRKEgN3NYNzTzju/s640/Screen+Shot+2016-08-26+at+1.04.29+PM.png" width="640" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> The updated information provides more specific explanations of six different security issues detected by Safe Browsing, including <a href="https://developers.google.com/webmasters/hacked/">malware</a>, <a href="https://support.google.com/webmasters/answer/6350487">deceptive pages</a>, <a href="https://support.google.com/webmasters/answer/3258249">harmful downloads</a>, and <a href="https://support.google.com/webmasters/answer/3258249#if_uncommon">uncommon downloads</a>. These explanations give webmasters more context and detail about what Safe Browsing found. We also offer tailored recommendations for each type of issue, including sample URLs that webmasters can check to identify the source of the issue, as well as specific remediation actions webmasters can take to resolve the issue.<br /> <br /> We on the Safe Browsing team definitely recommend <a href="https://support.google.com/webmasters/topic/4564315">registering</a> your site in Search Console even if it is not currently experiencing a security issue. We send notifications through Search Console so webmasters can address any issues that appear <a href="http://research.google.com/pubs/pub44924.html">as quickly as possible</a>.<br /> <br /> Our goal is to help webmasters provide a safe and secure browsing experience for their users. We welcome any questions or feedback about the new features on the <a href="https://support.google.com/webmasters/go/community">Google Webmaster Help Forum</a>, where <a href="https://topcontributor.withgoogle.com/">Top Contributors</a> and Google employees are available to help.<br /> <br /> For more information about Safe Browsing’s ongoing work to shine light on the state of web security and encourage safer web security practices, check out our summary of trends and findings on the <a href="https://www.google.com/transparencyreport/safebrowsing/">Safe Browsing Transparency Report</a>. If you’re interested in the tools Google provides for webmasters and developers dealing with hacked sites, this <a href="https://www.youtube.com/watch?v=mbJvL61DOZg">video</a> provides a great overview. <span itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <meta content='https://plus.google.com/116899029375914044550' itemprop='url'/> </span> </noscript> </div> </div> <div class='share'> <span class='twitter-custom social-wrapper' data-href='http://twitter.com/share?text=Google Online Security Blog:More Safe Browsing Help for Webmasters&url=https://security.googleblog.com/2016/09/more-safe-browsing-help-for-webmasters.html&via=google'> <img alt='Share on Twitter' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_twitter_black_24dp.png' width='24'/> </span> <span class='fb-custom social-wrapper' data-href='https://www.facebook.com/sharer.php?u=https://security.googleblog.com/2016/09/more-safe-browsing-help-for-webmasters.html'> <img alt='Share on Facebook' height='24' src='https://www.gstatic.com/images/icons/material/system/2x/post_facebook_black_24dp.png' width='24'/> </span> </div> <div class='comment-container'> <i class='comment-img material-icons'>  </i> <span class='cmt_count_iframe_holder' data-count='0' data-onclick='javascript:window.open(this.href, "bloggerPopup", "toolbar=0,location=0,statusbar=1,menubar=0,scrollbars=yes,width=640,height=500"); return false;' data-post-url='https://security.googleblog.com/2016/09/more-safe-browsing-help-for-webmasters.html' data-url='https://security.googleblog.com/2016/09/more-safe-browsing-help-for-webmasters.html' style='color: #4184F3;'></span> </div> <div class='post-footer'> <div class='cmt_iframe_holder' data-href='https://security.googleblog.com/2016/09/more-safe-browsing-help-for-webmasters.html' data-viewtype='FILTERED_POSTMOD'></div> <a href='https://plus.google.com/112374322230920073195' rel='author' style='display:none;'> Google </a> <div class='label-footer'> </div> </div> </div> <div class='blog-pager' id='blog-pager'> <a class='home-link' href='https://security.googleblog.com/'> <i class='material-icons'>  </i> </a> <span id='blog-pager-newer-link'> <a class='blog-pager-newer-link' href='https://security.googleblog.com/search?updated-max=2017-01-12T13:03:00-05:00&max-results=10&reverse-paginate=true' id='Blog1_blog-pager-newer-link' title='Newer Posts'> <i class='material-icons'>  </i> </a> </span> <span id='blog-pager-older-link'> <a class='blog-pager-older-link' href='https://security.googleblog.com/search?updated-max=2016-09-06T16:02:00-04:00&max-results=10' id='Blog1_blog-pager-older-link' title='Older Posts'> <i class='material-icons'>  </i> </a> </span> </div> <div class='clear'></div> </div></div> </div> </div> <div class='col-right'> <div class='section' id='sidebar-top'><div class='widget HTML' data-version='1' id='HTML8'> <div class='widget-content'> <div class='searchBox'> <input type='text' title='Search This Blog' placeholder='Search blog ...' /> </div> </div> <div class='clear'></div> </div></div> <div id='aside'> <div class='section' id='sidebar'><div class='widget Label' data-version='1' id='Label1'> <div class='tab'> <img class='sidebar-icon' src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAYpJREFUeNrs2aFuwzAQBmAvKRkMKRjZA4QMDJaWFgyMjuzFRg37DIUlA3uFkoGQSaWzJU+tpri5O9+l/zSfdFJlpe59yTmyVedq1PjfcZMZ70NuQnaF8w8htyE/rABtpviXkLcK88c5HhLkMBfgVan43zfFBNGMjHVGT/s55KP2pAvidbGHd+nzKt1RKSLG3rKF1iPFv6UWiPke8i7kEqGdGsI1O+LYVdqJAjgirwkKYD0ytkJBUNbAMvX8V3q9PhUsYvU1sWD8SO/sQvx2ahxOiNoJCSBCoAHYCEQAC4EKICOQASQEOmAS8RcAFxFN5hiIiugpgC3wk9hQAHH/70EBHXUN7IER5EWMiBgo2+nzOKQv9SCAeEM/OQAkhE/ncccFICB87qzQMia5FsJfOui0zMnmRvipU1ormHQuxGTxUsAcCFLxJQBLBLn4UoAFglW8BkATwS5eC6CBEBWvCShBiIvXBkgQRcVbADiI4uKtABSESvGWgB9EzHt3+tNwyO0qa9SoIYtvAQYAqDJhaWWeMecAAAAASUVORK5CYII='/> <h2> Labels </h2> <i class='material-icons arrow'>  </i> </div> <div class='widget-content list-label-widget-content'> <ul> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/%23sharethemicincyber'> #sharethemicincyber </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/%23supplychain%20%23security%20%23opensource'> #supplychain #security #opensource </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/android'> android </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/android%20security'> android security </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/android%20tr'> android tr </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/app%20security'> app security </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/big%20data'> big data </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/biometrics'> biometrics </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/blackhat'> blackhat </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/C%2B%2B'> C++ </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/chrome'> chrome </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/chrome%20enterprise'> chrome enterprise </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/chrome%20security'> chrome security </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/connected%20devices'> connected devices </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/CTF'> CTF </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/diversity'> diversity </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/encryption'> encryption </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/federated%20learning'> federated learning </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/fuzzing'> fuzzing </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/Gboard'> Gboard </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/google%20play'> google play </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/google%20play%20protect'> google play protect </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/hacking'> hacking </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/interoperability'> interoperability </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/iot%20security'> iot security </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/kubernetes'> kubernetes </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/linux%20kernel'> linux kernel </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/memory%20safety'> memory safety </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/Open%20Source'> Open Source </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/pha%20family%20highlights'> pha family highlights </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/pixel'> pixel </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/privacy'> privacy </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/private%20compute%20core'> private compute core </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/Rowhammer'> Rowhammer </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/rust'> rust </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/Security'> Security </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/security%20rewards%20program'> security rewards program </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/sigstore'> sigstore </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/spyware'> spyware </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/supply%20chain'> supply chain </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/targeted%20spyware'> targeted spyware </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/tensor'> tensor </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/Titan%20M2'> Titan M2 </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/VDP'> VDP </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/vulnerabilities'> vulnerabilities </a> </li> <li> <a dir='ltr' href='https://security.googleblog.com/search/label/workshop'> workshop </a> </li> </ul> <div class='clear'></div> </div> </div><div class='widget BlogArchive' data-version='1' id='BlogArchive1'> <div class='tab'> <i class='material-icons icon'>  </i> <h2> Archive </h2> <i class='material-icons arrow'>  </i> </div> <div class='widget-content'> <div id='ArchiveList'> <div id='BlogArchive1_ArchiveList'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2024/'> 2024 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2024/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2023/'> 2023 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2023/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2022/'> 2022 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2022/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2021/'> 2021 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2021/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2020/'> 2020 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2020/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2019/'> 2019 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2019/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2018/'> 2018 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2018/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2017/'> 2017 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2017/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy toggle-open'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2016/'> 2016 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2016/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2015/'> 2015 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2015/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2014/'> 2014 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2014/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2013/'> 2013 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2013/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2012/'> 2012 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2012/01/'> Jan </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2011/'> 2011 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2011/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2010/'> 2010 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/04/'> Apr </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2010/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2009/'> 2009 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2009/03/'> Mar </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2008/'> 2008 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/12/'> Dec </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/08/'> Aug </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/05/'> May </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2008/02/'> Feb </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class='intervalToggle'> <span class='new-toggle' href='javascript:void(0)'> <i class='material-icons arrow'>  </i> </span> <a class='toggle' href='javascript:void(0)' style='display: none'> <span class='zippy'> <i class='material-icons'>  </i>   </span> </a> <a class='post-count-link' href='https://security.googleblog.com/2007/'> 2007 </a> </div> <div class='items'> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/11/'> Nov </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/10/'> Oct </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/09/'> Sep </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/07/'> Jul </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/06/'> Jun </a> </div> <div class='items'> </div> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <div class=''> <a class='post-count-link' href='https://security.googleblog.com/2007/05/'> May </a> </div> <div class='items'> </div> </li> </ul> </div> </li> </ul> </div> </div> <div class='clear'></div> </div> </div><div class='widget HTML' data-version='1' id='HTML6'> <div class='widget-content'> <a href="https://googleonlinesecurity.blogspot.com/atom.xml"> <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAihJREFUeNrsWa9Pw0AU7viRMDFRBAkzJDMIBIhJJhCzk7NILIqMv4AEhdz+BCY3OYssAlGBoAJREpZwAlHEBO8lr8nSvNeVbu1dyX3JlzTrXfa+u/e9d7c5joWFhYVO1Fa8PwH2gK6m+BRwAvSlAdsrgr8E1jUuMH73GTAEzrkBWymTewZlihhLmgDXIAFuHgGVQOUF7OSYM1p6PgTuA1vAZlUEvAnPdapcMY0VICECekQ0XRfYrqoHsAGNgXfAoMomRiFDEhOZkkL3S88hMaB2LwXp0bj+ps2edpToZpjfoIDQtBeU+xjoDzP2G/gCPKZ5f8WsCAFJoJgOCcFdWSTeL9YQMSvTA1h9BkI5jaiXhLpSCL/8mVZY0UpyJ9ZdOkniu1dmJ96BpzQu9w6s28gcOq9j6pwLdR8/36NK5CQKwJSMrb2MhhSglBpt4UjsrdsnNu0B3J0HCozbCc4TjyY2srEgos/4RQljCzNxl4ireQD8FOq+T+W0mTB2g7njhlR+Sy2jsXFvU658U8YTbeaGpdIu7mWkEAq5ZtIjIhFZdtfX7QHckSvB2B6zC3VdAkZk0kAQwaXTk/CzTXK3wjIExCs6ZJpTnE4uY1KV+KzFzA3KTiFPENHJkOPcsfpLhwe4btoSuvUqAR+6TOxlCE6ZfKUsJLgsqGW8OpqAGx2X+sLxrwUog+JUeQRMDBIwyXOcnlPtPnL0/UsT/8LnOxYWFhZG4leAAQAAQHEaYuzHbAAAAABJRU5ErkJggg==" class="sidebar-icon" /> <h2>Feed</h2> </a> </div> <div class='clear'></div> </div></div> <div class='section' id='sidebar-bottom'><div class='widget HTML' data-version='1' id='HTML5'> <div class='widget-content'> <div class='followgooglewrapper'> <script src="https://apis.google.com/js/plusone.js"></script> <div class="g-ytsubscribe" data-channel="Google" data-layout="full"></div> </div> <div class="share followgooglewrapper"> <button data-href="https://twitter.com/intent/follow?original_referer=http://googleonlinesecurity.blogspot.in/&screen_name=google" onclick='sharingPopup(this);' id='twitter-share'><span class="twitter-follow">Follow @google</span></button> <script> function sharingPopup (button) { var url = button.getAttribute("data-href"); window.open( url,'popUpWindow','height=500,width=500,left=10,top=10,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes'); } </script> </div> <div class="fb-follow-button"> <a href="https://www.facebook.com/google" target="_blank"><img class="fb-follow" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmruMUNSjAUsU-iCQjxgiqufl2u1wHJfiVTn3wuiIZAK1VUSRsexREPAOLV0N4-4VVtaYbZL18UsVh5CUlUJWH5UurFiQKMkHlNnj3YYw-2UiYtbNbvBE7VsAhdtw9rwNuOc-riC1exNkp/s1600/facebook-logo.png" />Follow</a> </div> </div> <div class='clear'></div> </div><div class='widget HTML' data-version='1' id='HTML1'> <div class='widget-content'> Give us feedback in our <a href="https://support.google.com/bin/static.py?hl=en&page=portal_groups.cs">Product Forums</a>. </div> <div class='clear'></div> </div></div> </div> </div> <div style='clear:both;'></div> </div>  <div class='google-footer-outer loading'> <div id='google-footer'> <a href='//www.google.com/'> <img class='google-logo-dark' height='36' src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAALgAAABICAYAAABFoT/eAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAACLVJREFUeNrsXd+L20YQ3vOprdLqiMXFXE2qB7dcwEcTSB7ykIc+9A/PQx/yEMq1TWhNuYIpJriNr7XpmZ5IxFEvmW2EKs3Ornb1w50PxIFP0kiz387OzM6uhGAwGAxGP3Ho+f7x7ri1O7LdccPqZjSNA4dEHsLfaHcEFedJom93x9Xu2OyOFTcBo6sED3fHZHeMEELrkAHJF0B8Rr+gDFsZ5n0luLTQ95AXs4W06D/tjpR50xtM4CjD0y48YGB4rnyZxNOzyA7zBHr+nLnDaJLg0mo/ALekCasg3Z4XbM0ZdTEgnDPeHY8bIne+Qz2GvwyGNwsuyT218KWvIIBMcwGpLiipcolecjMxfBDchNyS1EvxLiOSIecp31q6IJ/C3yrIrMqMm4jhg+AxkdwbIO3aUO4KjqqMjCT3uaazMBhWBJfuxH3CtRfiXf66DhSRZWbmlMnNaILgZxrXJQO/eO3wORZwvwm4JUxuhheCjzVBYAbW1ces45YDSoZrFNOEE835M8FT6oyeEnws8Fz3QnBxFKPHBMem4GU+m6fPGb0leCTwWcM5B36MPgeZI01gudyDdw3hPeXfo8L/rmCUWnuMMdqUL2WqWeRbhf+twfVsO7YagZGNC79fw7OthEVtkiJ4jJzTd3KPwf3CRqhhiTu23AP5sl0/0xiwISQXpNwLIJK87mHF+U8ddzzdmgKlGzlPYjyxGJQouIhNT4k9AqWEFkqfguIvagTWbcq3KW1WE3xS3m8NtA9WS451xofwjKT5kkDoK/b6mDk5FfXr1lWDL4BofZEv2/SRsK/EHGlGdBdu8QNRb8HMCFwt7Yy3DDI/QP7fx5z3VLhdlJEIs4rKNuXXJXdxZPdB7kfCzWqwCO4V1LHgLjInX3tQ1KzCR52Cz+vDj1dydeRuS74rcvs2Pi6fT5H8OaaUQPQPYcWwRSGXyhhscn5dpAnEFMkuEZetbfkTAnlSuH4DxisE+aMGeJAQ3lFl7C4LJE6QWCaCd583ORQ1jYAwjFctal7nOs2ZZvicwvlZx+RHGrcoAwKUVX8uwcc/9TT65INeDOr5shL9LDRB6QTeIy3zwfdh3WOi6axLCEhSjXU7F3h6LqggUtvyJxpynwu8tDkD98fXApOxRj8zoZ9MnGveYVIVZKaGrkBXCY65BCYNN9NkjpKOyQ81Q79JgdxS+Jn3SDTEXRI7SWzaiSTB32oI3nU3BvMfM0urhOVYgwKhuiAfc4tM07wXwm1ZRoQYSl2NUwiu01fEAHVcpixd745FvVz4dzUUc0o8rwoLy8ZSwU6CyFx1RP5II9+1bFPEFs9HWbNLiimDXE+vCm7u1CS47cofzD3aEhVY57mxRo5zlqdt+RFC1JUH2S7bcVXg4liTMakaBZZVxiTICRoivcn1sEUBlk24JmaC6kxUbYmWoqvyfck2xZGGnDFYa9MMzkYQ1ijkCX6qidybrgePiQ0QIQqoi6qRLeqQfIoRsEHaQJLBdHOnLGetSdm/IPcymJuS1PAnbQPH0MOw/39C1vL11DiLOqIsbDI8QcHvGiLnySi2qUXBicaqUSxN5LEB0g7Jt3ENXJLPJ5S1tnaZBoWbpRqrmjRE7qHmpSmNHdQcYrEUadoh+TbBnc9ri7iycI1kzPeNcLDIvbiqXpez9Tmdq6zGREPuzECBoxrPMiI2WtvyNwhJba2wy3JZ6ky5dD1lSvmZS3e4SPA1wcf1VTFHKX+cGwZzdUYcqpvUtvwrD/InDttVlyZeAKlNN5MKbAiurHhKIPlUuJvlTCCiDjSKSCsUmCFWbGLZwCESfK07JB8LvMYWVtw0D00JEHV8Mq2HkqPbE0oHLvvK2g0o8ETg+4cfwTlZDT9JDoWygu4uQQE/ivIvtcnfPkaCqhiupz7jWOAzqL/vjtcdkv9G4MVMt+EaylfuImiPAXEUjRF3pjjaHiPPZ6If9TGGAO4ZY0am6jOCb+DQ+ZCqLkIpOIPrdNfIjnFPY6nyFut7TS/fanrziOBOKMupKw94WaLMtuVnSFt9CPrWWdJE6PeltCX432DEBoh+5Dv8RRhdis8YAv9uyq4/JAwtlEApgBe9Cw9xDD3tdk4Jn0MDfiHwPHcRPxBePCMER3GuIx7kGlv9fkZ4V9lolx2Uv4X7hEj7qJ3LDoAMGbTRMRibu4L2xQ8bgt8AyU+Q+x7nYrvDnH4iuO5LxKsYwPVbkPMvKF9Zky9wXzRfVWizi62r9X5VHf55h+WHhDjGBZ4WRhyTr6z5SlCoLMxLSpBZFsQ9F80uQFbF/6aFWi+Ev51vzzsuX+msyzuQXXjUz8zEBy+zpq9yweXAoxJW4JbYrDS6gYDqGHxPl+TKeiBfxj9/EBIElPYeOA4y8/qRQfknjvSzgRgtq0Pw/M1eQeMdOSb2Bnrhr6Led+1vcp2x7oTFHMnedFW+Ivlty062BUt74oHgSj+vHepnhunn0JJAMtBZgDI/qmGtMujRv8DDpo47zBJ8UtPOuAR/7rKn8t9AJ0tBdmBAmJ/Fu71yxp4I3qh+DhyRqbi5Y1ShVPlSb8X7bRNcfgZFl+WRGYo7uecrWq1r8X5bhmzP5OdlDwsGRm1suSxkg5rYm7ConyGQ3Zl+DgSD8V/kPwrWBMG9YcBtyShBnTLdTiHgttw7qAW7cqh/ZnmPKr/6ignOaKsdyxbsToT5UkPsW00bJjijDXficcX/JsLs6w2BwGtherdckH3w/kNXRPVI0OqJQoHX42/66IMfMj/2huRjxIidgKV/W0JS+bsstDoTeAHcrI8E5zTh/sDkqxL5rZup55/3USlswfcHf4IrQplVDgW9XFlOqnwr6pVPMMEZTuC60EttvdzbLbaZ4PsFVa3nohhO+vW+yn/ZB2fUhpysmQrzBcTSai9EszuZMcEZ1lCFVrp9zGXhm69iLyY4oxFIa178lPe12I/P2DAYDAaDwWAwGAwGg8FgMBgMBoPBYDD2Cf8IMADDRGoQTe+E9AAAAABJRU5ErkJggg==' style='margin-top: -16px;' width='92'/> </a> <ul> <li> <a href='//www.google.com/'> Google </a> </li> <li> <a href='//www.google.com/policies/privacy/'> Privacy </a> </li> <li> <a href='//www.google.com/policies/terms/'> Terms </a> </li> </ul> </div> </div> <script type='text/javascript'> //<![CDATA[ // Social sharing popups. var postEl = document.getElementsByClassName('social-wrapper'); var postCount = postEl.length; for(i=0; i<postCount;i++){ postEl[i].addEventListener("click", function(event){ var postUrl = this.getAttribute("data-href"); window.open( postUrl,'popUpWindow','height=500,width=500,left=10,top=10,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes'); });} //]]> </script> <script type='text/javascript'> //<![CDATA[ var BreakpointHandler = function() { this.initted = false; this.isHomePage = false; this.isMobile = false; }; BreakpointHandler.prototype.finalizeSummary = function(summaryHtml, lastNode) { // Use $.trim for IE8 compatibility summaryHtml = $.trim(summaryHtml).replace(/(<br>|\s)+$/,''); if (lastNode.nodeType == 3) { var lastChar = summaryHtml.slice(-1); if (!lastChar.match(/[.”"?]/)) { if (!lastChar.match(/[A-Za-z]/)) { summaryHtml = summaryHtml.slice(0, -1); } summaryHtml += ' ...'; } } else if (lastNode.nodeType == 1 && (lastNode.nodeName == 'I' || lastNode.nodeName == 'A')) { summaryHtml += ' ...'; } return summaryHtml; }; BreakpointHandler.prototype.generateSummaryFromContent = function(content, numWords) { var seenWords = 0; var summaryHtml = ''; for (var i=0; i < content.childNodes.length; i++) { var node = content.childNodes[i]; var nodeText; if (node.nodeType == 1) { if (node.hasAttribute('data-about-pullquote')) { continue; } nodeText = node.textContent; if (nodeText === undefined) { // innerText for IE8 nodeText = node.innerText; } if (node.nodeName == 'DIV' || node.nodeName == 'B') { // Don't end early if we haven't seen enough words. if (seenWords < 10) { continue; } if (i > 0) { summaryHtml = this.finalizeSummary(summaryHtml, content.childNodes[i-1]); } break; } summaryHtml += node.outerHTML; } else if (node.nodeType == 3) { nodeText = node.nodeValue; summaryHtml += nodeText + ' '; } var words = nodeText.match(/\S+\s*/g); if (!words) { continue; } var remain = numWords - seenWords; if (words.length >= remain) { summaryHtml = this.finalizeSummary(summaryHtml, node); break; } seenWords += words.length; } return summaryHtml; }; BreakpointHandler.prototype.detect = function() { var match, pl = /\+/g, search = /([^&=]+)=?([^&]*)/g, decode = function (s) { return decodeURIComponent(s.replace(pl, " ")); }, query = window.location.search.substring(1); var urlParams = {}; while (match = search.exec(query)) urlParams[decode(match[1])] = decode(match[2]); this.isListPage = $('html').hasClass('list-page'); this.isMobile = urlParams['m'] === '1'; this.isHomePage = window.location.pathname == '/'; }; BreakpointHandler.prototype.initContent = function() { var self = this; $('.post').each(function(index) { var body = $(this).children('.post-body')[0]; var content = $(body).children('.post-content')[0]; $(content).addClass('post-original'); var data = $(content).children('script').html(); data = self.rewriteForSSL(data); if (document.body.className.indexOf('is-preview') !== -1) { // If exists, extract specified editor's preview. var match = data.match(/([\s\S]+?)<div data-is-preview.+?>([\s\S]+)<\/div>/m); if (match) { data = match[1]; } } // Prevent big images from loading when they aren't needed. // This must be done as a pre-injection step, since image loading can't be // canceled once embedded into the DOM. if (self.isListPage && self.isMobile) { data = data.replace(/<(img|iframe) .+?>/g, ''); } // Insert template to be rendered as nodes. content.innerHTML = data; if (self.isListPage) { var summary = document.createElement('div'); $(summary).addClass('post-content'); $(summary).addClass('post-summary'); body.insertBefore(summary, content); if (match) { // Use provided summary. summary.innerHTML = match[2]; } else { // Generate a summary. // Summary generation relies on DOM, so it must occur after content is // inserted into the page. summary.innerHTML = self.generateSummaryFromContent(content, 30); } // Add read more link to summary. var titleAnchor = $(this).find('.title a')[0]; var link = titleAnchor.cloneNode(true); link.innerHTML = 'Read More'; $(link).addClass('read-more'); summary.appendChild(link); } }); // Firefox does not allow for proper styling of BR. if (navigator.userAgent.indexOf('Firefox') > -1) { $('.post-content br').replaceWith('<span class="space"></span>'); } $('.loading').removeClass('loading'); }; BreakpointHandler.prototype.process = function() { if (!this.initted) { var makeInsecureImageRegex = function(hosts) { var whitelist = hosts.join('|').replace(/\./g,'\\.'); // Normal image tags, plus input images (yes, this is possible!) return new RegExp('(<(img|input)[^>]+?src=("|\'))http:\/\/(' + whitelist +')', 'g'); }; this.sslImageRegex = makeInsecureImageRegex(BreakpointHandler.KNOWN_HTTPS_HOSTS); this.sslImageCurrentDomainRegex = makeInsecureImageRegex([window.location.hostname]); this.detect(); this.initContent(); this.initted = true; } }; BreakpointHandler.KNOWN_HTTPS_HOSTS = [ "www.google.org", "www.google.com", "services.google.com", "blogger.com", "draft.blogger.com", "www.blogger.com", "photos1.blogger.com", "photos2.blogger.com", "photos3.blogger.com", "blogblog.com", "img1.blogblog.com", "img2.blogblog.com", "www.blogblog.com", "www1.blogblog.com", "www2.blogblog.com", "0.bp.blogspot.com", "1.bp.blogspot.com", "2.bp.blogspot.com", "3.bp.blogspot.com", "4.bp.blogspot.com", "lh3.googleusercontent.com", "lh4.googleusercontent.com", "lh5.googleusercontent.com", "lh6.googleusercontent.com", "themes.googleusercontent.com", ]; BreakpointHandler.prototype.rewriteForSSL = function(html) { // Handle HTTP -> HTTPS source replacement of images, movies, and other embedded content. return html.replace(this.sslImageRegex, '$1https://$4') .replace(this.sslImageCurrentDomainRegex, '$1//$4') .replace(/(<(embed|iframe)[^>]+?src=("|'))http:\/\/([^"']*?(youtube|picasaweb\.google)\.com)/g, '$1https://$4') // Slideshow SWF takes a image host, so we need to rewrite that parameter. .replace(/(<embed[^>]+?feed=http(?=[^s]))/g, '$1s'); }; $(document).ready(function() { var handler = new BreakpointHandler(); handler.process(); // Top-level navigation. $(".BlogArchive .tab").click(function(ev) { ev.preventDefault(); $(this).parent().toggleClass('active'); $(this).siblings().slideToggle(300); }); $(".Label .tab").click(function(ev) { ev.preventDefault(); $(this).parent().toggleClass('active'); $(this).siblings().slideToggle(300); }); // Blog archive year expansion. $('.BlogArchive .intervalToggle').click(function(ev) { ev.preventDefault(); if ($(this).parent().hasClass('collapsed')) { $(this).parent().removeClass('collapsed'); $(this).parent().addClass('expanded'); } else { $(this).parent().removeClass('expanded'); $(this).parent().addClass('collapsed'); } }); // Reverse order of months. $('.BlogArchive .intervalToggle + div').each(function(_, items) { var year = $(this); year.children().each(function(_, month) { year.prepend(month); }); }); // Set anchors to open in new tab. $('.post-content img').parent().each(function(_, node) { if (node.nodeName == 'A') { $(this).attr('target', '_blank'); } }); // Process search requests. $('.searchBox input').on("keypress", function(ev) { if (ev.which == 13) { window.location.href = 'https://www.google.com/search?q=site%3A' + window.location.hostname + '%20' + encodeURIComponent ($(this).val()); } }); }); //]]> </script> <script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/984859869-widgets.js"></script> <script type='text/javascript'> window['__wavt'] = 'AOuZoY7OivsYNEY4shpKlolaEqOt0UKzXg:1732707461538';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d1176949257541686127','//security.googleblog.com/2016/09/','1176949257541686127'); _WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '1176949257541686127', 'title': 'Google Online Security Blog', 'url': 'https://security.googleblog.com/2016/09/', 'canonicalUrl': 'https://security.googleblog.com/2016/09/', 'homepageUrl': 'https://security.googleblog.com/', 'searchUrl': 'https://security.googleblog.com/search', 'canonicalHomepageUrl': 'https://security.googleblog.com/', 'blogspotFaviconUrl': 'https://security.googleblog.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': false, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'G-K46T604G22', 'analytics4': true, 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Google Online Security Blog - Atom\x22 href\x3d\x22https://security.googleblog.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Google Online Security Blog - RSS\x22 href\x3d\x22https://security.googleblog.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Google Online Security Blog - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/1176949257541686127/posts/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/02de2df73990045b', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'X', 'key': 'twitter', 'shareMessage': 'Share to X', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'archive', 'pageName': 'September 2016', 'pageTitle': 'Google Online Security Blog: September 2016'}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Google Online Security Blog', 'description': 'The latest news and insights from Google on security and safety on the Internet', 'url': 'https://security.googleblog.com/2016/09/', 'type': 'feed', 'isSingleItem': false, 'isMultipleItems': true, 'isError': false, 'isPage': false, 'isPost': false, 'isHomepage': false, 'isArchive': true, 'isLabelSearch': false, 'archive': {'year': 2016, 'month': 9, 'rangeMessage': 'Showing posts from September, 2016'}}}]); _WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML8', 'sidebar-top', document.getElementById('HTML8'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_LabelView', new _WidgetInfo('Label1', 'sidebar', document.getElementById('Label1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogArchiveView', new _WidgetInfo('BlogArchive1', 'sidebar', document.getElementById('BlogArchive1'), {'languageDirection': 'ltr', 'loadingMessage': 'Loading\x26hellip;'}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML6', 'sidebar', document.getElementById('HTML6'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML5', 'sidebar-bottom', document.getElementById('HTML5'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML1', 'sidebar-bottom', document.getElementById('HTML1'), {}, 'displayModeFull')); </script> </body> </html>