Today, Google made major waves in the cryptography world, announcing a public collision in the SHA-1 algorithm. Its a deathblow to what was once one of the most popular algorithms in cryptography, and a crisis for anyone still using the function. The good news is, almost no one is still using SHA-1, so you dont need to rush out and install any patches. But todays announcement is still a major power play from Google, with real implications for web security overall.

Like most cryptography, it can get a little complicated, so its probably best to start from the very beginning...

Google publicly broke one of the major algorithms in web encryption, called SHA-1. The companys researchers showed that with enough computing power roughly 110 years of computing from a single GPU for just one of the phases you can produce a collision, effectively breaking the algorithm. Weve known this was possible for a while, but nobody has done it, in part because of the possible fallout.

A deathblow to a once-popular algorithm

In accordance with its disclosure policy, Google is waiting 90 days to say exactly how they did it but once the proof-of-concept is out, anyone with enough computing power will be able to produce a SHA-1 collision, rendering the algorithm both insecure and obsolete.

Its hard to say if Googles researchers are the first people to do this ( NSA ), but theyre the first ones to talk about it, which has major implications for anyone still using SHA-1.

SHA-1 is a hashing function, which produces a digital fingerprint from a given file. That lets you verify a files integrity without exposing the entire file, simply by checking the hash. If the hash function is working properly, each file will produce a unique hash so if the hashes match, the files themselves will also match. Thats particularly important for login systems, which need to verify that a password is correct without exposing the password itself.

A collision is what happens when a hashing function breaks, and two files produce the same hash. That could allow an attacker to smuggle in a malicious file because it shares its hash with a legitimate file. As proof-of-concept for todays announcement, Google published two PDF files that, run through SHA-1, produce the same hash.

In practical terms, a broken hash function could be used to break HTTPS, the encryption system that now protects more than half the web. You can learn more about that system from the podcast below (theres a whole pie-ribbon-curse metaphor; its great), but the gist is that it guarantees that the content you see at Wikipedia.com is really coming from Wikipedia and hasnt been tampered with along the way. If that system breaks, it would be easy for criminals to insert malware into web traffic from a compromised ISP or other network provider.

Unless you make a habit of clicking through those scary red screens, youll be fine. Cryptographers have been predicting a collision like this for years, making ever more specific predictions about how youd produce one and how much computing power it would take. This is the first time anyones burned the server time to actually do it, but weve known something like this was possible for a while.

As a result, most sites have already dropped SHA-1. As recently as 2014 it was being used for as much as 90 percent of the encryption on the web, but its been mostly abandoned in the years since. As of January 1st, every major browser will show you a big red warning when you visit a site secured by SHA-1. Its hard to say how many of those sites are left, but anyone with a halfway decent certificate provider is already safe.

SHA-1 is still used in a couple places outside web encryption particularly Git repositories but given how long the algorithm has been deprecated, the broader impact shouldnt be that widespread.

The short version is, they wanted to win the argument. Dropping SHA-1 took a lot of time and effort across the industry, and not everyone was eager to do it. The result has been a running fight over how fast make the switch with Googles Chrome Security Team providing one of the loudest voices for a faster transition. Chrome was forcing websites away from SHA-1 as early as 2014, long before other browsers started cracking down. Firefox caught on fairly quickly, too, with Microsofts Edge and IE bringing up the rear.

This is a fight about how secure the web needs to be

Chromes early moves caused a lot of grief among certificate providers but now that theres a proof-of-concept collision out there, the Chrome Security Team looks pretty smart. If wed listened to the slowpokes, this collision could have been a major problem! Instead, the industry moved fast, everyones safe, and we have to write blog posts to explain why it matters at all.

In a broader sense, this is a fight about how secure the web needs to be. If youre making smartphones or selling apps, you might not think its worth it to force the entire web off of a shaky algorithm. What does it matter if a few janky websites are slow to make the switch? But Google still a web advertising company, and that means any breakdown in web security is an existential threat. Whenever an algorithm like SHA-1 breaks, ad networks are among the first to be targeted, so Googles heavily invested in making sure those encryption systems work. And since Googles ads are served across the entire web, they need to make sure everyones on board. Sometimes that means cracking a few heads!

So while it might seem like a mathematical curiosity, this is really a victory lap for Google and one that cost quite a bit of server time. People have been saying SHA-1 was shaky for years, and now we all know they were right. Luckily, we all listened to the crypto folks, and nothing too serious got broken. Youre welcome.

See the rest here:
Google just cracked one of the building blocks of web encryption (but don't worry) - The Verge

Data from Chrome and Firefox shows that more than 50 percent of all web traffic now uses HTTPS.

More than half of all web page traffic is now encrypted, a milestone in an effort backed by everyone from Google to the federal government to encrypt the entire Internet.

The figure is based on a report from the Electronic Frontier Foundation released this week using data from the Chrome and Firefox web browsers. Mozilla and Google track the usage of the standard HTTPS encryption protocol based on data from users who opt in to share information.

As of Feb. 21, 51.3 percent of web pages that Firefox loads use HTTPS, according to results from Mozilla's Telemetry data-sharing program. Likewise, HTTPS covers more than half of the web pages loaded in Chrome across all operating systems, including Windows, Mac, iOS, and Android.

As TechCrunch notes, the encryption rallying cry has been taken up by organizations large, small, public, and private. And while encrypting more than half of all websites is significant, the modest and incremental goals that many of the organizations have set are an indication of the task's enormity.

For example, the Obama administration previously mandated that all federal websites using the .gov domain use HTTPS by the end of 2016. That didn't happen, but the General Services administration is still working on it. Meanwhile, Google last year announced plans to place increasingly noticeable warning labels on unencrypted sites in Chrome, although they will gradually roll out across several successive Chrome builds.

In the meantime, the EFF offers an add-on for most mainstream browsers called HTTPS Everywhere that can force websites to serve HTTPS pages even if they would otherwise default to plain HTTP. It's a stopgap measure, though, according to the EFF.

"Our goal is a universally encrypted web that makes a tool like HTTPS Everywhere redundant," EFF researcher Gennie Gebhart wrote in a blog post. "Until then, we have more work to do."

Tom is PCMag's San Francisco-based news reporter. He got his start in technology journalism by reviewing the latest hard drives, keyboards, and much more for PCMag's sister site, Computer Shopper. As a freelancer, he's written on topics as diverse as Borneo's rain forests, Middle Eastern airlines, and big data's role in presidential elections. A graduate of Middlebury College, Tom also has a master's journalism degree from New York University. Follow him on Twitter @branttom. More

Read the original here:
More Than Half of All Web Traffic Now Encrypted - PC Magazine

Some code found by XDA Developers in a teardown of version 7.2 of Googles Gmail APK seems to hint at enhanced encryption features planned for a future version of the app. To be clear, the mobile variant of the application already has some level of security with TLS encryption enabled by default. However, the discovered code hints at the addition of support for an enhanced encryption protocol S/MIME which is already available in the web-based version of Gmail. Bearing in mind that items found in APK teardowns dont always come to fruition, the addition of more security on the mobile side of things would match the companys goals to both make Android the most secure mobile platform and to bring more unification across its platforms.

S/MIME effectively works by creating, sending, and checking signature certificates tied to an email, so that users can verify that the sender of any such communication was actually where the message originated from. In the web-based version of Gmail, verification is shown in the form of a green lock symbol on a given email. XDA Developers conducting a teardown first noticed a block of code Enhanced encryption (S/MIME). The otherlines of code in that section appear to be related to user-side messages also linked to S/MIME encryption. It can reasonably be assumed that Google will use the same symbols in the mobile application as those used in the web version of Gmail. So the strings, as code stored in text format is called, would most likely be shown to end-users click alongside associated emails. Presumably, S/MIME messages could work similarly to how current messages relating to security do. For example, some spam emails in the current Gmail app show a boxed message which generally appears at the top of the email with a statement relating to how the message was determined to be spam in the first place and including precautions that should be taken.Layout files which generally correspondto user interface management were also discovered. The naming conventions used with the files directly correlate to those found in the encoded string messages and are listed by XDA asfz_details.xml, fz_failure.xml, fz_details_item.xml, fz_details_divider.xml, and fz_failure_background.xml.

It is always worth reiterating that not all of the code found in any APK will eventually make its way to users.However, the sheer number of discoveries in version 7.2 of the mobile application really seems to indicate very strongly that a future version will come with the advanced protocol activated. Considering the current security-minded atmosphere surround technologies in general, that would ultimately be a win-win for everybody involved.

Read more here:
Gmail 7.2 APK Hints At Possible S/MIME Encryption - Android Headlines

WhatsApp, the hugely popular Instant Messaging platform is continuing on its path to release new service and feature updates.

The latest release is a new feature called Status which was announced by the WhatsApp team earlier this week.

Its essentially a pimped up version of that Status tab that been previously used for text messages like Hey Im On WhatsApp or At The Gym. The new Status allows users toshare photos, videos emojis and GIFs. The status updates also disappear after 24 hours.

For people on Snapchat and Instagram, all of this ought to be very familiar now. Its what Snapchat introduced to us as Snapchat Stories and was also appropriated by Facebook-owned Instagram.

It looks like WhatsApp, which is also part of Facebook, continues to beinspired by Snapchat (remember that photo art feature), though its been quick to express its point of difference. Your Status is secured through its End to End Encryption (E2EE).

The feature is being rolled out to iOS, Windows and Android gradually and you dont have to update your version for it. It just shows up and when it has been activated youll know by changes in the Status tab that include a camera icon.

Continue reading here:
WhatsApp launches feature called Status which copies Snapchat Stories but with encryption - Technology Zimbabwe