Google on Tuesday revealed that the decade-old but still widely used SSL 3.0 (Secure Sockets Layer) has a major security flaw. According to the company, the vulnerability, dubbed POODLE (short for Padding Oracle On Downgraded Legacy Encryption), allows decryption of the contents of encrypted connections to websites. The vulnerability affects any product that follows SSL 3.0, which includes Chrome, Firefox, and Internet Explorer.
A day after Apple detailed its new privacy measures, Google has opened up about its own plans to boost security on Android. The company will enable data encryption by default on devices running Android L, which means all data will be inaccessible unless the person has the decryption key, The Washington Post reports.
Google is reportedly working on end-to-end encryption for Gmail to ensure that its users have better privacy. According to The Verge, PGP has been an open-source encryption standard for nearly 20 years, but the protocol has been dogged by usability issues that many claim have kept it from broader use.
Popular web encryption software OpenSSL might have been the preferred choice when it came to making secure transactions on the Internet, but a recent bug in its heartbeat feature can expose user information to malicious websites. The Heartbleed Bug was made public yesterday and it impacted almost every online service that used OpenSSL for data encryption. This includes services provided by companies like Google, Facebook, Yahoo and others. While you thought that your transactions were secured, the existence of the Heartbleed Bug puts that sense of security into question. The Heartbleed Bug has existed for about two years and could have given malicious hackers, as well as government agencies like America's NSA, backdoor entry to our encrypted information. We take a look at what the Heartbleed Bug means to Internet users.
Yahoo has reportedly taken additional security measures in order to protect the data it handles and is also planning to encrypt additional services like Yahoo Messenger. Yahoo, one of the many technology companies demanding reforms on US surveillance laws, reportedly revealed that it has been encrypting traffic from its data centers since the beginning of this week.
Google announced that it would encrypt Gmail messages in order to increase the security of content, and prevent snooping on a user's account. Starting today, Gmail will use an encrypted HTTPS connection on all email messages sent or received, even while moving these messages internally between Google's data centers, to ensure the privacy and safety of users' content.
Twitter has announced a new security feature, wherein it is enabling a Perfect Forward Secrecy encryption method across its mobile site and website. This encryption method will ensure that hackers or snooping organizations won't have easy access to any personal information on the microblogging platform.
The Indian government has finally found a way to encrypt data from BlackBerry and other popular email services such as Yahoo, Skype, Nokia Pushmail, Gmail and others. The Ministry of Home Affairs (MHA) is working on a model wherein direct tapping of BBM services would be possible instead of sending requests to RIM for surveillance. To sort out this issue, the MHA has set up a server, controlled by a team of officers, which would help in direct linkage with the servers of these giants for interception. The MHA has also suggested that the interception of email services by Yahoo, Nokia Pushmail and Gmail can take place if these service providers ensure that all emails accessed from India are routed through servers located in India. Conversations through Skype would soon get intercepted as well, with Skype planning to set up India-centric software.
The Telecom Minister of India, Kapil Sibal, recently held a meeting with the Interpol Secretary General Ronald K Noble to discuss an intercept mechanism for such communications, which would help in combating telecom crimes. Indian security agencies are not able to intercept the encrypted communication from services like BlackBerry, Gmail, Nokia Pushmail and Skype. The
Google and Apple testified before the Senate on Tuesday, where both firms were grilled on collecting location information from mobile phones. During the hearing, Senator Al Franken was particularly vocal on the issue. “My wireless companies, Apple and Google, and my apps, all get my location or something very close to it,” Senator Franken said. “We need to address this issue now, as mobile devices are only going to get more popular.” We covered Apple’s response on Tuesday, during which Apple’s vice president of software technology, Bud Tribble, said that “Apple does not track users’ locations,” and that the firm never plans to do so. However, Franken was also concerned that Apple and Google have done little to police third-party applications that are collecting and transmitting location data, and suggested that both companies require developers to alert users of their specific privacy policies. Tribble said Apple already does this, but it has never tossed an application for violating that rule. Google’s director of public policy, Alan Davidson, said Google would consider adding the option. According to The Wall Street Journal, Jessica Rich, the deputy director of the Federal Trade Commission’s consumer-protection bureau said that, despite both firms saying they don’t collect user data, “there’s a lot [the FTC] can do… to challenge,” those claims.
Apple has finally broken its week-long silence over the location-tracking database scandal surrounding iPhones and 3G iPads running iOS 4 and higher. The company states that it never has, and never plans to, track users’ iDevices, and that the purpose of the database file in question, consolidated.db, is to “help your iPhone rapidly and accurately calculate its location when requested.” The company noted that a software update will limit the size of the location file and be available in the next few weeks; the next major iOS release will add a layer of encryption to the file. Apple’s full statement is after the break. Have a look and let us know what you think.
It looks as though software developer James Laird has opened Pandora’s box for Apple’s AirPlay music streaming system. Frustrated by the fact that an AirPort Express emulator did not exist, Laird began to look for a solution that would allow him to stream iTunes music without the use of AirPlay. “I was disappointed to find that Apple used a public-key crypto scheme, and there’s a private key hiding inside the ApEx [Airport Extreme],” wrote Laird. “So I took it apart (I still have scars from opening the glued case!), dumped the ROM, and reverse engineered the keys out of it.” Laird has published the private key in an open source software project dubbed ShairPort (clever). The software, which is built in Perl and C, will allow users to stream iTunes content to hardware and software designed to talk to ShairPort. Apple has opened up its AirPlay system to third-parties in recent months, but this blows the doors wide open for all those looking to circumvent that red tape-filled process.
In a recent blog post, Twitter announced a new measure aimed at keeping its users' data a bit more secure as it travels over the wire. Via the “Settings” preference pane, users can now force Twitter communications to always travel over a secure, HTTPS connection. “This will improve the security of your account and better protect your information if you're using Twitter over an unsecured Internet connection,” writes Twitter. “In the future, we hope to make HTTPS the default setting.” Enabling the feature also secures traffic traveling to and from the official Twitter applications for both the iPhone and iPad; it will not, however, automatically enable HTTPS on the mobile Twitter website. Unless you have a specific reason not to enable the feature, we highly recommend it.