WebProNews

Tag: Encryption

  • Google Bringing End-to-End Encryption to RCS Messages

    Google appears prepared to bring end-to-end encryption to RCS messages, helping it better compete with Apple iMessages.

    RCS is considered the successor to basic text messages, offering a number of features not possible with the older technology: larger group chats, read receipts, chat over WiFi, typing indicators, group management (adding/removing participants) and more. These are features Apple iMessages have had since the beginning, but they only work when communicating with other Apple devices.

    The one area where RCS has lagged behind, however, is security. While RCS does have encryption, it does not support end-to-end encryption, which is considered the gold standard for protecting user privacy. Now, that appears to be changing.

    According to 9to5Google, APKMirror has discovered one of Google Messages’ internal “dog food” builds. The term “dog food” is used in software development to describe using your own product to find its flaws before asking customers to use it—as in “eat your own dog food.”

    There are a number of interesting features Google appears to be working on. Just as iMessages can fall back to SMS or MMS, Google Messages will have the same option. In an improvement over iMessages, however, Google Messages will warn the user that SMS and MMS do not support encryption when falling back to them. Similarly, Google will ask whether a user wants to grant access to encrypted messages to apps that otherwise have access to standard messages.

    Overall, this is a welcome upgrade to RCS messages, especially since Google rolled them out to all users in the US late last year.

  • Zoom to Allow Paid Customers to Route Their Data

    Beginning April 18, Zoom will allow paid subscribers to choose which region their data is routed through.

    Zoom has experienced unprecedented growth, quickly becoming the option of choice for videoconferencing as millions of people work from home. Despite its popularity, and in part because of it, the company has faced withering criticism for lapses in its security and privacy measures, prompting it to put a 90-day moratorium on new features in an effort to focus on privacy and security improvements. One such criticism is that some calls, as well as the encryption keys used to protect them, were routed through China—despite originating in North America.

    True to its promise to focus on beefing up security, Zoom has announced that paying customers will be able to choose where their calls and data are routed. The company began sending out emails to paid subscribers, notifying them of the change, on Monday.

    In a blog post, Zoom CTO Brendan Ittelson explained further:

    Beginning April 18, every paid Zoom customer can opt in or out of a specific data center region. This will determine the meeting servers and Zoom connectors that can be used to connect to Zoom meetings or webinars you are hosting and ensure the best-quality service.

    1. Starting April 18, with respect to data in transit, Zoom admins and account owners of paid accounts can, at the account, group, or user level:
    • Opt out of specific data center regions
    • Opt in to specific data center regions

    You will not be able to change or opt out of your default region, which will be locked. The default region is the region where a customer’s account is provisioned. For the majority of our customers, this is the United States.

    This feature gives our customers more control over their data and their interaction with our global network when using Zoom’s industry-leading video communication services.

    This is good news for paid subscribers, and further demonstrates the lengths to which Zoom is going to regain the trust they lost.

  • Coming or Going? In the Encryption Debate, U.S. Government Doesn’t Know

    Senator Blumenthal has issued a call for the FTC to investigate Zoom’s security, illustrating a schism within the government over the issue of encryption.

    Few issues have polarized politicians, scientists, researchers and citizens as much as end-to-end encryption. Many officials, including multiple FBI directors, have warned that strong encryption makes it nearly impossible to properly investigate cases and contributes to criminals “going dark.” Others, such as Senators Ron Wyden and Rand Paul, have been staunch proponents of strong encryption. Similarly, mathematicians and security experts have repeatedly made the case that strong encryption cannot have backdoors or built-in weaknesses and still offer the necessary protection.

    Currently, the biggest threat to encryption in the U.S. is the upcoming EARN IT Act. The bill is designed to combat online sexual exploitation of children. While absolutely a worthwhile goal that should be a priority for companies, governments and individuals alike, the bill is a Pandora’s box of uncertainty when it comes to encryption. The bill addresses protection under Section 230 of the Communications Decency Act, under which companies are not held liable for things people say or do on their communications platforms.

    Under the proposed EARN IT Act, in order to maintain their protected status under Section 230, companies would need to comply with vague “best practices” established by a committee. This committee, and the U.S. Attorney General, would have wide discretion to determine what those “best practices” are. So what happens if the Attorney General is William Barr, an individual who has voiced staunch opposition to end-to-end encryption? Might “best practices” include the requirement that companies build in backdoors? Very likely.

    Backers of the bill have said it is not an attack on encryption and that the necessary safeguards are in place. However, nearly every expert who has reviewed the bill has arrived at a completely different conclusion and believes the bill will absolutely lead to an all-out attack on encryption.

    Should that happen, many companies will have to choose between weakening their encryption, and thereby endangering their users, or moving their businesses outside the U.S. One example is the encrypted messaging app Signal, used by the U.S. military, as well as senators and their staff. Signal developer Joshua Lund made it clear (an excellent read) that the app will likely no longer be available in the U.S. if EARN IT passes.

    What makes this story all the more interesting is a recent tweet by Senator Richard Blumenthal, one of the sponsors of the EARN IT Act:

    I am calling on FTC to investigate @zoomus. Zoom’s pattern of security failures & privacy infringements should have drawn the FTC’s attention & scrutiny long ago. Advertising privacy features that do not exist is clearly a deceptive act.

    The facts & practices unearthed by researchers in recent weeks are alarming—we should be concerned about what remains hidden. As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy & security.

    Richard Blumenthal (@SenBlumenthal) April 7, 2020

    One of the biggest privacy and security issues with Zoom is the fact that it advertised end-to-end encryption, but failed to deliver. Based on Senator Blumenthal’s tweet, the message is clear: end-to-end encryption is a wonderful thing for government officials, so long as said government officials can still spy on the average citizen.

    In other words, the U.S. government is stuck in a strange dichotomy where it wants to punish companies for not supporting end-to-end encryption, while at the same time undermining and legislating backdoors in that very encryption.

  • Zoom Pivots to Security Amid Ongoing Criticism

    Zoom is taking drastic measures to improve its security and privacy amid criticism and scrutiny as it serves hundreds of millions of users.

    As the pandemic sweeps the globe, individuals, corporations and organizations of all types are making drastic changes to their daily workflows and routines. Zoom has become an integral part of those routines, and hundreds of millions of users have begun to rely on the platform for school, work and socializing.

    Unfortunately for the company, the increased usage has also brought increased scrutiny, especially in the realm of privacy and security. The company has been called to task for not using end-to-end encryption, as its marketing claims; for leaking email addresses; for sending data to Facebook without informing users, before finally removing the offending SDK; and for a rash of Zoom-bombing incidents where outside individuals gain access to a Zoom meeting and make a nuisance of themselves.

    In view of these challenges, Zoom is taking drastic action to beef up its security and privacy. In a blog post on the company’s site, founder and CEO Eric Yuan said the company is enacting a freeze for 90 days in order to shift all “engineering resources to focus on our biggest trust, safety, and privacy issues.”

    The company also plans to conduct a comprehensive review with third-party experts and release a transparency report. It will also enhance its bug bounty program, and engage in a number of white box penetration tests. Zoom has also improved its privacy policy, apologized for not handling its encryption issues clearly and tried to help individuals address Zoom-bombing.

    In short, the company is pulling out all the stops in an effort to improve its privacy and security, no small task given how quickly the platform has grown.

    “To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million,” writes Yuan. “In March this year, we reached more than 200 million daily meeting participants, both free and paid.”

    As we said in a previous article, “the increased scrutiny of Zoom is a good reminder to companies that privacy and security should never be an afterthought. Instead, they should be a core feature, built in to an app or service from day one.”

    That statement remains true—security and privacy should never be an afterthought. At the same time, it’s time to give credit where credit is due: Zoom is stepping up to the plate and doing everything possible to provide its users with the privacy and security they expect and deserve.

  • EU Commission Switching to Signal Messaging App

    In an effort to improve its cybersecurity, the EU Commission is encouraging its staff to switch to the Signal messaging app.

    In the world of messaging, Signal is considered the king of security. It features end-to-end encryption that is widely believed to be the best in the business. It’s so good, in fact, that its protocol serves as the basis of the more popular WhatsApp. Unlike WhatsApp, however, Signal is also open-source, ensuring a level of transparency that other apps can’t match.

    Signal has recently been in the news as it works to become a more mainstream alternative to its better-known competitors. A big part of that was a $50 million investment by WhatsApp cofounder Brian Acton two years ago. Acton left Facebook over disagreements about WhatsApp’s privacy once Facebook acquired his creation. By throwing his weight—and money—behind Signal, Acton evidently sees the app as the successor to WhatsApp, and the best option for individuals who want to keep their communications secure.

    The EU Commission evidently agrees, as it wants its staff to switch to the messaging app to help avoid the kind of embarrassing leaks it has experienced recently, according to Politico. The move will likely cause turmoil in the greater debate about end-to-end encryption, as governments around the world are pushing tech companies to create backdoors for government access. Mathematicians, cryptographers, scientists, tech leaders and even some lawmakers have all said such a quest is foolhardy, dangerous and impossible to achieve without fundamentally weakening encryption and opening up innocent individuals to having their data compromised.

    The EU seemingly endorsing the single most secure end-to-end encryption platform on the planet will go a long way toward making the case against backdoors or any weakening of the very encryption the EU is counting on.

    Image Credit: Signal (Instagram @signal_app)

  • PSA: Don’t Post Links to Private WhatsApp Groups

    Although WhatsApp is well-known for its security and end-to-end encryption, posting links to WhatsApp groups can open the entire group to the internet.

    Jordan Wildon, a journalist with DW News, first noticed that Google was indexing WhatsApp invitation links.

    Your WhatsApp groups may not be as secure as you think they are.

    The “Invite to Group via Link” feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups.

    — Jordan Wildon (@JordanWildon) February 21, 2020

    Following his tweet, Jane Manchun Wong—who specializes in reverse engineering apps to uncover security flaws—confirmed the issue.

    A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines

    It should’ve been Disallowed with robots.txt or with the noindex meta tag

    thanks @JordanWildon for the tip

    — Jane Manchun Wong (@wongmjane) February 21, 2020


    Motherboard did further testing and was able to join a variety of groups, including one that claimed to be “NGOs accredited by the United Nations.” Motherboard was able to see all of the group participants and their phone numbers.

    Google has said there is nothing wrong with what’s occurring, and this is a simple case of their search engine indexing publicly available information, just as it would any other source.

    In a statement to Motherboard, WhatsApp confirmed that stance: “Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”

    The takeaway here is that if users want to keep their WhatsApp groups private, they shouldn’t share access via public links. Doing so essentially serves as an open invitation, only requiring someone to put forth the time and effort to find such groups.
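    The two mitigations named in Wong’s tweet, a robots.txt Disallow rule and a noindex meta tag, are the standard ways a site keeps a page out of search indexes, and the takeaway above is that a link posted publicly is findable regardless. The following Python is an added example, not code from the article, from WhatsApp or from Google: it classifies how a URL is exposed to a crawler given a site’s robots.txt, the page’s HTML and its response headers. The hypothetical `example.test` domain, the `/invite/` path and the sample robots.txt are constructed for the example.

```python
"""Classify a URL's exposure to search-engine indexing.

Added example (not from the article, WhatsApp or Google). It models the two
controls named in the tweet: a robots.txt Disallow rule and a
<meta name="robots" content="noindex"> tag; the X-Robots-Tag header is the
HTTP equivalent of the meta tag. The domain, path and robots.txt are constructed.
"""
from html.parser import HTMLParser
from urllib import robotparser

# Constructed robots.txt for a hypothetical site that keeps its invite paths
# away from crawlers while leaving the rest of the site crawlable.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /invite/
Allow: /
"""


class _RobotsMetaParser(HTMLParser):
    """Collects the comma-separated directives of every <meta name="robots"> tag."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)
        if (attr.get("name") or "").lower() == "robots":
            for directive in (attr.get("content") or "").split(","):
                self.directives.add(directive.strip().lower())


def has_noindex(html, headers=None):
    """True if the page opts out of indexing via meta tag or X-Robots-Tag header."""
    parser = _RobotsMetaParser()
    parser.feed(html)
    if "noindex" in parser.directives:
        return True
    for name, value in (headers or {}).items():
        if name.lower() == "x-robots-tag" and "noindex" in value.lower():
            return True
    return False


def crawl_allowed(robots_txt, url, user_agent="*"):
    """Apply robots.txt rules to a URL using the standard-library parser."""
    rules = robotparser.RobotFileParser()
    rules.parse(robots_txt.splitlines())
    return rules.can_fetch(user_agent, url)


def indexing_exposure(robots_txt, url, html, headers=None):
    """Return one of:
      'blocked-from-crawl' : robots.txt forbids fetching. The page content is
                             not crawled, but a URL linked from elsewhere can
                             still be listed, so this alone is not secrecy.
      'noindex'            : crawlable, but the page asks not to be indexed.
      'indexable'          : nothing stops a search engine from indexing it.
    """
    if not crawl_allowed(robots_txt, url):
        return "blocked-from-crawl"
    if has_noindex(html, headers):
        return "noindex"
    return "indexable"


if __name__ == "__main__":
    for path in ("/invite/abc123", "/about"):
        print(path, indexing_exposure(SAMPLE_ROBOTS_TXT, f"https://example.test{path}", "<html></html>"))
```

The three outcomes are ordered by how much the search engine sees, not by how private the page is: a robots.txt block keeps the content out of the index, but the URL itself can still surface if it is linked from a public page, which is exactly why the article’s advice is not to post the link at all.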

  • WhatsApp Now Has Two Billion Users

    Facebook-owned WhatsApp achieved a significant milestone, officially crossing the two billion user threshold.

    WhatsApp is the most popular messaging app on the planet and is a primary means of electronic communication in many countries. In addition to being cross-platform, the app supports audio and video calls, text and voice messages, file sharing and more. Significantly, the app supports end-to-end encryption, making it a vital element for many journalists and individuals who live under oppressive regimes.

    Not surprisingly, Facebook’s announcement regarding its user base focused heavily on the privacy aspects of the app. After acknowledging that the more people use the app, the more important it is to keep it secure, Facebook touted its commitment to continuing its strong stance on security and encryption.

    “That is why every private message sent using WhatsApp is secured with end-to-end encryption by default. Strong encryption acts like an unbreakable digital lock that keeps the information you send over WhatsApp secure, helping protect you from hackers and criminals. Messages are only kept on your phone, and no one in between can read your messages or listen to your calls, not even us. Your private conversations stay between you.

    “Strong encryption is a necessity in modern life. We will not compromise on security because that would make people less safe. For even more protection, we work with top security experts, employ industry leading technology to stop misuse as well as provide controls and ways to report issues — without sacrificing privacy.”

    As the war on privacy continues, it’s reassuring that one of the most widely used services remains more committed than ever to supporting strong encryption in an effort to protect its users.

  • Facebook Will Not Give Authorities a Backdoor to Access Encrypted Messages

    Two months ago we reported on an open letter by Attorney General William Barr and his counterparts in Australia and the United Kingdom, calling on Facebook to create encryption backdoors in its messaging apps. This was followed by the FBI urging Interpol to condemn the use of strong encryption.

    Facebook has officially responded to the Attorney General’s request, via an open letter of their own. In the letter, Will Cathcart, Head of WhatsApp, and Stan Chudnovsky, Head of Messenger, highlight the inherent risks of making encryption weaker, or creating backdoors for authorities to access.

    “We believe that people have a right to expect this level of security, wherever they live. As a company that supports 2.7 billion users around the world, it is our responsibility to use the very best technology available to protect their privacy. Encrypted messaging is the leading form of online communication and the vast majority of the billions of online messages that are sent daily, including on WhatsApp, iMessage, and Signal, are already protected with end-to-end encryption.

    “Cybersecurity experts have repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere. The ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm. It is simply impossible to create such a backdoor for one purpose and not expect others to try and open it. People’s private

    “And we are not alone. In response to your open letter asking that Facebook break encryption, over 100 organizations, including the Center for Democracy and Technology and Privacy International, shared their strong views on why creating backdoors jeopardize people’s safety. Cryptography Professor Bruce Schneier said earlier this year: ‘You have to make a choice. Either everyone gets to spy, or no one gets to spy. You can’t have ‘We get to spy, you don’t.’ That’s not the way the tech works.’ And Amnesty International commented: ‘There is no middle ground: if law enforcement is allowed to circumvent encryption, then anybody can.’”

    The two executives argued that law enforcement already has viable ways of getting the information they need in cases that demand it.

    “That doesn’t mean that we cannot help law enforcement. We can and we do, as long as it is consistent with the law and does not undermine the safety of our users…. We deeply respect and support the work these officials do to keep us safe and we want to assure you that we will continue to respond to valid legal requests for the information we have available. We will also continue to prioritize emergencies, such as terrorism and child safety, and proactively refer to law enforcement matters involving credible threats.”

    Our initial report on the Attorney General’s open letter highlighted the dangers of weakening encryption or creating backdoors. As Amnesty International said, “there is no middle ground.” Encryption is about basic math. It’s no more possible to have strong encryption with backdoors than it is to break the laws of physics. Hopefully, Facebook’s questionable history with privacy and security will not cloud the very valid argument they are making about the importance of encryption.

  • FBI Recruits Interpol to Condemn End-to-End Encryption

    Attorney General William Barr and his Australian and British counterparts made headlines recently when they wrote an open letter urging Facebook to create backdoors in its encryption. Not content with open letters, the FBI has drafted a resolution for Interpol to release urging companies to create methods that would allow access to encrypted data.

    Sources told Reuters the resolution “would be released without a formal vote by representatives of the roughly 60 countries in attendance.” A draft of the resolution seen by Reuters uses the threat of child exploitation as the reason behind the need for weakened encryption.

    “Service providers, application developers and device manufacturers are developing and deploying products and services with encryption which effectively conceals sexual exploitation of children occurring on their platforms.

    “Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and useable format.”

    According to Nicole Perlroth at the New York Times, however, Interpol is denying the resolution was ever considered:


    There is no doubt the resolution was drafted, with both Reuters and Ars Technica having seen a copy of it. The only question is whether Reuters’ sources about Interpol’s intentions were incorrect, or whether Interpol is attempting to backpedal after the news broke.

    Either way, it’s another disturbing escalation of attempts to weaken end-to-end encryption. The draft resolution itself is misleading in nature. Ars reports the resolution claims “technologists agree” that creating systems that “[allow] for lawful access to data, while maintaining customer privacy…can be implemented in a way that would enhance privacy while maintaining strong cyber security.”

    In point of fact, nothing could be further from the truth. As previously highlighted, mathematicians, cryptologists and privacy experts all agree there is no silver bullet. It is simple math—there is no way for encryption to be strong and protect its users while simultaneously having backdoors or other means for companies or governments to access the encrypted data.

    If Interpol could be persuaded to condemn strong encryption, it would make it easier for countries around the world to pass laws requiring companies to create backdoors. Such a result would be disastrous for journalists, whistleblowers, political dissidents, refugees and anyone else who values their privacy.

  • Government Officials Urge Facebook to Create Encryption Backdoor

    In most cases, two plus two equals four. It’s simple math. The same is true of encryption. Devices and services are either protected by strong encryption or they’re not. There is no in-between.

    In spite of that, the UK Home Secretary, Priti Patel, joined U.S. Attorney General William Barr and Australian Home Affairs Minister Peter Dutton in an open letter urging Facebook to essentially create a backdoor in their end-to-end encryption.

    On the one hand, the government officials offer lip service to the need for strong encryption:

    “We support strong encryption, which is used by billions of people every day for services such as banking, commerce, and communications. We also respect promises made by technology companies to protect users’ data. Law abiding citizens have a legitimate expectation that their privacy will be protected.”

    However, those statements are undermined by what follows:

    “Companies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes.”

    Unfortunately these statements, and others like them, demonstrate a dangerous lack of understanding about how encryption works or, for that matter, how basic math—the foundation of all encryption—works. Experts the world over have warned about the catastrophic dangers of creating backdoors in encryption here, and here, and here, and here, and here, and here and here (PDF).

    The last one was an open letter to the White House by civil organizations, companies, trade associations and a myriad of security and policy experts. These are individuals from such varied backgrounds that they rarely agree on anything. Yet the one thing they all agree on is that there is simply no way to create backdoors in encryption without fundamentally weakening said encryption. It simply can’t be done. There is no way to create a backdoor for the “good guys” to get into the phones, computers and tablets of the “bad guys” without the “bad guys” using those same backdoors to get into the devices of the “good guys.”

    At this point in the debate, people who want backdoors usually fall back to complaining about how strong encryption is making it possible for bad actors to “go dark,” using encryption to protect their activities from prying eyes. Therefore, the argument goes, the tech companies should be forced to make a backdoor in the interest of the greater good.

    By that logic, however, safe makers should be required to create a backdoor to every safe they manufacture in the event that whoever purchases it tries using it for nefarious purposes. Similarly, paper shredder makers should be forced to make shredders that can take the strips of shredded paper and recombine them into their original form. Otherwise, someone might use a shredder to destroy documents to cover illegal activity.

    What’s interesting about both of those examples is that, even without the manufacturers’ assistance, it’s possible to crack into a safe, as well as sort through strips of shredded paper and reconstruct documents. Is it a pleasant experience? No—but it’s possible.

    Similarly, even without backdoors in encryption, with enough computing power it is possible to break encryption or find ways to circumvent it. In the wake of the San Bernardino case, after the FBI tried to force Apple to unlock the perpetrator’s iPhone, the FBI was able to find a company that succeeded in unlocking the phone. Was it pleasant? No—but it was possible.

    Sometimes convenience for a few—in this case law enforcement—must take a back seat to the safety of the many. In other words, two plus two must equal four, unless a person doesn’t believe in basic math principles. Then two plus two equals five, or 13, or 127,309 or…

  • HTTPS Launched For All Custom Domains On WordPress.com

    Automattic announced that they’re launching free HTTPS for all custom domains hosted on WordPress.com. WordPress.com has supported encryption for WordPress.com subdomains since 2014, but now it’s being expanded to over a million custom domains.

    The company says users will see secure encryption automatically deployed on every new site within minutes.

    “We are closing the door to un-encrypted web traffic (HTTP) at every opportunity,” writes Automattic’s Chief Systems Wrangler.

    As he notes, encryption provides more than security.

    “Protocol enhancements like SPDY and HTTP/2 have narrowed the performance gap between encrypted and un-encrypted web traffic, with encrypted HTTP/2 outperforming un-encrypted HTTP/1.1 in some cases,” he writes.

    Google announced HTTPS as a ranking signal in 2014. Back in December, the search engine started indexing HTTPS versions of URLs by default.

    Earlier this year, Moz found that HTTPS URLs made up 25% of page-one Google results across 10,000 queries.

  • Here’s How Google Is Improving Gmail Security

    Google has made Gmail security a priority early this year. Last month, the company announced changes to keep users safe, including a broken lock icon displayed on messages when a user receives a message from, or is about to send one to, a person whose email service doesn’t support TLS encryption.

    Also part of the February update was a question mark displayed on a sender’s profile/avatar if the user gets a message that can’t be authenticated.

    Earlier this month, Google introduced improved data loss prevention features for enterprise customers using Gmail. These included optical character recognition for better scanning of attachments and the addition of new predefined content detectors.

    Google also launched two new detection parameters to give its largest Work customers better control over DLP policies, minimize false positives, and “take action commensurate with the level of perceived risk.” There is a count parameter and a confidence parameter. The former lets customers set up different DLP policies based on whether a message contains individual or bulk PII. The latter lets customers tighten or loosen detection criteria for the most commonly used detectors.

    On Thursday, Google announced partnerships with Comcast, Microsoft, and Yahoo to submit a draft IETF specification for “SMTP Strict Transport Security.” As the company describes, this is a new proposed standard that enables companies to ensure mail is only delivered through encrypted channels, and furthermore that encryption failures are reported for analysis.
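    The article describes SMTP Strict Transport Security in a single sentence: a receiving domain publishes a policy, and senders deliver only over encrypted channels and report failures. The Python below is an added example, not code from the article, from Google or from the IETF draft; it uses the policy format the draft was later standardised as in RFC 8461 (MTA-STS) and shows the sender’s side of the decision: parse the policy a domain serves, match the MX host against the policy’s `mx` patterns, and decide whether to deliver given the STARTTLS and certificate outcome. The `example.test` domain names and the policy body are constructed.

```python
"""Evaluate an MTA-STS policy for one delivery attempt.

Added example, not code from the article, from Google or from the IETF draft it
mentions. The policy format is the one standardised in RFC 8461, the published
successor of the SMTP STS draft; the domain names and the policy are constructed.
"""

# Constructed policy body, as a domain would serve it over HTTPS from
# https://mta-sts.<domain>/.well-known/mta-sts.txt (hypothetical domain).
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.test
mx: *.backup.example.test
max_age: 604800
"""

VALID_MODES = ("enforce", "testing", "none")


def parse_policy(text):
    """Parse the 'key: value' policy body. The mx key may repeat; the others may not."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("unknown policy mode")
    if "max_age" not in policy:
        raise ValueError("max_age is required")
    policy["max_age"] = int(policy["max_age"])  # seconds the sender may cache the policy
    return policy


def mx_matches(pattern, host):
    """MX matching per RFC 8461: a leading '*.' matches exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.test"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label  # exactly one label before the suffix
    return host == pattern


def delivery_decision(policy, mx_host, starttls_ok, cert_valid_for_mx):
    """Decide whether to deliver; returns (deliver, reason).

    enforce : deliver only over TLS to a listed MX whose certificate validates;
    testing : always deliver, but record the failure for the domain's reports;
    none    : the domain has withdrawn its policy.
    """
    if policy["mode"] == "none":
        return True, "no policy in effect"
    listed = any(mx_matches(p, mx_host) for p in policy["mx"])
    if listed and starttls_ok and cert_valid_for_mx:
        return True, "policy satisfied"
    if not listed:
        problem = "mx host not in policy"
    elif not starttls_ok:
        problem = "STARTTLS failed"
    else:
        problem = "certificate does not validate for mx host"
    if policy["mode"] == "testing":
        return True, f"testing mode: delivered, failure reported ({problem})"
    return False, f"enforce mode: delivery refused ({problem})"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    print(delivery_decision(policy, "mx1.backup.example.test", True, True))
    print(delivery_decision(policy, "mail.example.test", False, True))
```

The `testing` mode is what makes the failure reporting the article mentions workable in practice: a domain can publish its policy, receive reports of senders that would have been refused, fix its MX or certificate configuration, and only then switch to `enforce`.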

    Google is also extending its “Safe Browsing” feature, which is already enabled in several of its products, to give Gmail users warnings if they click links Google has identified as potentially dangerous. This is being applied when Gmail is used in different web browsers and email apps.

    Finally, Google is launching a new full-page warning about state-sponsored attacks and how to stay safe from them.

    Google notes that a very small percentage of users will ever see these (mainly activists, journalists, policy-makers, etc.), but those who do may see them instead of the existing warnings or in addition to them.

    Images via Google

  • Google Adds More Security To Gmail

    Google announced some changes to Gmail to keep users safe. For one, if you receive a message from or are about to send a message to a person whose email service doesn’t support TLS encryption, Gmail will display a broken lock icon in the message.

    If you get a message that can’t be authenticated, the sender’s profile photo/avatar will have a question mark displayed.

    “Gmail has always supported encryption in transit using TLS, and will automatically encrypt your incoming and outgoing emails if it can,” writes product manager John Rae-Grant. “We support industry-standard authentication to help combat email impersonation. And there are tons of other security measures running behind the scenes to keep your email safe.”

    “Of course, it takes at least two people to send and receive an email, so it’s really important that other services take similar measures to protect your messages—not just Gmail,” Rae-Grant adds. “Unfortunately, not all email services do.”

    As Google notes, just because an email is affected by one of these features, it doesn’t mean that it’s necessarily a dangerous email. It will just help users be extra cautious.

    The features were announced for “Safe Internet Day” on Tuesday.

    Images via Google

  • Shopify Makes All Stores Use SSL Encryption

    Shopify announced on Tuesday that it is now ensuring that all pages on all of its over 200,000 online stores can be accessed using SSL encryption.

    The company says this prevents shoppers’ traffic from being intercepted in transit and helps merchants build trust. Encryption in transit protects the connection between the browser and the store; it does not by itself protect data once it is stored on the server.

    “To make this possible, we’ve issued and set up SSL certificates for every Shopify store,” says Shopify’s David Cornu. “And because we feel this is important, we did it at no additional cost to existing or future Shopify merchants. You can now easily encrypt your online store by clicking ‘Activate SSL certificates’ in your Shopify account. Once activated, all your traffic will be redirected from HTTP to encrypted HTTPS.”

    “When a shopper visits your store for the first time, they look for cues that tell them it’s safe to buy from you,” he adds. “The most powerful indicator that they can trust you is the padlock icon that appears when your online store is fully encrypted, and they look for it whether they’re on your checkout or not.”

    Shopify also notes the SEO benefit of encryption, pointing to Google’s announcement in December that its indexing system would look for more HTTPS pages.

    Image via Shopify

  • Obama Urged to Reject Encryption Backdoors in Tech-Backed Letter

    President Obama is about to receive a letter signed by dozens upon dozens of companies and organizations, urging him to resist giving government agencies access to citizens’ personal data via backdoors in encrypted devices.

    “We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products. We request that the White House instead focus on developing policies that will promote rather than undermine the wide adoption of strong encryption technology. Such policies will in turn help to promote and protect cybersecurity, economic growth, and human rights, both here and abroad,” says the letter.

    “We are writing today to respond to recent statements by some Administration officials regarding the deployment of strong encryption technology in the devices and services offered by the U.S. technology industry. Those officials have suggested that American companies should refrain from providing any products that are secured by encryption, unless those companies also weaken their security in order to maintain the capability to decrypt their customers’ data at the government’s request. Some officials have gone so far as to suggest that Congress should act to ban such products or mandate such capabilities.”

    The idea that devices should be encrypted but not that encrypted is one that’s been floated around as of late by officials like U.S. Secretary of Homeland Security Jeh Johnson.

    The “current course [the technology industry is on], toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security,” said Johnson recently. “Encryption is making it harder for your government to find criminal activity and potential terrorist activity.”

    The consortium argues against backdoors (or front doors or whatever you want to call them) that would allow access to encrypted devices.

    “Encryption thereby protects us from innumerable criminal and national security threats. This protection would be undermined by the mandatory insertion of any new vulnerabilities into encrypted devices and services. Whether you call them ‘front doors’ or ‘back doors’, introducing intentional vulnerabilities into secure products for the government’s use will make those products less secure against other attackers. Every computer security expert that has spoken publicly on this issue agrees on this point, including the government’s own experts,” says the letter.

    The letter is signed by companies like Apple, Facebook, Microsoft, Google, Twitter, and Yahoo – as well as privacy organizations like the ACLU, Human Rights Watch, the Electronic Frontier Foundation, and over 50 security and policy experts.

    According to the Washington Post, the letter is also signed by “three of the five members of a presidential review group appointed by Obama in 2013 to assess technology policies in the wake of leaks by former intelligence contractor Edward Snowden.”

    “The Administration faces a critical choice: will it adopt policies that foster a global digital ecosystem that is more secure, or less? That choice may well define the future of the Internet in the 21st century,” they say.

    Image via White House, Twitter

  • Yes, Your Google Hangouts Can Be Wiretapped

    Google encrypts Hangouts conversations in transit, but not end-to-end, so Google itself can read them. That means Google can wiretap your Hangouts at the government’s request.

    That’s one big revelation from a recent reddit AMA with Richard Salgado, Google’s director for law enforcement and information security, and David Lieber, Google’s senior privacy policy counsel.

    The American Civil Liberties Union’s chief technologist Christopher Soghoian asked the Google reps why they’ve made a habit of dodging questions about Hangouts’ encryption, saying,

    “Hi. Google has repeatedly refused to acknowledge whether or not it is capable of wiretapping Hangouts for government agencies. In contrast, Apple’s FaceTime product uses end-to-end encryption and the company says it is not able to wiretap this service. Why has Google refused to be transparent about its ability to provide wiretaps for Hangouts? Given Google’s rather impressive track record regarding surveillance transparency, the total secrecy regarding the company’s surveillance capabilities for this product is quite unusual.”

    Google’s response:

    “There are legal authorities that allow the government to wiretap communications. Google was the first company to disclose the number of wiretap orders it receives issued in criminal investigations. (There were a total of 7 wiretap orders in the first half of 2014, covering 9 accounts, for example). We also report requests made under national security authorities to the extent we are allowed by law. We want to be able to be much more granular about the number and nature of these demands, and think that’s important for people who use Google, policymakers and the public. Hangouts are encrypted in transit, and we’re continuing to extend and strengthen encryption across more services.”

    As reddit user reddit_poly put it, “this means that Hangouts are only encrypted on their way between your computer and Google’s servers. Once they arrive at Google’s end, Google has full access. In short, this is confirmation Google can wiretap Hangouts.”

    Google confirmed all of this to Vice:

    We asked Google to clarify, or elaborate, on Monday, and a spokesperson confirmed that Hangouts doesn’t use end-to-end encryption. That makes it technically possible for Google to wiretap conversations at the request of law enforcement agents, even when you turn on the “off the record” feature, which actually only prevents the chat conversations from appearing in your history—it doesn’t provide extra encryption or security.

    According to Google’s latest Transparency Report, the company received 25 wiretap requests from January 2013 to June 2014. Whether any of those concerned Hangouts specifically was not disclosed.

  • The Messaging Apps You Use the Most Are Woefully Insecure

    It’s likely that every single day, you use a messaging app to communicate with friends and family. It’s also likely that the messaging app you’re using is unequipped to protect your privacy.

    The Electronic Frontier Foundation (EFF) has just released a scorecard featuring 39 messaging apps ranging in popularity from the relatively small Silent Phone and CryptoCat to the ubiquitous iMessage and Facebook Messenger. The scorecard measures the security of each app using seven different criteria.

    The seven questions are: Is your communication encrypted in transit? Is it encrypted with a key the provider doesn’t have access to? Can you independently verify your correspondent’s identity? Are past communications secure if your keys are stolen? Is the code open to independent review? Is the crypto design well-documented? Has there been an independent security audit?

    Spoiler alert – it’s not good. The messaging landscape is woefully insecure.

    In fact, only six applications garnered a perfect score: ChatSecure, CryptoCat, Signal/Redphone, Silent Phone, Silent Text, and TextSecure.

    Every other app failed in at least one of the aforementioned areas.

    “The revelations from Edward Snowden confirm that governments are spying on our digital lives, devouring all communications that aren’t protected by encryption,” said EFF Technology Projects Director Peter Eckersley. “Many new tools claim to protect you, but don’t include critical features like end-to-end encryption or secure deletion. This scorecard gives you the facts you need to choose the right technology to send your message.”

    Out of the most popular apps to be rated, Apple’s iMessage and FaceTime had the best security score (five out of seven).

    Services like AIM, Blackberry Messenger, Secret, and Yahoo Messenger were only able to garner one check mark – for messages being encrypted in transit.

    Popular apps like WhatsApp, Snapchat, Skype, and Facebook Messenger only grabbed two checks.

    “We’re focused on improving the tools that everyday users need to communicate with friends, family members, and colleagues,” said EFF Staff Attorney Nate Cardozo. “We hope the Secure Messaging Scorecard will start a race-to-the-top, spurring innovation in stronger and more usable cryptography.”

    Eckersley told Ars Technica that even a perfect score on the EFF’s scorecard did not mean an app could be recommended without reservation.

    “Getting a perfect score here is more the first step than final victory. We still need usability studies, metadata protection, independently commissioned audits, and other measures of security before we try to get the whole network to switch to one of these options,” he said.

    He went on to say that “good cryptographic design should not cause significant inconvenience.”

    Check out the full report here.
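The distinction the Hangouts item above turns on (“encrypted in transit” versus end-to-end), which the scorecard’s second and fourth questions test, shown as an added Python model rather than anything from the EFF, Google or any of the rated apps. A `Provider` relays messages between two clients and logs whatever it can decrypt. With transport-only encryption the provider holds every key and its log contains plaintext; with an extra layer under a key the two clients share, the log holds only ciphertext. A small hash `ratchet` shows the fourth question (past messages stay secret after a later key theft). The cipher is a toy HMAC-SHA256 keystream written for this model, not a real cipher, and every name here (`Provider`, `seal`, `unseal`, `ratchet`) is the example’s own.

```python
import hashlib
import hmac
import os

# Toy cipher for illustration only: HMAC-SHA256 keystream XORed with the
# plaintext, plus an HMAC tag over nonce and ciphertext. It models who holds
# the key; real traffic needs a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class Provider:
    """The service in the middle. It holds one transport key per client and
    records everything it can read, which is what a wiretap order compels."""

    def __init__(self):
        self.transport_keys = {}
        self.wiretap_log = []

    def register(self, client: str) -> bytes:
        self.transport_keys[client] = os.urandom(32)
        return self.transport_keys[client]

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        inner = unseal(self.transport_keys[sender], blob)    # strip sender's transport layer
        self.wiretap_log.append(inner)                        # whatever is left is visible here
        return seal(self.transport_keys[recipient], inner)   # re-wrap for the recipient


def transport_only_chat(message: bytes):
    """'Encrypted in transit': returns (what Bob reads, what the provider logged)."""
    provider = Provider()
    alice_key, bob_key = provider.register("alice"), provider.register("bob")
    delivered = provider.relay("alice", "bob", seal(alice_key, message))
    return unseal(bob_key, delivered), provider.wiretap_log[0]


def end_to_end_chat(message: bytes):
    """End-to-end: Alice and Bob share a key the provider never sees."""
    provider = Provider()
    alice_key, bob_key = provider.register("alice"), provider.register("bob")
    shared = os.urandom(32)               # agreed between the two clients, never registered
    delivered = provider.relay("alice", "bob", seal(alice_key, seal(shared, message)))
    return unseal(shared, unseal(bob_key, delivered)), provider.wiretap_log[0]


def ratchet(chain_key: bytes):
    """Hash ratchet for the scorecard's fourth question: derive this message's
    key and advance the chain. Because the derivation is one-way and the old
    chain key is discarded, a chain key stolen later cannot be walked back to
    recover earlier message keys."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return message_key, next_chain
```

In `transport_only_chat` the provider’s log equals the message; in `end_to_end_chat` it holds a sealed blob the provider cannot open, and attempting `unseal` with any key other than the shared one raises. That is the whole of the difference between a service that can comply with a wiretap order and one that cannot: not whether encryption is used, but who holds the key.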

    Image via EFF, Secure Messaging Scorecard

  • Yahoo Explains How It’s Making All Its Properties More Secure

    Last fall, Yahoo announced that it would turn on SSL/HTTPS encryption for Yahoo Mail this year, which it did in January. The following month, they added it to Tumblr.

    Yahoo has now posted an update on its ongoing encryption efforts.

    It says that traffic moving between the company’s data centers has been fully encrypted since March 31st.

    In addition to the aforementioned change to Yahoo Mail, in the last month the company enabled encryption of mail in transit between its servers and other mail providers that support SMTP over TLS (STARTTLS).

    The Yahoo Homepage and all search queries that run on it, as well as most other Yahoo properties now have HTTPS encryption enabled by default.

    Yahoo implemented “the latest in security best-practices,” it says. This includes supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for global properties like Homepage, Mail and Digital Magazines. They’re currently working to bring all Yahoo sites up to this standard, the company says.

    Yahoo users can also now initiate an encrypted session for Yahoo News, Yahoo Sports, Yahoo Finance and Good Morning America on Yahoo by typing “https” before the site URL.

    The company says a new, encrypted version of Yahoo Messenger will be deployed in the coming months.

    “One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoo’s hundreds of global properties to make sure that any data that is running on our network is secure,” says Chief Information Security Officer Alex Stamos. “Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem.”

    Yahoo says the goal is to encrypt its entire platform for all users all the time by default. They’ll also be implementing additional security measures like HSTS, Perfect Forward Secrecy, and Certificate Transparency over the coming months.
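The measures Yahoo lists above (TLS 1.2, forward secrecy, HSTS), together with the HTTP-to-HTTPS redirect in the Shopify item earlier on this page, as an added Python example that is not Yahoo’s or Shopify’s code. `hardened_client_context` builds an `ssl` context under that policy and `non_forward_secret_ciphers` audits it; `evaluate_hsts` grades a Strict-Transport-Security header, which matters because a plain redirect still lets a browser’s first request go out over HTTP. The one-year minimum and the cipher string are this example’s own choices, and all function names are the example’s own.

```python
import ssl
from typing import List, Optional

# OpenSSL names of the TLS 1.3 suites; TLS 1.3 always uses ephemeral key exchange.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}

ONE_YEAR = 31536000  # seconds; the max-age the HSTS preload list requires (example's choice)


def has_forward_secrecy(cipher_name: str) -> bool:
    """True when the suite uses ephemeral (EC)DH, so a later theft of the
    server's RSA private key does not decrypt recorded sessions."""
    return cipher_name.startswith(("ECDHE-", "DHE-")) or cipher_name in TLS13_SUITES


def hardened_client_context() -> ssl.SSLContext:
    """Client context matching the policy described above: TLS 1.2 or newer,
    forward-secret AEAD suites only, hostname and chain verification left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def minimum_protocol(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


def non_forward_secret_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that lack forward secrecy (an empty list is the goal)."""
    return [c["name"] for c in ctx.get_ciphers() if not has_forward_secrecy(c["name"])]


def parse_hsts(header: str) -> dict:
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def evaluate_hsts(header: Optional[str], minimum_age: int = ONE_YEAR) -> List[str]:
    """Findings for a Strict-Transport-Security header; an empty list means the
    policy closes the window that a plain 301 redirect leaves open."""
    if header is None:
        return ["no Strict-Transport-Security header: every fresh visit starts "
                "with a plaintext request that can be intercepted or downgraded"]
    findings = []
    directives = parse_hsts(header)
    try:
        max_age = int(directives.get("max-age"))
    except (TypeError, ValueError):
        findings.append("max-age missing or not an integer")
        max_age = 0
    if max_age < minimum_age:
        findings.append(f"max-age={max_age} is below {minimum_age} seconds (one year)")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains remain reachable over HTTP")
    return findings
```

With HSTS in place, the step Yahoo describes above for News, Sports and Finance (typing “https” before the URL) becomes automatic after the first visit: the browser rewrites the request itself for the lifetime of max-age, so no plaintext request is ever sent for an attacker to intercept or redirect.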

    Image via Yahoo

  • Office 365 Message Encryption Is Now Available

    Encryption has been on everyone’s minds since it was revealed that the NSA combs through Internet data going into and out of the U.S. Major Internet companies have moved towards encrypting their users’ data and Microsoft is now doing the same for Office 365 users.

    Microsoft announced this afternoon that Office 365 Message Encryption is now live and rolling out to users. The service lets you send encrypted email messages to anyone from your Office 365 account. To use it, your organization must have licensed Office 365 Enterprise E3 or E4; otherwise, a subscription to Windows Azure Rights Management also provides access.

    According to Microsoft, the new service is based on its previous Exchange Hosted Encryption service and adds a number of capabilities that, in Microsoft’s view, warrant the subscription cost.

    Microsoft’s announcement includes a video explaining how Office 365 Message Encryption works and how to set it up for yourself or your organization.

    If you need more help in setting up Office 365 Message Encryption, you’ll want to check out Microsoft’s documentation. It will cover in detail “the requirements and steps needed to enable Office 365 Message Encryption” on your network.

    Microsoft will also be discussing the new program at the Microsoft Exchange Conference in Austin, TX on March 31.

    Image via Microsoft

  • Yahoo Adds SSL Encryption To Tumblr

    Tumblr announced that users can now enable SSL security. This comes after Yahoo announced late last year that it would encrypt all info that moves between its data centers by the end of the first quarter.

    An opt-in setting is not the same as encrypting all traffic by default, but it’s a start for the massively popular blogging service. The Tumblr staff blog says:

    You can now take extra precaution against hackers and snoops by enabling SSL security on your Tumblr Dashboard. Just head over to your Account Settings and flip the switch.

    “Any reason I shouldn’t do this?” Nope, not really. It doesn’t change anything about the dashboard, it just encrypts your connection to it. We’ve been using it for weeks and haven’t even noticed. So, yeah, turn it on and forget about it. Easy.

    Last month, Yahoo made search encrypted by default, following a similar move for Yahoo Mail.

    Still, Yahoo warning users of a major hacking attempt dominated the related headlines last week.

    Image via Tumblr

  • Yahoo Mail Adds Default HTTPS As Promised

    Yahoo announced back in October that it would turn on SSL/HTTPS encryption for Yahoo Mail by default for all of its users starting on January 8th.

    The company has now announced that it has indeed done so.

    “Yahoo is fully committed to keeping our users safe and secure online,” writes Yahoo SVP of Communication Products Jeff Bonforte in a blog post. “As we promised back in October, we are now automatically encrypting all connections between our users and Yahoo Mail. Anytime you use Yahoo Mail – whether it’s on the web, mobile web, mobile apps, or via IMAP, POP or SMTP- it is 100% encrypted by default and protected with 2,048 bit certificates. This encryption extends to your emails, attachments, contacts, as well as Calendar and Messenger in Mail.”

    “Security is a key focus for us and we’ll continue to enhance our security technology and policies so we can provide a safe and secure experience for our users,” he adds.

    Yahoo Mail has faced a lot of backlash from users in recent months thanks to, at first, big design and functionality changes, and then a major outage debacle.

    Here’s at least one thing that users shouldn’t have much trouble applauding.

    Image via Yahoo