Skip to content

Google

Google IMAP losing old security protocols this month

Quote

Google’s ongoing elimination of the antediluvian SSLv3 and RC4 protocols is taking another step on June 16.
From that date, Gmail’s IMAP and POP services will join its SMTP services in rejecting connections using those protocols.
Recognising, perhaps, that not everybody’s been paying attention, Mountain View is giving users and sysadmins time to adjust. It may take “longer than 30 days for users to be fully restricted from connecting” using clients that still run those protocols, the company’s announcement states.
However, most clients already support more modern TLS versions.
Beyond the deprecation date, sysadmins will start to see errors if they try running SSLv3 or RC4 in connection, and app developers are likewise warned they need to push out upgrades.
It’s been a year since the IETF put a bolt into the skull of SSLv3, issuing RFC 7568 as a not-so-gentle reminder to the industry.
And as a cipher, RC4 has been a dead duck for years.
So if your favourite mail app tells you “upgrade now”, you might want to ask why they’ve taken so long.

Took long enough!

Chrome trumps all comers in reported vulnerabilities

Quote

More vulnerabilities were discovered in Google Chrome last year than any other piece of core internet software – that’s according to research that also found 2014 clocked record numbers of zero-day flaws.

The Secunia Vulnerability Review 2015 report [PDF] is built on data harvested by the company’s Personal Software Inspector tool residing on “millions” of customer end points, each with an average of 76 installed applications.

It said the Chocolate Factory’s web surfer had more reported vulnerabilities than Oracle Solaris, Gentoo Linux, and Microsoft Internet Explorer which rounded out the top four among the analysed core products. ….Chrome leads the browser pack with 504 reported vulnerabilities followed by Internet Explorer with 289 and Firefox with 171. Some 1035 flaws were reported across all browsers including Opera and Safari, up from 728 in 2013.

Wait, but isn’t Google itself a threat?

Google Malvertising App

Quote

Android apps that should be innocuous are pimping smut by way of slack supervision of their advertising networks, with two app authors complaining to The Register that the root of the problem lies with The Chocolate Factory.

The authors of two popular Sydney public transport apps told us Google’s app monetisation service AdMob is failing to catch disallowed advertisements that should be easy to spot for the world-dominating ad-and-click network.

Malvertising is a rising problem because users are turning to ad blockers as a security precaution, both to protect against malware and to keep material they deem inappropriate out of their eyeballs. The latter outcome is made necessary by ads like those below, which The Register has observed in the Arrivo and TripView public transport timetable apps, both of which are likely to pop up on minors’ phones.

If, as it seems to this untutored eye, the ad got past filters by presenting its text as an image with extra space to defeat character recognition, Google deserves its backside kicked through all the letters of its Alphabet. Twice per letter, once per language.