
Google boosts HTTPS, Certificate Transparency to encrypt Web

Roundup: Google pushes efforts on HTTPS, Certificate Transparency and more to safeguard the Web with encryption, while other tech firms are eyeing more, stronger encryption.

Google continued its push this week to securely encrypt all Web traffic, going all-out for HTTPS and transparency, as it announced the expansion of its Transparency Report project, along with the release of new tools and resources.

New sections of the report include a page where Google HTTPS efforts can be tracked, as well as a Certificate Transparency log viewer. Google also now reports on HTTPS use by leading websites, listing the top sites that run modern HTTPS by default, those that support modern HTTPS but not by default, and other top sites that have not yet updated to HTTPS.

"Google has been working hard toward our objective of achieving 100% encryption across our products and services," the company wrote, while touting its HTTPS deployment. According to company statistics, as of Feb. 27, 2016, 77% of all requests to Google servers were encrypted.

Google's Gmail service has been encrypting 100% of Gmail connections with HTTPS since 2014, but other services -- such as Google Advertising, Finance, News and Maps -- have lagged behind. Google HTTPS efforts have run into technical obstacles, such as older technology that doesn't support modern encryption, or "political challenges," such as countries that block or degrade HTTPS traffic, according to the company. As of Feb. 27, 58% of Google Finance connections were encrypted with HTTPS; other services did better, with 77% of Advertising connections and 83% of Maps connections being encrypted. The search giant stated that it continues "to work through the technical barriers that make it more difficult to support encryption on some of our products."

The Certificate Transparency log viewer offers users a way to look up all of the digital certificates in public Certificate Transparency logs that have been issued for a given hostname, including expired certificates and certificates for subdomains of a hostname. Certificate Transparency provides a way for certificate authorities to publicly declare certificates they have generated legitimately. Using the logs, it is possible to determine whether an attacker has been issued a certificate for a domain not under the attacker's control, as well as to determine when a CA has been subverted.
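The kind of review a domain owner can run over the results of such a lookup, as an added example that is not part of the original article or of Google's tooling. The records, field names, issuer names and the example.test domain are constructed, and the expected-issuer allowlist is an assumption about how the owner tracks the CAs it uses.

```python
from datetime import datetime, timezone

# Constructed sample records shaped like the result of a CT log search for a
# hostname: SAN dNSNames, issuer and validity window. None of these are real.
SAMPLE_ENTRIES = [
    {"sans": ["example.test", "www.example.test"], "issuer": "Expected CA 1",
     "not_before": "2016-01-10", "not_after": "2017-01-10"},
    {"sans": ["*.example.test"], "issuer": "Expected CA 1",
     "not_before": "2014-03-01", "not_after": "2015-03-01"},
    {"sans": ["login.example.test"], "issuer": "Unrecognized CA",
     "not_before": "2016-02-20", "not_after": "2016-05-20"},
    {"sans": ["notexample.test"], "issuer": "Unrecognized CA",
     "not_before": "2016-02-01", "not_after": "2017-02-01"},
]

def covers(san, domain):
    """True if a SAN names the domain or any subdomain of it."""
    san, domain = san.lower().rstrip("."), domain.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]  # a wildcard is filed under its parent name
    # Compare on a label boundary so notexample.test does not match example.test.
    return san == domain or san.endswith("." + domain)

def review(entries, domain, expected_issuers, now):
    """Return one finding per logged certificate that names the domain."""
    findings = []
    for e in entries:
        names = [s for s in e["sans"] if covers(s, domain)]
        if not names:
            continue
        expires = datetime.strptime(e["not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        findings.append({
            "names": names,
            "issuer": e["issuer"],
            "expired": expires < now,  # expired certificates stay in the log
            # An issuer the domain owner never used is what warrants follow-up.
            "unexpected_issuer": e["issuer"] not in expected_issuers,
        })
    return findings

def unexpected(findings):
    """Findings whose issuer is outside the owner's allowlist."""
    return [f for f in findings if f["unexpected_issuer"]]

if __name__ == "__main__":
    now = datetime(2016, 3, 18, tzinfo=timezone.utc)
    for f in review(SAMPLE_ENTRIES, "example.test", {"Expected CA 1"}, now):
        print(f)
```

A flagged entry is a prompt to check with the issuing CA and the domain's own issuance records, since an unfamiliar issuer can also be a legitimate certificate ordered by another team.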

The goal of Certificate Transparency is to mitigate flaws in the structure of the SSL certificate system that can "facilitate a wide range of security attacks, such as website spoofing, server impersonation and man-in-the-middle attacks," according to the Certificate Transparency project.

Certificate Transparency got a boost last year when Symantec was caught improperly generating digital certificates; Google subsequently imposed sanctions on Symantec for the breach of protocol.

Google's Transparency Report project aims to offer access to data "that sheds light on how laws and policies affect Internet users and the flow of information online," including statistics on requests to remove content by copyright holders or governments, requests for information about users from governments, European privacy search removal requests and more.

WhatsApp to beef up encryption

As the legal wrangling between Apple and the FBI continues over unlocking an iPhone used by the gunman in the San Bernardino, Calif., shootings last year, speculation is rife over whether other providers of encrypted communications may be next in the FBI's sights in the ongoing "going dark" debate, and which providers they might be.

Investigators in a continuing criminal investigation hit a wall in trying to get access to communications encrypted by WhatsApp, according to The New York Times. In the last year, the messaging app service, owned by Facebook, began adding end-to-end encryption to its text services, which made them inaccessible to investigators -- even when armed with a judge's wiretap order. While those involved with the case were unable to comment publicly, there was speculation it might precipitate another legal contest over encryption, as well as the prospect of revising decades-old wiretap laws.

The Guardian, meanwhile, reported this week that WhatsApp would soon be adding encryption to its voice calling and group messaging services, and other tech firms, including Google and Snapchat, have been firming up encryption of their services in what may be a display of solidarity with Apple.

TeslaCrypt ransomware encryption strengthened

Researchers at Cisco's threat intelligence unit, Talos, reported this week on a new update to the TeslaCrypt ransomware that fixed a vulnerability in the malware that had given victims a way to recover their files without paying ransom to the attackers.

Malware developers working on TeslaCrypt have apparently taken the vulnerability reports to heart and produced a new version, dubbed TeslaCrypt 3.0.1.

"The former variant had a weakness in its way to store the encryption key, which enabled researchers to provide a tool for decryption of the files encrypted by TeslaCrypt," Talos researchers Andrea Allievi and Holger Unterbrink wrote. "Unfortunately, so far, we are not aware of any tool [that] can do the same for this variant of TeslaCrypt."

In other news

  • AceDeceiver, an iOS Trojan that exploits flaws in Apple's digital rights management software, FairPlay, to infect any iOS device, was reported this week by security firm Palo Alto Networks, based in Santa Clara, Calif. "AceDeceiver manages to install itself without any enterprise certificate at all," wrote Claud Xiao, security researcher at Palo Alto Networks. "It does so by exploiting design flaws in Apple's DRM mechanism." AceDeceiver also works on nonjailbroken phones. "Three different iOS apps in the AceDeceiver family were uploaded to the official App Store between July 2015 and February 2016, and all of them claimed to be wallpaper apps. These apps successfully bypassed Apple's code review at least seven times." And even though Apple has already removed the offending apps, "the attack is still viable, because the FairPlay [man-in-the-middle] attack only requires these apps to have been available in the App Store once. As long as an attacker could get a copy of authorization from Apple, the attack doesn't require current App Store availability to spread those apps."
  • Millions of U.S. visitors to major mainstream sites hosted by BBC, NFL, AOL, MSN, New York Times and others last weekend were exposed to a "massive" malvertising campaign, according to Joseph Chen, fraud researcher at Los Angeles security firm Trend Micro. The malicious ads enable delivery of the Angler exploit kit. Chen wrote on Monday morning that the attack "may have affected tens of thousands of users in the last 24 hours alone." The next day, "out of the blue on the weekend, we witnessed a huge spike in malicious activity," reported Jérôme Segura, senior security researcher at San Jose, Calif., security firm Malwarebytes, noting that the Web publishers carrying the malvertising included high-profile publishers. "Users and organizations are advised to make sure that their applications and systems are up-to-date with the latest security patches; Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silverlight, among others," Chen wrote.
  • Cyberthreat data is already being shared under the Cybersecurity Information Sharing Act of 2015 (CISA) legislation enacted earlier this year, according to the Associated Press. Approximately six organizations have signed up for the program, according to Andy Ozment, the assistant cybersecurity secretary at the U.S. Department of Homeland Security; records of organizations participating in the program are exempt from disclosure under the Freedom of Information Act. Meanwhile, DHS released a report this week that revealed risks to privacy under the Automated Indicator Sharing initiative, the mechanism being developed to enable cyberthreat sharing under CISA. The report, titled Privacy Impact Assessment for the Automated Indicator Sharing (AIS), indicates that there are "some" privacy risks in the system. For example, the report stated: "There is a risk that DHS will not provide notice to individuals whose personal information is directly related to the cybersecurity threat submitted to DHS." The department also said that it's "not possible to fully mitigate this risk" at this time. Other risks are considered mitigated by the imposition of "the Privacy and Civil Liberties Guidelines as required under CISA" for federal users of the system and for "nonfederal entity users of AIS cyberthreat indicators are required to abide by the Terms of Use of AIS."
