MOUNTAIN VIEW, CALIF. — If you have a choice between reading this and installing a security update, install the update. But it would be even better if the patch allowed you zero say on the matter and instead just updated on its own — without making any noise.
That was a big takeaway of Google security product manager Stephan Somogyi’s talk Friday at Google’s I/O conference here: Automatic software updates work. He also stressed the importance of paying attention to Google’s browser security warnings.
A third big lesson for you, the individual user: If you recycle the same password over and over again, you’re still doing it wrong. Stop. Immediately.
Update all the things!
As evidence for his point about updates, Somogyi highlighted how Google keeps its Chrome browser secure with updates that arrive automatically and demand only a restart of the browser — which will return you to every open page.
“We update about 80% of the user base in the first week” of an update’s release, he said. By the second week, that figure reaches 90%.
Chrome users are more inclined to accept drama-free updates like these: “Users never would have accepted auto updates if we pushed out crashy updates.”
Somogyi said Google used the same strategy with the OnHub wireless router it shipped last year. Unlike most WiFi routers, this device installs firmware updates automatically.
As a result, Google had every single OnHub patched three days after the discovery of a critical vulnerability in a widely used open-source code library.
The situation is not as bright with Android, mainly because of the time it takes device makers and wireless carriers to package and test each update.
Last year, Google switched to shipping security fixes as monthly patches; Somogyi said that operating system “has been making big steps forward” with those regular fixes but offered no numbers.
Google’s latest annual report on Android security is no more informative, although it does offer reassuring details on Google’s success at keeping malware out of the Play Store.
Locking down the web
At last year’s I/O, Somogyi emphasized the need to encrypt connections between sites and users’ computers. And this time he had good news about Google’s work to secure the web against snooping and interference. Since last year, the Alphabet, Inc., subsidiary (GOOG) has switched on encryption across its Blogger blog-hosting service and its AdWords ad network.
The company is now working to cut down on incorrect security warnings that might lead users to ignore real ones. “We know from our research that users get security warning fatigue,” Somogyi said. Surprisingly, an incorrect time on a computer’s clock often causes these faulty warnings.
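The clock problem mentioned above is worth a closer look: a certificate is only checked against the computer’s own idea of the current time, so a clock set to the wrong year makes a perfectly good certificate look “not yet valid” or “expired.” The following example, added here and not taken from the article or from Google’s code, shows how a browser-style check can separate a likely wrong clock from a genuinely bad certificate date; the build timestamp and the five-year plausibility window are constructed assumptions, not Chrome’s real values.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the timestamp a browser build carries; real browsers
# compile this in. Any clock reading earlier than this cannot be correct.
BROWSER_BUILD_TIME = datetime(2016, 4, 1, tzinfo=timezone.utc)
# A clock this far past the build time is treated as implausibly far ahead
# (assumed threshold for illustration; not Chrome's actual value).
MAX_PLAUSIBLE_AGE = timedelta(days=5 * 365)


def _parse(ts):
    """Parse a YYYY-MM-DD date (or full ISO-8601 stamp) as a UTC datetime."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def cert_date_status(not_before, not_after, now):
    """Raw validity-window result: 'valid', 'not_yet_valid' or 'expired'."""
    nb, na, t = _parse(not_before), _parse(not_after), _parse(now)
    if t < nb:
        return "not_yet_valid"
    if t > na:
        return "expired"
    return "valid"


def classify_warning(not_before, not_after, now,
                     build_time=BROWSER_BUILD_TIME, max_age=MAX_PLAUSIBLE_AGE):
    """Separate a likely wrong clock from a genuinely bad certificate date.

    Returns 'ok', 'clock_behind', 'clock_ahead', 'certificate_not_yet_valid'
    or 'certificate_expired'. The clock checks are a heuristic modelled on the
    build-time sanity check browsers perform, not an implementation of Chrome's.
    """
    status = cert_date_status(not_before, not_after, now)
    if status == "valid":
        return "ok"
    t = _parse(now)
    if t < build_time:
        return "clock_behind"   # software cannot predate its own build
    if t > build_time + max_age:
        return "clock_ahead"    # implausibly far in the future
    # The clock looks plausible, so the certificate itself is the problem.
    return "certificate_" + status
```

A warning page that says “your clock is wrong” instead of “this site is dangerous” is exactly the kind of distinction that keeps users from learning to click through every warning.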
Somogyi also discussed another line of defense — the Safe Browsing service he said protects “well over 2 billion devices” from hostile sites. That’s tricky on mobile devices with slow or spotty bandwidth, where the company may leave out lesser offenders to send an optimized subset of the Safe Browsing blacklist: “Every single bit that Safe Browsing sends down to the device needs to matter.”
Last May, Google was barely a year into a campaign to get e-mail services to adopt TLS (Transport Layer Security) encryption of messages in transit across the internet. Google stepped up that effort in March by adding a red open-padlock warning at Gmail’s site to warn users when they’re composing a message to a recipient using a TLS-incompatible mail service.
Somogyi said that yielded a dramatic boost in the number of sites where Google can send TLS-encrypted mail: “Within 45 days, we had jumped by 20%,” to 78% of all outbound Gmail. The figure is now at 83%.
Getting past password pain
So if you accept automatic updates and heed Google’s browser warnings, what else should you do?
“Please. Stop. Reusing. Passwords. Across. Services,” Somogyi intoned. Sticking with that unsafe habit “is the number one most helpful thing you can do for your attackers.”
(While you’re at it: The common practice of changing passwords frequently won’t help you stay safe, despite the common wisdom that it does.)
Somogyi further implored users to adopt not just two-step verification, where you confirm a login that looks unusual with a one-time code sent to your phone, but also “U2F” (“Universal Second Factor”) authentication. That lets you confirm your login by plugging a simple USB fob into your computer.
U2F frees you from the annoyance factor of moving two-step verification apps like Google’s Authenticator from an old phone to a new one (an advantage Somogyi didn’t mention), but these USB keys also cost money.
Somogyi said adoption of U2F is growing but offered no concrete numbers.
While I can attest that I am one of those U2F users, that’s largely because I got two of those keys for free at last year’s I/O. And I’m not Somogyi’s typical user — he needs to protect the people in the world who won’t go out of their way to keep themselves secure online.