SAN FRANCISCO — Google’s security product manager has a simple definition of success: invisibility.
“This is our desired outcome,” Stephan Somogyi said as a screengrab of a blank browser window appeared beside him: “absolutely nothing.”
At Google’s I/O conference, during a half-hour presentation titled Second annual Google Security update at I/O, Somogyi revealed some news about the state of online security. Surprise: It wasn’t all bad.
Malware and phishing sites
Somogyi led off with an update on the company’s Safe Browsing service. He calls it a “collection of systems that hunt badness across the Net.” It protects visitors to Google’s search site as well as Chrome, Firefox, and Safari users. That reach adds up to a total audience of 1.1 billion people, Google announced in March.
The company’s numbers show that the malware is becoming less of a problem, but phishing sites that fool you into entering passwords for your financial (and other) sites are on the rise. Over the week of May 17, Safe Browsing detected 14,977 malware sites and 33,571 phishing sites — a big drop and a bigger increase, respectively, from the totals a year before, when it found 18,454 malware sites ad 24,864 phishing sites.
Somogyi credited that to better security in the operating systems of our devices. “Platforms, by and large, are becoming more hardened to malware,” he said. Unfortunately, that hasn’t pushed malware authors to get real jobs; instead, they’ve moved to phishing sites and a new class of “unwanted software” that “gets within a hair’s breadth of malware.”
Google had to add a third kind of Safe Browsing warning to tell users when sites push unwanted software, and it can only hope people heed the advice. They haven’t always. As Somogyi said, “The clickthrough rate for warnings is really irritating.” But it’s getting better: An old, red-bordered warning saw 23 percent of its viewers click past it to go to the hostile site, while a new, all-red version only has 9 percent of those warned clicking past.
“Generally speaking, when you see one of these, please do believe us,” Somogyi implored. “We know what we’re doing.”
The push for encryption
Google was an early advocate (at least among giant tech companies) of using encryption to stop others from snooping on people online. When it learned via Edward Snowden’s revelations that the National Security Agency had been eavesdropping on its own traffic, it only accelerated that push.
In his I/O talk, Somogyi expressed frustration about Google’s effort to get other email providers to adopt Transport Layer Security (TLS) encryption, which stops third parties from reading messages while they’re in transit. While the percentage of Gmail messages encrypted on their way to other email systems has risen from 70 percent a year ago to 81 percent, the share of inbound Gmail messages has barely budged, from 58 percent last year to 59 percent today.
“We’re going to reach out to one of the larger companies that sends us email and ask why they’re not using TLS,” Somogyi said. But Google is not ready to resort to public shaming; Somogyi wouldn’t name this company when I asked.
Google is having more success getting websites to use HTTPS encryption to secure users’ visits. One thing that helped: Google’s announcement last August that it would factor in a site’s use of encryption when deciding how to rank it in search results.
“The moment we said that HTTPS was beneficial to search ranking, a whole lot of site-infrastructure people decided that this was something worth working on,” Somogyi said in mock amazement.
Killing off app passwords
Finally, Somogyi had some advice for adopters of Google’s two-step verification, through which you confirm a log-in from an unusual location or machine with a one-time code either sent to your phone or computed by an app on it. From the start, that system has allowed users to generate random “app passwords” for programs or devices that can’t handle those codes — but that fallback option’s time is up, he said.
Instead, Google now lets developers build in two-step support using a log-in technology called OAuth 2.0.
“We want everybody to have no app passwords,” Somogyi said. “If you are a developer and your app relies on app-specific passwords, please stop.”
He pointed to instant-messaging app Adium as a good example of how this feature has been used to make users’ accounts “significantly more secure,” then he noted that Apple added OAuth 2.0 support to iOS 8.3 and OS X 10.10.3.
I know that well, as I switched on that option on this MacBook right after installing the 10.10.3 update. And ever since, OS X has been falsely complaining that I need to update my Google password after waking from sleep. I showed him a screengrab of that error message and asked him if he knew anything about that.
His answer: “I’ve never seen that before.” Turns out it’s just as dismaying to hear this from a security expert as it is from a doctor.