Google’s Chrome browser isn’t secure

A word of warning when you use the Google Chrome web browser. The browser uses a misleading notification system.

When you see the “Secure” notification in the browser location bar, this means that the connection between the browser and the website you went to is encrypted. But this does not mean that you should fully trust the web site. It isn’t guaranteed that the web site is safe from phishing, malware, etc.

This is [as I said] because the “Secure” notification only means that there is encryption between your computer’s browser and that site. You can encrypt anything.

If the encryption certificate for the site has been revoked, the Chrome browser will still show it as “Secure”. Google knows about the issue but hasn’t corrected it.

In addition, according to year-end reports [2016, 2017], Google’s Chrome browser continues to lead all browsers in vulnerabilities, making it less secure.

[Note: Both links above may be technical for some. The results appear on page 20 for both reviews and the comparison of web browsers is on page 21. As well, they are external links. View at your own risk.]

Some vulnerabilities are more critical than others. But with the Chrome browser picking up users over the past few years, some vulnerabilities have been aimed at the browsers. Others are from sloppy programming.

This doesn’t mean you should stop using the Chrome web browser. More like you should understand that the browser isn’t 100% secure and Google’s claim that it is, is misleading. But no web browser is secure.

Privacy in technology

Even as we close in on 2 years of Windows 10, we still see so-called “journalists” [or bloggers] who continue to fan the flames when it comes to privacy/telemetry settings in Windows. zdnet.com had one this week.

Microsoft has tweaked the settings over the 2 upgrades in Windows 10, and tweaked them again earlier this year [if you bought a new laptop and it had the update].

Even with the tweaking, there have been many third-party tools [such as Safer Networking] that can be used to disable some of this – aside from what Microsoft provides. Some inventive people even wrote scripts to remove some of it.

Note: Some tweaks can actually cause problems as well if you modify them.

And yet, these so-called “journalists” continue to write what is considered mostly a dead issue.

If you are still whining about this privacy/telemetry issue, then I’m not sure if you belong in IT [if you are in that field]. Whining does nothing.

Everything you touch has some privacy/telemetry issues. Your ISP tracks your Internet access. Your carrier tracks your cell usage. If you use a search engine, it’s tracked. You are using an operating system? No matter which one, they are all tracking you.

The question is: do you know how much tracking Google, Apple or others are doing?

Remember when Siri from Apple first came out? Apple stored what you asked [voice recording] plus all your metadata [Apple ID, date, time, IP, etc.] for at least 6 months. After 6 months, they still kept your voice sample [and probably a subset of the metadata] for another 2 years. Apple claimed it was because they needed sample voices to improve Siri’s understanding. You are still being tracked with Siri.

When you visit a web site [that you are registered on], ever get an Email following a visit asking you if you are still interested in what you were looking at or something similar? Staples and Best Buy are among the numerous sites that do that.

So the first thing you do when buying something with an OS is to go into the settings thoroughly – every section – and disable or modify what you don’t want. You then research to see what else can be disabled or modified.

The same goes for web sites that you visit. Go in and turn off or modify what you don’t need.

The other alternative is to dump anything that connects yourself to the internet, the Cloud, etc. [Not even a dumb cell phone.]

 

Warning about Google’s Allo app

Google’s Allo is a new chat app launched today for the iOS and Android platforms. It inserts AI into your conversations and is the equivalent of state surveillance. According to whistleblower/hero/traitor Edward Snowden, it should be avoided.

“Free for download today: Google Mail, Google Maps, and Google Surveillance” is how Snowden tweeted it.

Earlier this summer, when the app was unveiled by Google, Erik Kay, Google’s director of engineering of communications products, said that all messages would only be stored on Google’s servers briefly and not stored permanently. But this will only be true for the “incognito mode”. By default, normal messages will be stored on Google’s servers.

Theoretically the messages can be opened by the police with a warrant or maybe a simple request made to Google for the messages.

Google is claiming that storing conversations helps its servers’ algorithms learn how to be more helpful in conversations [but knowing Google they also may be used for advertisements like when they admit they read your Email electronically to aim relevant ads at you]. Google says that all the participants in the chat will see Google search results in the chat.

“And our [Google’s] approach is simple — your chat history [all or part] is saved for you until you choose to delete it.”

 

A slippery slope between Apple and the FBI

The US government is at odds with Apple. The FBI got a judge in the Federal District Court for the District of Central California to order Apple to bypass security functions on an iPhone 5c used by Syed Rizwan Farook, who was killed by the police along with his wife, Tashfeen Malik, after they attacked Mr. Farook’s co-workers at a holiday gathering in December 2015.

The judge ordered Apple to build special software that would essentially act as a skeleton key capable of unlocking the phone.

But Apple CEO Tim Cook announced Apple’s refusal to comply, citing the need to protect the privacy of its users – even terrorists. [You can’t cherry pick them.] First there will be this issue, then there will be others. When will it stop?

The FBI says that by withholding access to the phone’s information, Apple is hampering the continuing investigation. Police and prosecutors want the companies to build what would be considered a master key that can be used to get around the encryption.

The Justice Department had secured a search warrant for the phone, owned by Mr. Farook’s former employer, the San Bernardino County Department of Public Health.

Blackberry was in the same dilemma but with foreign countries such as Pakistan, which wanted a master key to decrypt any conversation or mail between two parties.

One needs to wonder whether Pakistan would go after solely what they would describe as terrorists or maybe even after those the government considers subversive such as protesters.

The same could apply in this Apple case – but hopefully at least the US government can be a bit more open.

In 2014, Apple and Google announced that they had re-engineered the software that encrypts devices running their operating systems, and as a result could no longer unlock their own products.

[I had this issue with my Android phone about a month ago. Don’t ask me why, but my boot encryption password didn’t work after 2+ years. I had to force a device wipe.]

Not surprisingly, the Republican Presidential nominee is in favor of the master key concept. [Wonder how he would like it if the FBI investigated him and asked for his phone.]

Known treason tech guy, Edward Snowden, has asked why Apple is policing something the FBI should be doing.

This is going down a slippery slope. If Apple is forced to hand the FBI the keys to the castle, when will it stop? Clearly Mr. Farook was a terrorist, but can a warrant be issued to look at the phone of a politician? A celebrity? The person across the street?

If Apple [and Google] are forced to put something in future operating systems, will consumers ignore upgrading to the operating systems that the government can access?

 

Google pulls Chrome Browser support for Windows XP in April

For the fewer and fewer who are still running Windows XP, Google will drop support for the Chrome browser for Windows XP in April [and don’t be surprised if, when Vista retires, Google stops support on the same day as Microsoft].

Those who are using a recent version of the Chrome browser will have noticed by now the bar at the top of the browser window when the Chrome browser is opened.

Right now, the next alternative is Firefox. For now, Mozilla is still supporting Firefox and Windows XP.

This brings me to something which you may already know: support for Windows XP from software companies is dwindling.

Google trying new password system – good luck!

Google is testing a new non-password identification system. Rather than using a password, Google account users will receive a notification on their smartphone which will enable them to log in.

While aiming for improved security, logging in this way could take longer. In addition, users can revert to a regular password setup when there is [for example] no network.

Google’s competitors, Yahoo and Microsoft, have also worked on improving security with various schemes.

For example, in Windows 10, Microsoft added Hello where you will see options for face, fingerprint, or iris if your PC has a fingerprint reader or a camera that supports it. Once you’re set up, you’ll be able to sign in with a quick swipe or glance.

While this is fun and dandy [some will like the modern technology feel of Hello – and think they are tech savvy], many will still use the standard password setup.

What makes things worse is that many users will still log in with the simplest passwords such as 123456 or password.

Some sites have offered two-factor authentication – similar to what Google is testing – but in the end will revert to a simple password because it is faster, easier or less confusing.

Maybe at least these sites should force their users to use a stricter password setup. For example, the Windows domain password restrictions [when fully enforced] make it difficult to use easy passwords.
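As an added example (not from the original post), here is a Python check of the kind a site could enforce, modelled on the Windows domain complexity rules mentioned above. The function names, the eight-character minimum and the small denylist are assumptions made for illustration, and the character categories are simplified to four.

```python
import re

# Constructed denylist for illustration; a real deployment would load a
# large breached-password list instead.
COMMON_PASSWORDS = {"123456", "password", "password1", "qwerty", "letmein"}

def complexity_failures(password, account_name, display_name="", min_length=8):
    """Return the reasons a password is rejected (empty list = accepted).

    Modelled on the Windows "Password must meet complexity requirements"
    rules; min_length stands in for the separate minimum-length setting.
    """
    failures = []
    lowered = password.lower()

    if len(password) < min_length:
        failures.append("too short")

    # Rule 1: characters from at least three of the character categories.
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        failures.append("fewer than 3 character categories")

    # Rule 2: must not contain the account name (checked only if 3+ chars).
    if len(account_name) >= 3 and account_name.lower() in lowered:
        failures.append("contains account name")

    # Rule 3: must not contain any 3+ character token of the display name,
    # split on commas, periods, dashes, underscores, spaces, pound signs, tabs.
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            failures.append("contains part of display name")
            break

    return failures

def is_acceptable(password, account_name, display_name=""):
    """Complexity rules plus a denylist check on the lowercased password."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    return not complexity_failures(password, account_name, display_name)
```

`Password1` satisfies the complexity rules on its own, which is why the denylist step is applied as well.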

My smartphone has the option of unlocking by face or if I am at home [I guess anywhere within a number of feet of my home GPS location I could use my smartphone without using a password]. I was thinking of trying the latter but for some reason, my smartphone thought I lived a block away – so that option went out the window.

Not fixing Android bug affects 930 million users

Recently a security issue came up that is affecting about 60% of Android OS users [or about 930 million users] worldwide.

Google has decided not to fix the WebView bug in Android versions before 4.4 because of the “complexity” in doing so.

A lead engineer for Android security revealed the decision was due to the complexity of applying patches to older branches of WebKit – the browser engine that was used in WebView and Chrome until Google forked WebKit into Blink for Chrome. To start off with, WebKit alone is over five million lines of code and hundreds of developers are adding thousands of new commits every month.

But this is the same company that “stung” both Apple and Microsoft [and probably others] by revealing vulnerabilities before they could be fixed. I am wondering what Google would have replied with if Apple or Microsoft revealed the bug before they did.

That said, Google has already announced that by not fixing this issue, 930 million users will be vulnerable.

For those running older versions of the OS, I wonder if this will speed up the process for those phones to be upgraded to a newer version of the OS. Problem is that it is usually the phone’s carrier that decides when an upgrade can be done because of the carrier’s own tweaking of the OS.

In comparison, with Windows, manufacturers are expected to support the latest service pack, updates, etc. They are also required to keep their own software updated to work with the newer updates.

Google is suggesting that if you have an affected OS, you should not use the built-in web browser but one that is getting updated, like Firefox or Chrome.

If you are stuck at 4.3 or slightly before, complain to your carrier.

Can the built-in browser be disabled or uninstalled?

[My phone is using OS 4.4.2 and still waiting for them to go to either 4.4.3 or 4.4.4 or maybe even 5.0 like some US carriers have done for the same model. But other than a security update last fall, there has been nothing.]