google

A while ago Google announced Project Zero, a team of security researchers whose goal is to find bugs in software so that you, dear user, can use the web and technology securely. They were very up front about how the team would work: they would report the bugs and vulnerabilities they found to the companies or people responsible for maintaining the software. Google would give the developers 90 days to fix the bug and then let the world know about it.

It turns out that Microsoft Windows has a few bugs in it (who knew?). On more than one occasion Google discovered vulnerabilities in Windows. On two of these occasions Microsoft was notified of these vulnerabilities and was “unable” to patch the vulnerability before the 90 days elapsed. I have read many articles about this and I feel like they are almost all completely out to lunch. I won’t even link to them because I feel they are so poorly informed on this topic.
Read Full Article

I was thinking about this question the other day. It SEEMS obvious… I realized that it relates to one of my favourite misconceptions about https or SSL/TLS. Often people get too focused on the encryption aspect of SSL/TLS and not the authenticity and verification properties of it. When Google first announced that Google search was going to be over “https” a few years ago I, like a lot of people, assumed that it was because it was to make your search results private.

Google’s support page, regarding SSL Search, quite correctly points out:

SSL doesn’t always protect:

  • The fact that you visited google.com
  • The search terms that you typed