Thursday, June 4, 2015
Google’s Security News: Malware’s Down, and You’re Heeding More of Its Warnings
SAN FRANCISCO — Google’s security product manager has a simple definition of success: invisibility.
“This is our desired outcome,” Stephan Somogyi said as a screengrab of a blank browser window appeared beside him: “absolutely nothing.”
At Google’s I/O conference, during a half-hour presentation titled Second annual Google Security update at I/O, Somogyi revealed some news about the state of online security. Surprise: It wasn’t all bad.
Somogyi led off with an update on the company’s Safe Browsing service. He calls it a “collection of systems that hunt badness across the Net.” It protects visitors to Google’s search site as well as Chrome, Firefox, and Safari users. That reach adds up to a total audience of 1.1 billion people, Google announced in March.
The company’s numbers show that the malware is becoming less of a problem, but phishing sites that fool you into entering passwords for your financial (and other) sites are on the rise. Over the week of May 17, Safe Browsing detected 14,977 malware sites and 33,571 phishing sites — a big drop and a bigger increase, respectively, from the totals a year before, when it found 18,454 malware sites ad 24,864 phishing sites.
Somogyi credited that to better security in the operating systems of our devices. “Platforms, by and large, are becoming more hardened to malware,” he said. Unfortunately, that hasn’t pushed malware authors to get real jobs; instead, they’ve moved to phishing sites and a new class of “unwanted software” that “gets within a hair’s breadth of malware.”
Google had to add a third kind of Safe Browsing warning to tell users when sites push unwanted software, and it can only hope people heed the advice. They haven’t always. As Somogyi said, “The clickthrough rate for warnings is really irritating.” But it’s getting better: An old, red-bordered warning saw 23 percent of its viewers click past it to go to the hostile site, while a new, all-red version only has 9 percent of those warned clicking past.
“Generally speaking, when you see one of these, please do believe us,” Somogyi implored. “We know what we’re doing.”
Google was an early advocate (at least among giant tech companies) of using encryption to stop others from snooping on people online. When it learned via Edward Snowden’s revelations that the National Security Agency had been eavesdropping on its own traffic, it only accelerated that push.
In his I/O talk, Somogyi expressed frustration about Google’s effort to get other email providers to adopt Transport Layer Security (TLS) encryption, which stops third parties from reading messages while they’re in transit. While the percentage of Gmail messages encrypted on their way to other email systems has risen from 70 percent a year ago to 81 percent, the share of inbound Gmail messages has barely budged, from 58 percent last year to 59 percent today.
“We’re going to reach out to one of the larger companies that sends us email and ask why they’re not using TLS,” Somogyi said. But Google is not ready to resort to public shaming; Somogyi wouldn’t name this company when I asked.
Google is having more success getting websites to use HTTPS encryption to secure users’ visits. One thing that helped: Google’s announcement last August that it would factor in a site’s use of encryption when deciding how to rank it in search results.
