Google’s Good Timing: New Encryption Measure Announced Ahead of OpenSSL Bug
First came the Heartbleed bug. Now it’s another minor headache of a bug that developers across the Internet are working to fix.
Another OpenSSL bug has been discovered, but fortunately it’s not on the scale of Heartbleed. However, since the SSL/TLS MITM bug affects encryption, it puts some of users’ data at risk. The bug prevents the “handshake” process of encryption when two servers come in contact and agree to encrypt the data. This interruption prevents encryption. It works on a much smaller scale than Heartbleed, as reported by The Wire, with many web browsers being unaffected by it according to experts.
“The good news is that attacks [exploiting CVE-2014-0224] need a man-in-the-middle position against the victim, and that non-OpenSSL clients (Internet Explorer, Firefox, Chrome on Desktop and iOS, Safari, etc) aren’t affected,” wrote Adam Langley, a senior software engineer at Google (NASDAQ:GOOG) (NASDAQ:GOOGL) on his blog.
While only vulnerable systems are affected, the online community has responded with a flurry of notices, patches, and announcements of new security and encryption measures. Google has a new extension coming out just in time to cover this security hole. It was announced mere days ahead of the alert about the SSL/TLS MITM bug.
Google’s new extension allows users to encrypt messages with a password, so that they can only be decrypted with that password. While it is being sent, the email is supposedly unreadable by anyone other than the sender and recipient, including third parties like hackers or the NSA. Google said in a post that it decided to create the new extension after seeing that 40 to 50 percent of emails sent between Google and other email providers were not properly encrypted.
“For people looking for even stronger email security, end-to-end encryption is a good option — but it’s been hard to use. So today we’re making available the source code for End-to-End, a Chrome extension. It’s currently in testing, and once it’s ready for general use it will make this technology easier for those who choose to use it.”
The new End-to-End extension is exclusive to Google Chrome for now. However, as that’s the world’s top Internet browser, a significant number of people will be protected. In making available the source code, Google is encouraging others to find security holes and other flaws in its product or even to find ways to improve it before the Google Chrome extension is released to the general public.
The new encryption measure also extends an extra confirmation to Gmail users that their private emails will stay private. Google is a member of Reset the Net, an advocacy group that is against the NSA using online weaknesses like the recent OpenSSL bugs to spy online. Other high-profile members include Reddit, Greenpeace, and Mozilla, parent company of Internet browser Firefox. Finding security flaws and developing fixes for this new bug are part of the cause because fixing it makes the online community more secure.