“Since the key is available to TrustZone, Qualcomm, and OEMs [Original Equipment Manufacturers] could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device,” Beniamini wrote. “This would allow law enforcement to easily brute force the FDE password off the device using the leaked keys.”
Google has added some new sections to their Transparency Reporting site. The most interesting is the new ‘HTTPS on top sites‘ page which shows some interesting details for a list of sites which make up around 25% of all website traffic world wide.
Some heavy hitters in the list which aren’t even trying to serve website content over HTTPS:
Some of the ‘good’ sites which have best practice configuration:
Source: Transparency Report – Google
Google released one of its in-house tools used to help assess vendor security. They have released both the questionnaires and source code on Github (link below). For organisations which have to regularly assess the high level security controls in place for vendors this approach is quite novel, the questionnaire changes based on the responses and (where relevant) displays warnings and security advice to the vendor within the form itself.
Based on this positive response, we’ve decided to open source the VSAQ Framework (Apache License Version 2) and the generally applicable parts of our questionnaires on GitHub: https://github.com/google/vsaq. We hope it will help companies spin up, or further improve their own vendor security programs. We also hope the base questionnaires can serve as a self-assessment tool for security-conscious companies and developers looking to improve their security posture.
The VSAQ Framework comes with four security questionnaire templates that can be used with the VSAQ rendering engine:
Google has posted about its intention to finally disable SSLv3 and the cipher RC4. This is great news as Google is responsible for an insane level of web traffic and to know that the encryption they use to secure all of those transactions will be greater secured is brilliant!
SSLv3 has been obsolete for over 16 years and is so full of known problems that the IETF has decided that it must no longer be used. RC4 is a 28 year old cipher that has done remarkably well, but is now the subject of multiple attacks at security conferences. The IETF has decided that RC4 also warrants a statement that it too must no longer be used.