Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Google Updates. Show all posts
Google Updates
Ad Blockers API Chrome Extensions Cyber Security Google Google Chrome Google Chrome security Google Updates

The Impact of Google’s Manifest V3 on Chrome Extensions

 

Google’s Manifest V3 rules have generated a lot of discussion, primarily because users fear it will make ad blockers, such as Ublock Origin, obsolete. This concern stems from the fact that Ublock Origin is heavily used and has been affected by these changes. However, it’s crucial to understand that these new rules don’t outright disable ad blockers, though they may impact some functionality. The purpose of Manifest V3 is to enhance the security and privacy of Chrome extensions. A significant part of this is limiting remote code execution within extensions, a measure meant to prevent malicious activities that could lead to data breaches. 

This stems from incidents like DataSpii, where extensions harvested sensitive user data including tax returns and financial information. Google’s Manifest V3 aims to prevent such vulnerabilities by introducing stricter regulations on the code that can be used within extensions. For developers, this means adapting to new APIs, notably the WebRequest API, which has been altered to restrict certain network activities that extensions used to perform. While these changes are designed to increase user security, they require extension developers to modify how their tools work. Ad blockers like Ublock Origin can still function, but some users may need to manually enable or adjust settings to get them working effectively under Manifest V3. 

Although many users believe that the update is intended to undermine ad blockers—especially since Google’s main revenue comes from ads—the truth is more nuanced. Google maintains that the changes are intended to bolster security, though skepticism remains high. Users are still able to use ad blockers such as Ublock Origin or switch to alternatives like Ublock Lite, which complies with the new regulations. Additionally, users can choose other browsers like Firefox that do not have the same restrictions and can still run extensions under their older, more flexible frameworks. While Manifest V3 introduces hurdles, it doesn’t spell the end for ad blockers. The changes force developers to ensure that their tools follow stricter security protocols, but this could ultimately lead to safer browsing experiences. 

If some extensions stop working, alternatives or updates are available to address the gaps. For now, users can continue to enjoy ad-free browsing with the right tools and settings, though they should remain vigilant in managing and updating their extensions. To further protect themselves, users are advised to explore additional options such as using privacy-focused extensions like Privacy Badger or Ghostery. For more tech-savvy individuals, setting up hardware-based ad-blocking solutions like Pi-Hole can offer more comprehensive protection. A virtual private network (VPN) with built-in ad-blocking capabilities is another effective solution. Ultimately, while Manifest V3 may introduce limitations, it’s far from the end of ad-blocking extensions. 

Developers are adapting, and users still have a variety of tools to block intrusive ads and enhance their browsing experience. Keeping ad blockers up to date and understanding how to manage extensions is key to ensuring a smooth transition into Google’s new extension framework.
Read more »
Online Privacy
alternative messaging apps Cyber Security E2EE Google Google Security Tools Google Updates ISP MLS providers Online Privacy

Google Backs Messaging Layer Security for Enhanced Privacy and Interoperability

 

In 2023, Google pledged its support for Messaging Layer Security (MLS), a protocol designed to provide practical interoperability across various messaging services while scaling efficiently to accommodate large groups. This move marks a significant step towards enhancing security and privacy across platforms. Although Google has not officially announced the timeline for adopting MLS, references to the standard have been found in a recent Google Messages build, suggesting that its implementation might be on the horizon. 

To appreciate the significance of MLS, it is essential to understand the basics of end-to-end encryption (E2EE). E2EE ensures secure communication by preventing unauthorized entities, such as hackers and internet service providers (ISPs), from accessing data. In asymmetric or public key encryption, both parties possess a public and a private key. The public key is available to anyone and is used to encrypt messages, while the private key, which is much harder to crack, is used to decrypt them. 

Despite its advantages in providing privacy, security, and data integrity, E2EE has its shortcomings. If security is compromised at either the sender’s or receiver’s end, malicious actors can intercept the public key, allowing them to eavesdrop on conversations or impersonate one of the parties. Additionally, E2EE does not conceal metadata, which can be exploited to gather information about the communication. Messaging Layer Security (MLS) is a standard proposed by the Internet Engineering Task Force (IETF) that offers enhanced security for communication groups, ranging from small to large sizes. 
While popular messaging services typically use E2EE for one-on-one chats, group chats present a unique challenge. MLS addresses this by using sender keys over secure channels to provide forward secrecy, meaning that the theft of a single key does not compromise the rest of the data. The protocol is based on asynchronous ratcheting trees (ART), which enable group members to derive and update shared keys. This tree structure approach ensures forward secrecy, post-compromise security, scalability, and message integrity, even as group sizes increase.  

Google Messages, the default messaging app on most Android phones, currently uses Rich Communication Services (RCS) to offer features like encrypted chats, read receipts, high-resolution media sharing, typing indicators, and emoji reactions. Although the Universal Profile version used by Google Messages does not support E2EE, it uses the Signal Protocol as a workaround for security. Recent APK teardowns of Google Messages have revealed code snippets mentioning MLS, hinting that Google might incorporate this feature in future updates. 

If MLS becomes the default security layer in Google Messages, it will significantly enhance the app’s security and interoperability. Google’s adoption of MLS could set a precedent for other messaging services, promoting better interoperability and security across communication apps. This move might also influence how Apple integrates RCS in iOS. With iOS 18 set to support the RCS Universal Profile 2.4 for messaging without E2EE, Apple may need to consider adopting MLS to stay competitive in offering secure communication. 

As Google prepares to implement MLS, we can expect a push towards standardizing communication protocols. Google Messages already offers features like auto spam detection, photomojis, and cross-device compatibility, making it a robust choice for staying connected. Should MLS be integrated, users can look forward to even more secure and private messaging experiences.
Read more »
Vulnerability and Exploits
Android Bugs Google Google Updates Vulnerability and Exploits

Google Fixes Critical Vulnerabilities Affecting Android Devices

Earlier this week, Google announced that the new Android patches fixed a total of "40" vulnerabilities, various were "critical" rated. The most critical vulnerabilities addressed in the June 2022 security updates, according to Google, affect the system components and could cause remote code execution (RCE). Known as CVE-2022-20127, the flaw affects Android versions 10,11,12, and 12L. As per Google advisory, the most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. 

"Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device/partner security bulletins are not required for declaring a security patch level" says Google Advisory. Besides this, two more critical-severe vulnerabilities were patched into the system with Android updates, both of these vulnerabilities could lead to elevation of privilege. 

Known as CVE-2022-20140, the first vulnerability affects Android 12 and Android 12L. The second vulnerability, CVE-2022-20145, affects Android 11. In June another severe critical flaw fixed in Android was discovered in the Media framework. 

Known as CVE-2022-20130, it might cause RCE on systems using Android 10 and forthcoming. These four vulnerabilities were patched as a part of the 2022-06-01 security patch level, it also consists of 5 security flaws in Framework, and 13 more vulnerabilities in the device component, all these bugs are rated "high severity." 

If these issues are exploited successfully, it may lead to information disclosure, the elevation of privilege, or Denial of Service (DoS). "Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available" says Google Advisory.

Read more »
Subscribe to: Posts (Atom)