Is this *another* attempt to smother me in Gmail shit?
If so, please, please, please
Fuck
Right
Off
A new feature in Google's Chrome browser will warn you if your username and password matches a known combination in a security breach every time you type credentials into any website. This credential check is "gradually rolling out for everyone signed into Chrome" as part of the Safe Browsing option, according to the …
as it did into bot-scouring forums to drive downvotes, they'd rule the world ....
To the PP - you need to rewrite your grumble so it uses loads of positive words, while still saying what a steaming pile o'shite it is being dragooned into Google's "Gmail everywhere" programme.
I wholeheartedly agree. However, I don't know of a reliable external email system that hasn't recently gained the desire to have your mobile number for verification (verification, I say. Not advertising or data selling. Stop questioning us, you puny end-user). My main email is through my own mailserver, but I need an external email which runs the accounts for the domain name and mailserver, so if there's a good one out there that isn't likely to start demanding extra details, I'd like to identify it.
get a free pay-as-you-go-sim, enable it, but don't put credit on it.
bingo.
Careful now,
A certain mobile phone company I've been barely using for at least a decade with little to no hassle from their end has now begun spamming me with warnings that I'm not using it enough and am at risk of losing my number.
Ever since they were bought by a bastion of British telefoolery.
It's just for registering, then you can bin it.
You can't.
Every now and then, the device and IP number you've been using several times a day, every day, for the last 10 years, will be deemed by "google" to be new and previously unused. They will decide you cannot be logged in till you can verify your account, and to do that they need to send you a text.
(Now, if your phone gets a number of verification texts every day, will that count as sufficient use?)
Here it's typically a year (last I looked), however any unused pre-pay credit could be stolen in as little as a month (think that brand changed that a while back).
Sadly gone are the days when you could buy a cheap phone, stick $5 credit on it, and wire it into your car's alarm system to send you an alert/phone you when the alarm was triggered. Well, you still can, but you need to add credit every now and then.
Over here they don't care if you use the credit to make calls, as it "disappears" after a while, so then your credit is almost all profit.
IIRC there was at least one telco that counted incoming stuff as 'use' and reset their counter to the last inbound/outbound text or call.
So... what happens when Google's master key gets compromised?
Encryption is all very well but wouldn't a one-way hash of an encryption be better? Although that could be cracked if you know the hashing algorithm and want to spend some time cracking them...
The problem is that if they're stored there is a weakest point. There's always a weakest point.
The only verifiably 100% guaranteed way to avoid the credentials leaking is not to store them, unfortunately.
The approach they claim to use wouldn't work most of the time. While it works fine if the passwords were originally in plain text, it doesn't work if the hashes were salted at all or used a hashing algorithm other than the one Google's decided upon. Chrome wouldn't know the salt or algorithm to use, meaning the sent data wouldn't be matchable to whatever is in the database. Google has a lot of employees intelligent enough to understand this. Logically, they considered it. My guess is that they made the system work and now are being a little evasive in explaining exactly how it works.
My guess is that they made the system work and now are being a little evasive in explaining exactly how it works.
Pops a query over to haveibeenpawned.com (or whatever that site is) and asks 'on your behalf'?
All unsuccessful queries fully logged for future use of course. I mean so that if it gets detected in future they can warn you early, honest!
That is assuming that the system is working as specified publicly and not doing something else entirely. How could we know?
There's one way I know it couldn't be used in a malicious way...
<clickey>d e l c h r o m e . e x e<clickey>
(or in my case, never installed)
Since it sends back a set of credentials matching the hash prefix, the matching of the full credentials hashes can happen locally without ever sending the actual credentials to Google, encrypted or not.
So the real question is: why Google wants the credentials on its side??
Since it sends back a set of credentials matching the hash prefix, the matching of the full credentials hashes can happen locally without ever sending the actual credentials to Google, encrypted or not. So the real question is: why Google wants the credentials on its side??
I don't think you understand (or I misunderstand your point).
You don't send your credentials for Google to later send back the set of hashes that match the prefix to do the check on your local computer.
The credentials that Google has are those that have been compromised already. It doesn't get them from you, it gets them from published hacks (scraped from the dark web marketplaces that sell them, or more likely from security researchers who find them on the dark web and publish them).
Therefore, if in the hashes Google sends back there is a match, it means that those credentials are already out in the wild and in the possession of miscreants.
You don't send your credentials
Yes you do, that's even the first part of the process: "When you type in your credentials, the browser sends a hashed and encrypted copy of the credentials to Google". OK they're encrypted with your own local key, so Google shouldn't be able to read them, but as the OP pointed, why not just send the hash prefix and do the comparison on the hashes only?
Interesting, re-reading it you are right:
2. When you type in your credentials, the browser sends a hashed and encrypted copy of the credentials to Google, where the key used for encryption is private to the user. In addition, it sends a "hash prefix" of the account details, not the full details.
3. Google searches the breach database for all credentials matching the hash prefix and sends the results back to the browser. These are encrypted with a key known only to Google. In addition, Google encrypts your credentials with this same key – so it is now doubly encrypted.
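The hash-prefix plus double-encryption exchange in the quoted steps 2 and 3, as an added Python sketch that is not Chrome's or Google's code: a toy prime-order group (modular exponentiation) stands in for the elliptic-curve group the real protocol uses, and the credential canonicalisation, prefix length and breach entries are constructed assumptions. It shows why the server can return the whole prefix bucket and still never learn the credential: the client strips its own key and does the final comparison locally.

```python
import hashlib
import math
import secrets

# Toy group for the commutative blinding: the Mersenne prime 2^127 - 1 (constructed
# for this demo; the real Chrome protocol uses an elliptic-curve group instead).
P = 2**127 - 1
PREFIX_BITS = 16  # how much of the credential hash the client reveals in the clear

def cred_hash(username: str, password: str) -> int:
    # Assumed canonicalisation: lower-case the username, hash "user:password".
    digest = hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P

def hash_prefix(h: int) -> int:
    # The short prefix sent in the clear; many credentials share each prefix.
    return h >> (P.bit_length() - PREFIX_BITS)

def random_exponent() -> int:
    # Secret blinding exponent, invertible modulo the group order P - 1.
    while True:
        e = secrets.randbelow(P - 1)
        if e > 1 and math.gcd(e, P - 1) == 1:
            return e

class BreachServer:
    # Holds leaked credential hashes bucketed by prefix; never sees h itself.
    def __init__(self, leaked_hashes):
        self.b = random_exponent()  # key known only to the server
        self.buckets = {}
        for h in leaked_hashes:
            self.buckets.setdefault(hash_prefix(h), []).append(h)

    def query(self, prefix: int, blinded: int):
        # Step 3: encrypt the client's blinded value with b (now doubly blinded)
        # and return every leaked hash in the bucket, also encrypted with b.
        doubly = pow(blinded, self.b, P)
        candidates = [pow(h, self.b, P) for h in self.buckets.get(prefix, [])]
        return doubly, candidates

def is_leaked(server: BreachServer, username: str, password: str) -> bool:
    # Client side: blind h with a private key a, strip a afterwards, compare locally.
    h = cred_hash(username, password)
    a = random_exponent()  # Step 2: key private to the user
    doubly, candidates = server.query(hash_prefix(h), pow(h, a, P))
    # ((h^a)^b)^(a^-1 mod P-1) == h^b, so the match test needs neither h nor b.
    server_only = pow(doubly, pow(a, -1, P - 1), P)
    return server_only in set(candidates)
```

A prefix collision with a non-leaked credential is harmless: the candidate list is compared on the full blinded hash, and exponentiation by b is a bijection on the group, so only an exact match succeeds.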
What seems even weirder is why does google encrypt the already known compromised credentials? I mean, the whole point of Google having them in its database is because they are already compromised and in the wild, so why would you encrypt that (beyond TLS for when sending/receiving via HTTPS)?
Just because the compromised credentials are already in the wild doesn't mean Google shouldn't keep their own copy secure. A leak doesn't give you the right to do whatever you like with private data. What would we say if Google published a few credentials on their homepage every day?
The Firefox "Logins & Passwords" item has had a rather nice revamp recently.
It gives the following warning:
Passwords were leaked or stolen from this web site since you last updated your login details. Change your password to protect your account. Learn more about this breach
in a nice yellow box.
I would rather not be logged in to google, ever, than gain the benefits of their password breach notifications.
Good feature for those that are happy for Google to hoover up all their personal data though!
Hashing and only sending part of the hash is probably the best way they could have done it for speed and security reasons. Saying that, those pesky 3 letter agencies probably have some way to abuse the limited data sent anyway.
"sending your credentials to Google for checking could itself be a security risk" I feel "is" is more accurate than "could"
"The idea is that your credentials are never sent to Google in a form it can read" yeah, I gotta call bologna on that.
Dal90 has it right. Governments won't need to hack you, or ask you, or get a subpoena, if they already have access to your credentials with a simple request to the goog.
Chromium is nice, as long as you remember to log out of every Google service after use (true of all browsers, of course.) I still sometimes go for Firefox, partly for nostalgic reasons (I remember Gecko as a bare HTML renderer, address bar, fwd / back / reload and nothing else. GOD I felt smug to be using it...)
Chromium is nice, as long as you remember to log out of every Google service after use (true of all browsers, of course.)
"The trick is not to try and bend the spoon - that would be impossible. The trick is to realise, there is no spoon".
(or in this case, no point in logging out of google's slurpware, better never to log in in the first place (and also realise, there is no service, but you are getting 'serviced' and there sure is a load of bull involved!))