
Chrome encrypts Gmail whether you want it or not

Posted by Harshad


Posted: 15 Jun 2011 07:37 AM PDT


Google, which has found Gmail to be a target of hacking attempts from China, has modified Chrome so the browser always encrypts connections with the e-mail service.

Google had already changed Gmail to use encryption by default, a mode indicated by the "https" at the beginning of the browser address bar and meaning that outsiders sniffing network traffic can't read your e-mail. People could still reach the unencrypted version by typing "http://gmail.com," but that is no longer possible in Chrome.

"As of Chromium 13, all connections to Gmail will be over HTTPS. This includes the initial navigation even if the user types 'gmail.com' or 'mail.google.com' into the URL bar without an https:// prefix," Google programmers said on a blog post yesterday. They said that approach defends against sslstrip-type attacks, which can be used to hijack browsing sessions.

The technology used to enforce the encryption is called HSTS, which stands for HTTP Strict Transport Security and which lets a browser record that a Web site may only be used over a secure HTTP connection, so that plain "http://" requests to it are upgraded before they are sent. HTTP, or Hypertext Transfer Protocol, is the standard that governs how Web browsers communicate with Web servers to retrieve a Web page.
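As an added illustration (not Chromium's or Google's code), the following shows how an HSTS "known hosts" store makes the decision described above: a constructed preload table stands in for the list compiled into Chromium, entries learned from Strict-Transport-Security headers carry an expiry and the includeSubDomains flag, and a typed http:// URL for a known host is rewritten to https:// before any request leaves the browser. The hostnames and max-age values are assumptions for illustration only.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Entries are (expiry_epoch_seconds, include_subdomains). This preload table is
# a constructed stand-in for the list compiled into Chromium, not a copy of it.
PRELOAD = {"gmail.com": (float("inf"), True), "mail.google.com": (float("inf"), True)}

def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into
    (max_age_seconds, include_subdomains); None if the header is invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None          # duplicate or non-numeric max-age: reject header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True       # unknown directives are ignored

    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self, preload=PRELOAD, now=time.time):
        self.now, self.preload, self.dynamic = now, dict(preload), {}
    def learn(self, host, header_value):
        # Caller must only pass headers seen on an error-free HTTPS response.
        parsed = parse_sts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.dynamic.pop(host.lower(), None)   # max-age=0 means forget the host
        else:
            self.dynamic[host.lower()] = (self.now() + max_age, include_sub)
        return True
    def is_known(self, host):
        # Exact host first, then each parent domain (only with includeSubDomains).
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            for table in (self.preload, self.dynamic):
                entry = table.get(".".join(labels[i:]))
                if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                    return True
        return False
    def upgrade(self, url):
        # Rewrite http:// to https:// for known hosts; explicit port 80 becomes default 443.
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname or ""):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```

Because the preloaded entries never expire and cover subdomains, even the very first navigation to "gmail.com" typed without a scheme is upgraded, which is what defeats an sslstrip-style downgrade on that first request.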

The moves dovetail with Google's attempt to make security a prominent selling point of its browser. By improving Chrome's security, the company stands to benefit directly by making its own services less vulnerable and indirectly by making the Web a safer place for people to spend personal and professional time.

Google is a prominent target. It has disclosed attacks on Gmail that it said appeared to come from China, some in 2009 and more this year. To make such attacks harder, it has added two-factor authentication to Gmail, which requires a code from a person's mobile phone as well as the ordinary password.

Most people don't appreciate the measures Google is taking to secure Chrome and its browser-based operating system, Chrome OS, argued Sundar Pichai, Chrome's senior vice president, in an interview at Google I/O. He pointed to measures such as running plug-ins like Flash and the PDF reader in a sandbox, using a verified boot process in Chrome OS, and encrypting the Chrome OS file system.

Chrome also is the vehicle for other Google ambitions, for example to speed up the Web. Among aspects of that effort are an HTTP improvement called SPDY; a new ability to preload selected search results pages so they display much faster when a person actually clicks on the links; technology called Native Client designed to run Web-app software much faster; and the WebP image format that Google argues is faster than JPEG.

It's not just about making the Web faster and safer, though. When people use Chrome to perform a Google search, the company doesn't have to share any resulting search-ad revenue with other browser makers such as Mozilla.

The HTTPS-only access to Gmail isn't the only security move Google is making.

Google also is trying to ensure that no users of Chrome and Gmail will be vulnerable to a problem that reared its head in March when an affiliate of a New Jersey company called Comodo was hacked, apparently by an Iranian.

Comodo and its affiliate issue digital certificates that browsers use to establish encrypted connections to Web sites, but the attack produced fake encryption certificates for Yahoo, Skype, Google, and Mozilla. The Comodo issue is leading browser makers to rethink certificate technology.

Now, for some sites including Gmail, Chrome accepts only certificates originating from a short list of providers, not from the hundreds available on the global Internet. That list includes Verisign, Google Internet Authority, Equifax, and GeoTrust, according to a blog post by Adam Langley, a Google programmer. He adds that the list is visible in Chrome's source code.

In the longer run, there's another significant security move on the horizon: Google is rebuilding Chrome atop its Native Client technology, gradually making more parts of the browser execute in a more secure "sandbox" whose isolation from other computing resources makes it harder for attackers to take over a computer through a browser-based attack.

That move will begin with Chrome's PDF reader, but it won't be switched on until Google is confident of the technology, Pichai said.

A close cousin of security is privacy, for example in the case where a government might want to see if a dissident has visited a particular Web site. Browser makers are working to extend beyond today's private-browsing modes that don't leave traces on a computer to private-browsing modes that don't leave traces on servers, either.

For example, Chrome, Firefox, and Internet Explorer all are getting a technology to delete local stored objects (LSOs), which in practice means it's harder for Web sites to keep track of users through "evercookies." Standard cookies are text files that can be deleted by browser users, but with Adobe's Flash Player, other plug-ins, and new HTML storage techniques, there are more ways for Web browsers to store that data even when ordinary cookies are deleted.

Evercookies are an overt way to track people. But there are subtler fingerprints a browser leaves behind that can help identify who's using it, as the Electronic Frontier Foundation's Peter Eckersley documented last year in his Panopticlick report (PDF).

Chrome is based on the WebKit browser engine project that's also the foundation of Apple's Safari. Now WebKit engineers are evaluating the idea of "tracking-resistant browsing" that reduces that fingerprint.

One example, described in the WebKit documentation of tracking-resistant browsing, concerns the user-agent string, the text a browser sends a Web server to describe its version number, compatibility, and operating system. Differences between people's user-agent strings mean that each carries enough information to narrow it down to about one in a thousand randomly selected browsers.

Even a thousandth of the total number of Web browsers is a huge number, of course, but there are plenty of other ways to narrow down a search: time zone, installed plug-ins, fonts, screen resolution, and more.

It's not clear yet how much appetite there is for obscuring these fingerprints, though.

"I'm skeptical that doing these things will provide anything more than window dressing, but I certainly don't want to discourage you from trying," said WebKit programmer Adam Barth in a comment. He requested more information: "I'd like to see us make tracking harder... I'd just like us to understand what we're buying and what we're paying for it."

Originally posted at Deep Tech

Lookout integrates 'safe browsing' on Android

Posted: 15 Jun 2011 06:00 AM PDT

Socially engineered threats remain a major security concern on mobile devices, so to help protect its users Lookout Mobile Security (download) has added "safe browsing" to its premium version today at no extra cost. Safe browsing checks links you tap before they load in your device's Web browser to make sure they don't lead to phishing scams or malware.

Safe browsing is not yet widely available on mobile devices, even though malicious Web sites can threaten mobile users as easily as they do people using laptops and desktops. In an interview last week at CNET's San Francisco office, Lookout's Chief Technology Officer Kevin Mahaffey discussed what he thinks are the next big mobile security problems. "The two things we saw coming were drive-by downloads and exploits on Web sites. Since almost all web browsing on mobile is done with Webkit, Webkit exploits will affect almost everybody," he said. Webkit is the rendering engine that powers the default browser on iOS and most mobile browsers including the default on Android, as well as Google Chrome and Apple Safari on the desktop.

Lookout's Safe Browsing shows up as a new option on its main screen. Tapping it only reveals a brief description about the feature because it's designed to be baked right into the main interface, said Anbu Anbalagapandian, a senior software engineer at Lookout. "As Steve Jobs says, it just works," she added.

When you click on a link from within any app, Lookout will detect your browser opening and then check where the link is going to before the page loads. If the Web site is safe, Lookout will show a message stating as much in the notifications window. You won't see it unless you pull down the notifications window immediately after tapping a link.

If a malicious link is detected, Safe Browsing asks you if you'd like to Block the site or Proceed Anyway. In brief testing, Lookout's Safe Browsing successfully blocked the browser from loading five known malicious sites.

To get the update, either install the app and upgrade to the premium version, or update your current installation of Lookout. It is also available during the app's trial period. While adding the feature to Lookout isn't going to change the face of mobile security, safe browsing is absolutely a smart feature to include in any mobile security app.

IE9 bump brings security fixes, new 'About' box

Posted: 15 Jun 2011 03:32 AM PDT

Security enhancements to stop drive-by downloads and a tweak to make "About Internet Explorer" more helpful landed in Internet Explorer 9.0.1 (download) today.

The update fixes seven vulnerabilities in IE9, and takes two steps to make the About box slightly more useful.

Internet Explorer 9.0.1's new About box.

(Credit: Microsoft)

All seven security fixes in this version are marked "critical" because the vulnerabilities could lead to a remote code execution if you go to a malicious Web site designed to target Internet Explorer users.

The changes to the "About Internet Explorer" box, accessible from the Tools menu, call out the latest Internet Explorer update with a link to the related Microsoft knowledge base article. The box also states the version of Internet Explorer more precisely: where in the past it would always read simply "Internet Explorer 8," the box now adds minor version points, such as "9.0.1". These are small changes, although they are useful for encouraging better user control over the browser. Unfortunately, they don't address the functional difference between Internet Explorer's About box and those of other browsers, where users can use the box to check for browser updates.

Microsoft said in a blog post announcing the update that most people will not have to take any action since they have automatic updates enabled. However, Internet Explorer has a different upgrade path than other browsers. To force Internet Explorer to update manually, Microsoft requires users to go through the Windows Update utility. To update to Internet Explorer 9.0.1, open the Start Menu (or Control Panel), click All Programs, click the Windows Update utility, and then run Windows Update.
