WIRED: After 3 Years, Why Gmail’s End-to-End Encryption Is Still Vapor

WIRED: After 3 Years, Why Gmail’s End-to-End Encryption Is Still Vapor. “NEARLY THREE YEARS have passed since Google announced it would offer an end-to-end encryption add-on for Gmail, a potentially massive shift in the privacy options of a piece of software used by more than a billion people. It still hasn’t materialized. And while Google insists its encryption plugin isn’t vaporware, the company’s latest move has left critics with the distinct impression that Gmail’s end-to-end encrypted future looks cloudy at best—if not altogether evaporated.”

PC World: Google’s Collision Shakes Up Computer Cryptography

PC Magazine: Google’s Collision Shakes Up Computer Cryptography. “after years of trying, Google found a way to crack the SHA-1 cryptographic hash function, a security building block that enables digital signatures and HTTPS encryption. Cracking SHA-1 requires creating a cryptographic hash collision, which is essentially when a single hash, or ‘digest’ applies to two different files.”

Washington Post: Here’s why your browser may tell you the White House website isn’t secure

The security certificate for WhiteHouse.gov is apparently invalid at this writing. “Experts told the Post that the messages are appearing because the site’s security certificate — or, very simply put, the thing that verifies that a site is what it says it is — isn’t valid. It appears the White House’s equipment isn’t configured correctly, and the old certificate was revoked or allowed to expire without getting replaced, said Kenneth White of the Open Crypto Audit project, a nonprofit dedicated to improving cybersecurity. There are perhaps hundreds of pieces of equipment and servers that need to be just right to keep the White House site up and running correctly, so it’s easy to miss something, he said.”

Ars Technica: Firefox, Chrome start calling HTTP connections insecure

Ars Technica: Firefox, Chrome start calling HTTP connections insecure. “The non-secure labelling will occur on pages delivered over HTTP that include forms. Specifically, pages that include password fields, and in Chrome, credit card fields, will put warnings in the address bar to explicitly indicate that the connection is not secure.”

TechCrunch: WhatsApp, Signal, and dangerously ignorant journalism

There is a big fight going on over whether or not WhatsApp is really secure and whether it has “backdoors.” Last week I linked to an article on the “yes” side. From TechCrunch, here’s an article on the “no” side. “There is something about encryption that brings out the worst in journalists. Because to most of them it is magic, they are always searching desperately for the proverbial man behind the curtain, without knowing what to look for. Which may explain The Guardian’s recent bizarre attack on WhatsApp, which they accused, wrongly, of having a ‘backdoor.’ And the security community erupted in rage.”

Email Service Lavabit Is Coming Back

Email service Lavabit is relaunching. “In 2013, Ladar Levison, founder of the encrypted email service Lavabit, took the defiant step of shutting down the company’s service rather than comply with a federal law enforcement request that could compromise its customers’ communications. The FBI had sought access to the email account of one of Lavabit’s most prominent users — Edward Snowden. Levison had custody of his service’s SSL encryption key that could help the government obtain Snowden’s password. And though the feds insisted they were only after Snowden’s account, the key would have helped them obtain the credentials for other users as well.”