How to Send Self Destructing Emails from Gmail

Google’s Gmail Confidential Mode lets an email sender set a message to automatically expire anywhere from 24 hours to five years after it is sent.


Remember the Hollywood movie series Mission Impossible (MI), in which the agent received his assignments through self-destructing messages that usually detonated themselves.

Confidential mode in Gmail adds access restrictions to the emails you send using the mode. Designed to protect sensitive information, it lets you set time limits and passcodes. The mode also automatically blocks certain actions: forwarding, copying and pasting, downloading, and printing of the email.

These disappearing emails may not actually detonate, but they do vanish after a set amount of time. The tool is part of Google’s efforts to beef up privacy and cybersecurity for Gmail users. It will be available to corporate accounts as well as personal Gmail account holders; you can enable it and use it right away.

Here’s how.

Open Gmail on your computer and click the compose/reply button.

Now select the icon at the bottom of the compose window. It’s a tiny lock with a clock on it.


A click on the icon opens the confidential mode configuration overlay which gives you two options:

  1. Set an expiration date for the email. Available options are 1 day, 1 week, 1 month, 3 months and 5 years. The expiration date is displayed next to the selection menu so that you know immediately when the email expires.
  2. Enable the SMS passcode. Recipients need a mobile phone for that: Google sends them a passcode by text message, which they need to unlock the email.


No SMS passcode – if the recipients don’t use Gmail, they’ll get a passcode by email.

SMS passcode – Recipients will get a passcode by SMS (text message).


Gmail highlights confidential mode by adding a “content expires” message to the email. You can edit the requirement or click on the x-icon to remove it again before you hit the send button.


What happens when you hit send? If you selected the passcode option, you are asked to type the phone number of the recipient.


That’s it. The email will now automatically delete itself when the self-destruction period you set ends. Recipients can open the email until then; the clock starts when you send it, not when they open it.

Also, if you want to revoke access sooner, you can do that by opening Gmail, selecting “Sent,” opening the confidential email you just sent and then selecting “remove access.”

The email that the recipient receives does not contain the message. Google uses the subject you chose and shows the sender of the email, but instead of displaying the content, it informs the recipient that they have received a confidential email, which can only be opened by following a link.


In other words: Google sends you a notification by email that a confidential email was sent to you and that you may click on the link to open it.


But, before you start emailing friends the juicy details of your diary, there are a few important limits on confidential emails you might want to keep in mind. Expired emails may fade away from recipients’ inboxes, but they’ll still show up in your “Sent” folder if you don’t manually delete them. Keep in mind as well that macOS and Windows both allow the taking and saving of screenshots of anything that appears on a screen. It’s also not clear how long the messages stay on Google’s servers.

There is another issue that needs to be addressed. Recipients get an email with a link asking them to click on it, and even to sign in to a Google account if they are not already signed in, in order to view the message. If that does not sound a lot like phishing, I don’t know what does.

Recipients may not want to click on the links. Ironically, attackers who use phishing as an attack vector may exploit the new functionality to steal user credentials.

Closing Words

Gmail’s Confidential mode feature is not the right option when you need to send confidential messages to others. Email is not the right format for confidential messages unless you use Pretty Good Privacy (PGP) or another secure form of communication.


Source: computer.howstuffworks, ghacks, cnbc, downloadsource


World Kindness Day

World Kindness Day is an international observance on 13 November. It was introduced in 1998 by the World Kindness Movement, a coalition of nations’ kindness NGOs.

During the 1999 World Kindness Movement conference in Tokyo, the cosmos bipinnatus was adopted as the official flower for the organization.


“Kindness is a universal language.”

I know, I know, every day should be World Kindness Day. But the reality is, between an out of whack work-life balance, losing patience in traffic jams, and feeling stressed over the upcoming holiday season, smiling at a stranger is often the last thing on people’s minds. So maybe we need a day to reinforce the importance of niceness, reminding us to let go of any anger and perhaps soften our too-hard exterior.

Besides, the mental and physical benefits of kindness are plenty, which should make us want to smile more and frown less. Author David R. Hamilton, Ph.D. writes that kindness has positive side effects including healthier hearts, better aging, and improved relationship bonds.



Source: Wikipedia, Randomactsofkindness, HuffingtonPost


HTTP/2

HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. It was derived from the earlier experimental SPDY protocol, originally developed by Google.

HTTP/2 was developed by the Hypertext Transfer Protocol working group httpbis (where bis means “second”) of the Internet Engineering Task Force (IETF).

[Figure: HTTP Timeline]

What is a Protocol?

A protocol is a set of rules that govern the data communication mechanisms between clients (for example web browsers used by internet users to request information) and servers (the machines containing the requested information).

Protocols usually consist of three main parts: Header, Payload, and Footer.

The Header, placed before the Payload, contains information such as the source and destination addresses as well as other details (such as size and type) about the Payload.

The Payload is the actual information transmitted using the protocol.

The Footer follows the Payload and, together with the Header, works as a control field to route client-server requests to the intended recipients and to ensure the Payload data is transmitted free of errors.


[Figure: Mail HTTP/2]

The system is similar to the postal mail service: the letter (Payload) is put into an envelope (Header) with the destination address written on it, and sealed with glue and a postage stamp (Footer) before it is dispatched.

What is SPDY?

SPDY (pronounced SPeeDY) is a networking protocol developed by Google with the purpose of speeding up the delivery of web content. It does this by modifying HTTP traffic which in turn reduces web page latency and improves web security.

HTTP, while powerful in its day, cannot keep up with the demands of today’s digital world, which is the reason SPDY was introduced to help meet those demands.

What is HTTP/2?

HTTP/2 is the second major version update to the HTTP protocol since HTTP/1.1, which was released more than 15 years ago. The HTTP/2 protocol was developed because of the ever-evolving digital world and the need to load more resource-intensive web pages.

SPDY was also implemented to help reduce the web page latency users experience with HTTP/1.1. HTTP/2 is based on SPDY but contains key improvements that led to the deprecation of SPDY in February 2015.

How does HTTP/2 work?

Whenever you click on a link to visit a site a request is made to the server. The server answers with a status message (header) and a file list for that website. After viewing that list, the browser asks for the files one at a time. The difference between HTTP 1.1 and HTTP/2 lies in what happens next.

Say you want a new LEGO set. First, you go to the store to buy your LEGO. When you get home, you open the box and look at the instructions, which tell you what you have to do: one brick at a time. So for every brick, you have to look at the instructions to see which brick to use next. The same for the next brick, and so on. This back-and-forth keeps happening until you have finished the entire LEGO set. If your set has 3,300 bricks, that’ll take quite a while. This is HTTP/1.1.

With HTTP/2 this changes. You go to the store to pick up your box, open it, find the instructions, and you can ask for all the bricks used in one section of the LEGO set. You can keep asking for more bricks without having to go back to the manual each time: “These bricks go together, so here they are.” If you want it really quickly, you could even get all the bricks at once so you can build the set in an instant.


Differences from HTTP1.1

Similar to SPDY, using HTTP/2 does not require any changes to how web applications currently work; however, applications can take advantage of the optimization features to increase page load speed.

Differences between the HTTP/1.1 and HTTP/2 protocols include the following:

  • HTTP/2 is binary, instead of textual
  • It is fully multiplexed, instead of ordered and blocking
  • It can use one connection for parallelism
  • It uses header compression to reduce overhead
  • It allows servers to “push” responses proactively into client caches instead of waiting for a new request for each resource.
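The first two differences in that list, binary framing and multiplexing, are easiest to see on the wire. The following Python script is an added example (not code from the original page or from any HTTP/2 implementation): it encodes and parses the 9-byte HTTP/2 frame header from RFC 7540 (24-bit length, 8-bit type, 8-bit flags, 31-bit stream identifier), checks the client connection preface, and walks a constructed byte buffer in which frames for two streams are interleaved on one connection. The HEADERS payloads are placeholder bytes standing in for HPACK-compressed header blocks, not real HPACK. It also enforces the SETTINGS_MAX_FRAME_SIZE limit before touching a payload, which is the check a defender wants in front of any binary parser so that a hostile length field cannot drive unbounded allocation.

```python
from typing import List, Tuple

# RFC 7540 frame type codes (section 6) and the two flags this example inspects.
FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # first bytes a client sends (RFC 7540 section 3.5)
DEFAULT_MAX_FRAME_SIZE = 16384                            # initial value of SETTINGS_MAX_FRAME_SIZE

Frame = Tuple[str, int, int, bytes]  # (type name, flags, stream id, payload)


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a 24-bit length field")
    header = (len(payload).to_bytes(3, "big")
              + bytes([ftype, flags])
              + (stream_id & 0x7FFFFFFF).to_bytes(4, "big"))
    return header + payload


def parse_frames(buf: bytes, max_frame_size: int = DEFAULT_MAX_FRAME_SIZE) -> List[Frame]:
    """Return every frame in the buffer in wire order; refuse oversize or truncated frames
    before their payload is sliced out."""
    frames: List[Frame] = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF  # drop the reserved bit
        if length > max_frame_size:
            # A peer exceeding the negotiated limit gets a FRAME_SIZE_ERROR in a real endpoint.
            raise ValueError(f"frame of {length} bytes exceeds SETTINGS_MAX_FRAME_SIZE {max_frame_size}")
        off += 9
        if len(buf) - off < length:
            raise ValueError("truncated frame payload")
        payload = buf[off:off + length]
        off += length
        frames.append((FRAME_TYPES.get(ftype, f"UNKNOWN(0x{ftype:x})"), flags, stream_id, payload))
    return frames


def parse_connection(raw: bytes) -> List[Frame]:
    """Check and strip the client connection preface, then parse the frames that follow it."""
    if not raw.startswith(CONNECTION_PREFACE):
        raise ValueError("missing HTTP/2 connection preface")
    return parse_frames(raw[len(CONNECTION_PREFACE):])


def stream_order(frames: List[Frame]) -> List[Tuple[str, int]]:
    """(type, stream id) per frame, which makes the interleaving of streams visible."""
    return [(name, sid) for name, _flags, sid, _payload in frames]


# Constructed client->server bytes: preface, SETTINGS, then two requests on odd stream ids 1 and 3.
SAMPLE_CLIENT_BYTES = CONNECTION_PREFACE + b"".join([
    encode_frame(0x4, 0, 0, b""),
    encode_frame(0x1, FLAG_END_HEADERS | FLAG_END_STREAM, 1, b"<hpack:GET /index.html>"),
    encode_frame(0x1, FLAG_END_HEADERS | FLAG_END_STREAM, 3, b"<hpack:GET /style.css>"),
])

# Constructed server->client bytes: both responses share one TCP connection and arrive interleaved,
# which is exactly what HTTP/1.1 cannot do on a single connection.
SAMPLE_SERVER_BYTES = b"".join([
    encode_frame(0x4, 0, 0, b""),
    encode_frame(0x1, FLAG_END_HEADERS, 1, b"<hpack:200 text/html>"),
    encode_frame(0x1, FLAG_END_HEADERS, 3, b"<hpack:200 text/css>"),
    encode_frame(0x0, FLAG_END_STREAM, 3, b"body{}"),        # small response finishes first
    encode_frame(0x0, 0, 1, b"<html>..."),
    encode_frame(0x0, FLAG_END_STREAM, 1, b"</html>"),
])

if __name__ == "__main__":
    for name, flags, sid, payload in parse_frames(SAMPLE_SERVER_BYTES):
        print(f"{name:8} stream={sid} flags=0x{flags:02x} len={len(payload)}")
```

Running it prints the server frames in wire order, with stream 3 completing before stream 1 has finished: the "one connection for parallelism" point from the list. A parser that accepts the length field blindly is the classic defect in binary protocol handlers, which is why the size check sits before the slice.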

Is it HTTP/2.0 or HTTP/2?

The Working Group decided to drop the minor version (“.0”) because it has caused a lot of confusion in HTTP/1.x.

In other words, the HTTP version only indicates wire compatibility, not feature sets or “marketing.”

Similarities with HTTP1.x and SPDY

| HTTP1.x | SPDY | HTTP2 |
| --- | --- | --- |
| SSL not required but recommended. | SSL required. | SSL not required but recommended. |
| Slow encryption. | Fast encryption. | Even faster encryption. |
| One client-server request per TCP connection. | Multiple client-server requests per TCP connection. Occurs on a single host at a time. | Multi-host multiplexing. Occurs on multiple hosts at a single instant. |
| No header compression. | Header compression introduced. | Header compression using improved algorithms that improve performance as well as security. |
| No stream prioritization. | Stream prioritization introduced. | Improved stream prioritization mechanisms used. |

Conclusion

HTTP/2 is without a doubt the direction the web is moving towards in terms of the networking protocol that is able to handle the resource needs of today’s websites. While SPDY was a great step forward in improving HTTP1.1, HTTP/2 has since further improved the HTTP protocol that has served the web for many years.

According to W3Techs, as of November 2018, 31% of the top 10 million websites supported HTTP/2.

Source: kinsta, wikipedia, yoast, github, keycdn

HTTP vs HTTPS

Both HTTP and HTTPS are protocols being used for transmitting and receiving information across the Internet.

HTTP is the acronym for Hypertext Transfer Protocol. HTTP has been the standard communication protocol pretty much since the internet was developed.

HTTP: HyperText Transfer Protocol:

Hypertext Transfer Protocol (HTTP) is a system for transmitting and receiving information across the Internet. HTTP is an “application layer protocol,” which ultimately means that its focus is on how information is presented to the user; it doesn’t really care how data gets from Point A to Point B.

It is said to be “stateless,” which means it doesn’t attempt to remember anything about the previous web session. The benefit of being stateless is that there is less data to send, and that means increased speed.

Here are the facts about HTTP:

  • The term HTTP was originated by Ted Nelson.
  • HTTP connections use port 80 by default.
  • HTTP URLs begin with “http://”.
  • The first version of HTTP, HTTP V0.9, was introduced in 1991.
  • HTTP V1.0 is specified in RFC 1945, which was officially introduced and recognized in 1996.
  • HTTP V1.1 is specified in RFC 2616 and was released in January 1997.
  • HTTP V2.0 is specified in RFC 7540 and was published in May 2015.

HTTPS: HyperText Transfer Protocol Secure:

Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.



Web browsers such as Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect.

Here are the facts about HTTPS:

  • HTTPS uses a port 443 by default to transfer the information.
  • HTTPS URLs begin with “https://”.
  • HTTPS was first used with HTTP V1.1 and is defined in RFC 2616.

HTTPS provides three key layers of protection:

  • Encryption. Encrypting the exchanged data to keep it secure.
  • Data Integrity. Data cannot be modified or corrupted during transfer without being detected.
  • Authentication. Proves that your users communicate with the intended website.

There is a belief among many around the web that HTTPS is slower. Fortunately, this is a myth. HTTPS is actually much faster than HTTP.

Difference between HTTP and HTTPS

  • In HTTP, the URL begins with “http://” whereas in HTTPS the URL starts with “https://”
  • HTTP uses port number 80 for communication and HTTPS uses 443
  • HTTP is considered to be unsecured and HTTPS is secure
  • HTTP works at the Application Layer and HTTPS works at the Transport Layer
  • In HTTP, encryption is absent; in HTTPS, encryption is present, as discussed above
  • HTTP does not require any certificates; HTTPS needs an SSL certificate
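The port and certificate differences above are what a client library actually has to get right, and the authentication layer (“proves that your users communicate with the intended website”) is the one most often switched off by hand. The following Python snippet is an added example, not code from the page or its sources: it maps a URL to the scheme, default port and encryption status the list describes, and contrasts a client TLS context that verifies the server’s certificate and host name with the weakened context that many scripts use to silence certificate errors. The audit helper `context_authenticates_server` is an assumed name for this example.

```python
import ssl
from typing import Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def transport_for_url(url: str) -> Tuple[str, int, bool]:
    """Return (scheme, port, encrypted) for an http(s) URL, filling in the default port when absent."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, port, scheme == "https"


def hardened_client_context() -> ssl.SSLContext:
    """What the padlock implies: the server certificate chain is verified against the system
    trust store (CERT_REQUIRED) and the certificate must match the host name (check_hostname)."""
    return ssl.create_default_context()


def weakened_client_context() -> ssl.SSLContext:
    """The anti-pattern: encryption is kept, but authentication is discarded, so any
    man-in-the-middle presenting a self-signed certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_server(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this context verify whom it is talking to?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Constructed sample URLs; no network access is needed to evaluate them.
    for url in ("http://example.com/index.html", "https://example.com/login", "https://example.com:8443/"):
        print(url, "->", transport_for_url(url))
    print("hardened verifies server:", context_authenticates_server(hardened_client_context()))
    print("weakened verifies server:", context_authenticates_server(weakened_client_context()))
```

Both contexts would encrypt traffic, so a packet capture looks identical; only the hardened one delivers the authentication layer, which is why “encryption is present” alone is not the same as “secure”.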



Is HTTP dying?

HTTP isn’t really dying, per se. It’s just being forced to evolve. As we mentioned earlier, the browsers are basically our de facto vehicle for getting around the internet. The vast majority of us could not use the internet without a browser. And that puts the browsers in position to influence the internet as they see fit.

Right now, they’re mandating SSL. The initiative began a few years ago with a soft push. Google announced HTTPS would become a ranking factor for SEO, then the browsers started making new features exclusive to sites with SSL. Gradually they incentivized encryption more and more.

For a detailed explanation on SSL/TLS protocols, check my earlier post: SSL/TLS

Keep reading, Keep learning 😊

Source: Sanjay Barot, geeksforgeeks, i-techgeeks, instantssl, Bhavesh Patel

How protected are you against cyber-attacks?

People often say you can’t truly understand something until it happens to you, which is true in many situations in life. We can’t imagine data security issues impacting our lives until they do.

All infrastructure is vulnerable to attack.

There is no magic platform that is completely impenetrable now and in the future. Despite what you may see in advertisements, no vendor, no firewall, no router, no hardware, no operating system, and no software product can block all possible attacks.

This is why information security is a process that begins when a system is being planned, and monitors, evaluates, and corrects security issues throughout the lifetime of the system, and continues until the system is decommissioned and its components securely disposed of.

What are cybersecurity attacks?

Cybersecurity refers mainly to protecting internet-connected systems, including hardware, software, and data, from cyber attacks. Cyber attacks can result in the following issues:

  • Data theft
  • Ransomware installation
  • Data corruption
  • Spyware

I thought you could use a starting point, a guide you can use to do a personal security risk assessment, so you can then take the necessary actions to improve your protection from cyber-attacks.

In order for your data to be secure, it has to satisfy 3 important factors. We want our information to:

  • be read by only the right people (Confidentiality)
  • only be changed by authorized people or processes (Integrity)
  • be available to read and use whenever we want (Availability).


When going through the questions below and answering them honestly (no grades will be given), keep in mind these three principles. This security risk assessment is not a test, but rather a set of questions designed to help you evaluate where you stand in terms of personal information security and what you could improve.

  1. What type of information do you have stored on your computer (pictures, work documents, applications, passwords, etc.)?

It will be really useful to make a list of the different types of information you have stored:

  • Locally, on your computer
  • Online, in different apps (cloud-based or not) and on various websites.

Do you have personal emails, work documents, confidential corporate data, photos and videos of your family or personal information, such as banking credentials or passwords?

  2. Which online services do you use most often?

Think of the online services you use on a daily or weekly basis. You could list:

  • Online shopping
  • Social networking
  • Online banking
  • News websites
  • Download portals
  • Chat applications, etc.

  3. Define how valuable each asset is to you.

You can use three degrees of importance: “low”, “medium” and “high”. Define this value based on the potential cost (financial, reputational or emotional) of an unauthorized person gaining access to that piece of information or service.

For example:

  • Online banking password – high value
  • Playlist stored on your music streaming service – low value.

  4. How do you keep your sensitive information safe?

Consider the following options (and others that apply to your situation):

  • I use strong passwords (longer than 8 characters and including symbols and numbers)
  • I use passwords for both my online accounts and for logging into my laptop/tablet/phone
  • I use two-step authentication whenever it’s available
  • I have set strong security questions in the event of a security breach
  • I have my email accounts connected so I can regain access to my information in the case of a cyber attack
  • I have set up my phone number to receive alerts from important services (such as online banking or email) in case my accounts are compromised.

  5. What kind of security are you using?

Do you have an antivirus solution installed? Do you update it regularly? And, most of all, do you know that antivirus is not enough?

In order to understand why antivirus is not enough, you’ll need to learn about the difference between an antivirus and an anti-spyware product. To put it briefly:

  • When you’re already infected, antivirus programs detect if a virus is on your PC and they remove it.
  • But what you need is not to get infected in the first place.
  • So that’s why you need a tool that can work proactively to detect and block malware.
  • Another layer of protection you could use is a firewall and even an encryption application that can ensure that your data won’t be accessed in case your gadgets are stolen.

Before choosing any cybersecurity product, make sure to do some research and learn about what the product offers. Check AV testing websites (AV Test, AV Comparatives, Virus Bulletin, PC Mag) and other reviews that compare options, so that you can make the best choice for you.

  6. What security software are you using against financial and data-stealing malware?

Cyber-attacks directed at collecting financial information and leaking confidential data are increasing in numbers and severity. This is why, in order to conduct online transactions with peace of mind, browse the web securely and keep your private information secure, you’ll need a dedicated product.

In order to get protection against financial malware, the solution you need should:

  • include a real-time Internet traffic scanner that scans all incoming network data for malware and blocks any threats it comes across
  • be able to provide malware detection and removal of malicious software that has already been installed onto a computer
  • have a website security scanner feature that checks the website you want to visit, detects malware and blocks it.

  7. Are you using a backup solution for your operating system or for your vital information?

Keeping your data backed up is crucial for your cyber security plan. Evaluate your options: would you rather use an external drive or a cloud-based solution? Weigh the pros and cons of each, but be sure to keep the essential information you deem valuable safe.

Back up your data regularly in order not to lose the important progress you’ve made. There’s even a World Backup Day celebration happening on March 31 to help you remember!

  8. How do you protect your shared documents (e.g. Google Docs) or gadgets (computer, tablet, etc.)?

Do any other people use your gadgets? Have you set up guest accounts for them or do they have access to the administrator account? Do you have kids that use your gadgets (and have you taught them about information security)?

I know these seem like a lot of questions, but the human factor is the most common cause of cyber-attacks, because hackers know how to manipulate and trick vulnerable categories of users into revealing information or installing malicious software.

Also, keeping a back-up of shared documents and files could save you the trouble of having to do the work all over again if someone should delete or modify those files. When possible, be sure to offer view-only permission and regularly check who has access to confidential information (after a colleague’s departure from the company, after a break-up with a spouse or boyfriend/girlfriend, etc.).

Maintain a vigilant attitude and, to the extent that you can, try to share what you’ve learnt from this security risk assessment with those around you, especially with the people you share gadgets, accounts or cloud-stored documents with.

  9. How do you manage your passwords?

You’ve probably accumulated plenty of passwords by now, which is what makes it so difficult to manage them. You may be tempted to use the same password more than once and make it easy to remember, but, by all means, NEVER do that!

 The safest way to manage your passwords is to use a password manager application, like LastPass. You should use a generator to create long, complicated passwords and store them in LastPass, and NEVER, EVER store them in your browser.


This is especially recommended if you’re using your personal device at work. Don’t forget to password-protect your devices as well, and remember to lock/log off each time you leave them unattended.

It may take a bit to set things up at first, but, when you’re done, you’ll have more peace of mind and have a simpler way to manage your passwords.

  10. Do you regularly update the software you use?

Consider some of these choices:

  • Do you perform operating system updates when you’re prompted to do so?
  • Do you have automatic software updates set up for both your OS and your applications?
  • Do you regularly update Oracle Java, Adobe Reader or Adobe Flash, which are known to cause 85% of the security exploits that hackers use?
  • Do you keep your browsers updated to the latest versions?


One of the most common and dangerous types of cyber attacks that hackers engineer are called “social engineering” strategies. These attacks entail the psychological manipulation of the victim to trick the person into divulging confidential information. The purpose can be information gathering, fraud, or system access.

So, ask yourself: do you reply to e-mails received from unknown people? Do you trust strangers and talk openly about your digital assets? Think about how you behave online and then adjust your habits so that you can become your own layer of protection.

Source: Heimdal Security, business2community

All major browsers drop TLS 1.0 and 1.1 in 2020

All major web browser makers announced on October 15, 2018, that the browsers that they produce will stop supporting the standards TLS 1.0 and TLS 1.1 in 2020.

The change was announced by Google, Apple, Microsoft, and Mozilla on company websites.

Transport Layer Security (TLS) is a security protocol used on the Internet to protect Internet traffic. It uses encryption to protect the data from eavesdropping.

TLS 1.0 and TLS 1.1 are old standards. TLS 1.0 turned 19 this year, a very long time on the Internet. The main issue with TLS 1.0 is not that the protocol has known security issues but that it doesn’t support modern cryptographic algorithms.
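The browsers’ cut-off is a policy question for anyone running a TLS server: which protocol versions are still offered, and does the server configuration enforce a floor. The following Python snippet is an added example, not code from the page or from the vendors it quotes. It encodes the TLS 1.2 floor as a policy over the wire version numbers (0x0301 for TLS 1.0 up to 0x0304 for TLS 1.3), audits a constructed list of versions a server might be configured to offer, and builds a server-side `ssl.SSLContext` whose `minimum_version` enforces the same floor so that a client offering only TLS 1.0 or 1.1 is refused at the handshake. The function names are assumptions for this example.

```python
import ssl
from typing import Dict, List

# ProtocolVersion values as they appear on the wire in the TLS RFCs.
WIRE_VERSION: Dict[str, int] = {
    "SSLv3": 0x0300,
    "TLSv1": 0x0301,
    "TLSv1.1": 0x0302,
    "TLSv1.2": 0x0303,
    "TLSv1.3": 0x0304,
}
MINIMUM_ALLOWED = "TLSv1.2"   # policy floor matching the browsers' 2020 cut-off


def version_allowed(name: str) -> bool:
    """True if the named protocol version is at or above the policy floor."""
    if name not in WIRE_VERSION:
        raise ValueError(f"unknown protocol version {name!r}")
    return WIRE_VERSION[name] >= WIRE_VERSION[MINIMUM_ALLOWED]


def audit_offered_versions(offered: List[str]) -> Dict[str, List[str]]:
    """Split the versions a server is configured to offer into those to keep and those to disable."""
    return {
        "keep": [v for v in offered if version_allowed(v)],
        "disable": [v for v in offered if not version_allowed(v)],
    }


def server_context_with_floor() -> ssl.SSLContext:
    """Server context that refuses anything below TLS 1.2 during the handshake.
    (A certificate would still have to be loaded before it could serve connections.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Audit check for an existing context: is its minimum version at least TLS 1.2?"""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    # Constructed example of a legacy server configuration that still offers every TLS version.
    legacy_offered = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
    print(audit_offered_versions(legacy_offered))
    print("context meets policy:", context_meets_policy(server_context_with_floor()))
```

The same floor can be expressed in any server’s configuration (for example as an allowed-protocols directive); the point of the numeric comparison is that “TLS 1.1” sorts below “TLS 1.2” on the wire as well as in the name, so the policy check does not depend on string ordering.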


History & Development of SSL/TLS:

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.

SSL and TLS are often referred to as a group, e.g. SSL/TLS.

SSL was initially invented by Netscape in 1994.

SSL 1.0 was never released to the public because of its serious security flaws. SSL 2.0 was released in February 1995 and was later replaced by SSL 3.0, which is regarded as a complete redesign of the protocol, performed by the American cryptographer Paul Kocher in collaboration with Netscape’s engineers in 1996.

Dr. Taher Elgamal, who was the chief scientist at Netscape Communications from 1995 to 1998, is considered the “Father of SSL”.

[Photo: Dr. Taher Elgamal]

In 2014, researchers at Google disclosed the ‘POODLE’ vulnerability, which could allow attackers to decrypt encrypted connections to websites that use the SSL 3.0 protocol using a Man-in-the-Middle (MitM) attack – a popular way to intercept data.

This is where the hacker inserts a process in between the client and server through which their communication passes through, allowing the hacker to listen in on a private communication. The hacker may also be able to redirect the client to a web site controlled by the hacker where the hacker will infect the client with malware and/or commit financial fraud.

SSL 2.0 was prohibited in 2011. SSL 3.0 was also later prohibited in June 2015.

[Figure: benefits of SSL certificates] Image Source: ssl2buy

TLS (Transport Layer Security) was developed by the Internet Engineering Task Force (IETF) as a successor protocol to SSL.

In 1999, TLS 1.0 was designed as a successor to SSL. Although the differences were not essential, experts stated that SSL 3.0 was less secure than TLS 1.0.

In 2006, TLS 1.1 was released. The next version, TLS 1.2, was released in August 2008. TLS 1.3 was released in August 2018.

TLS – a future enhancement of SSL

SSL uses a Message Authentication Code (MAC) algorithm; Transport Layer Security (TLS) goes a step further and uses keyed-Hash Message Authentication Code (HMAC). What does HMAC do? It generates an integrity check just like the MAC, but with HMAC it becomes much tougher to break. TLS is a venture of the Internet Engineering Task Force (IETF).
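To make the HMAC step concrete, here is an added Python example (not code from the page or from any TLS implementation). It computes and verifies an HMAC-SHA256 tag over a constructed record, shows the tag rejecting a tampered payload, a tampered tag and a wrong key, and spells out the RFC 2104 construction H((K ⊕ opad) ‖ H((K ⊕ ipad) ‖ m)) by hand so it can be checked against the standard library. Verification uses `hmac.compare_digest`, whose running time does not depend on where the first mismatching byte is; a plain `==` on tags is the usual defect in hand-rolled verifiers. The key and record contents are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes for SHA-256
BLOCK_LEN = 64                           # SHA-256 input block size, used by the HMAC padding


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Standard-library HMAC-SHA256 tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time; never compare tags with ==."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def hmac_sha256_by_hand(key: bytes, message: bytes) -> bytes:
    """RFC 2104 spelled out: H((K ^ opad) || H((K ^ ipad) || m)). Keys longer than the block
    are hashed first; shorter keys are zero-padded to the block length."""
    if len(key) > BLOCK_LEN:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_LEN, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def record_demo(key: bytes) -> Dict[str, bool]:
    """Integrity outcomes for a constructed record: only the genuine (key, payload, tag) triple verifies."""
    payload = b"GET /account HTTP/1.1"          # constructed sample record
    tag = hmac_tag(key, payload)
    tampered_payload = payload.replace(b"/account", b"/admin")
    tampered_tag = bytes([tag[0] ^ 0x01]) + tag[1:]   # flip one bit of the tag
    return {
        "genuine": verify_tag(key, payload, tag),
        "tampered_payload": verify_tag(key, tampered_payload, tag),
        "tampered_tag": verify_tag(key, payload, tampered_tag),
        "wrong_key": verify_tag(b"not-the-session-key", payload, tag),
    }


if __name__ == "__main__":
    demo_key = b"constructed-demo-session-key"
    print(record_demo(demo_key))
    print("by-hand matches stdlib:", hmac_sha256_by_hand(demo_key, b"x") == hmac_tag(demo_key, b"x"))
```

In TLS the key is derived from the handshake secrets rather than being a fixed byte string, but the property demonstrated is the same: without the key, neither the payload nor the tag can be altered without the check failing.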

TLS protocol consists of two different layers of sub-protocols:

  • TLS Handshake Protocol: Enables the client and server to authenticate each other and select an encryption algorithm prior to sending the data
  • TLS Record Protocol: Works on top of the standard TCP protocol to ensure that the created connection is secure and reliable. It also provides data encapsulation and data encryption services.

Even though TLS 1.3 was first announced in 2014, it was only released this April via OpenSSL. Distribution is still not global yet; there are millions of websites that need to upgrade to the latest version.

TLS 1.3 is currently supported in both Chrome (starting release of 66 version) and Firefox (starting with release 60), and in development for Safari and Edge browsers.

Benefits of using TLS 1.3:

  • Faster connections

In the previous versions, two round-trips were needed to establish a secure connection. This process takes place before any actual data is transferred and lasts for hundreds of milliseconds.

With TLS 1.3 there is only one round-trip necessary to create a secure connection. This cuts the encryption latency by half!


TLS 1.3 speeds up previously established connections even more with the so-called “zero round-trip time” (0-RTT) mode. TLS 1.3 “remembers” previously shared keys and allows early data to be sent when resuming previous sessions.

Unfortunately, 0-RTT could be a potential threat. Attackers could capture your 0-RTT communication and duplicate the flight of 0-RTT data. If your pre-shared keys have not expired, the server will accept the attacker’s 0-RTT data and respond to it. This is especially dangerous for HTTP POST requests, e.g. “/buy-something”.

In order to prevent any harm, servers that allow 0-RTT should implement an anti-replay mechanism and limit 0-RTT to only some requests. Currently, TLS 1.3 does not provide, and indeed cannot provide, inherent replay protection for 0-RTT.
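What “an anti-replay mechanism” and “limit 0-RTT to only some requests” look like on the server side is shown in the following added Python example (not code from the page or from any TLS library; the class and its methods are names assumed for this example). It models the single-use-ticket approach in simplified form: a ticket may carry early data once and only within its lifetime, and early data is accepted only for requests that are safe to repeat. Everything else is refused so that the client retries after the full handshake, which is what HTTP 425 Too Early (RFC 8470) exists for. The request sequence is a constructed scenario, including the replayed “/buy-something” case from the text.

```python
from typing import Dict, List, Tuple

# Methods defined as safe/idempotent in HTTP; only these may ride in 0-RTT early data here.
REPLAY_SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class EarlyDataGate:
    """Simplified server-side 0-RTT policy: single-use tickets, ticket lifetime, and a method allow-list."""

    def __init__(self, ticket_lifetime_s: float):
        self.ticket_lifetime_s = ticket_lifetime_s
        self._spent: Dict[bytes, float] = {}   # ticket id -> issue time, for tickets already used for early data

    def _purge(self, now: float) -> None:
        """Forget spent tickets that can no longer be presented (their lifetime is over)."""
        for ticket in [t for t, issued in self._spent.items() if now - issued > self.ticket_lifetime_s]:
            del self._spent[ticket]

    def accept(self, method: str, path: str, ticket_id: bytes,
               ticket_issued_at: float, now: float) -> Tuple[bool, str]:
        """Decide whether early data carrying `method path` under this ticket may be processed."""
        self._purge(now)
        if now - ticket_issued_at > self.ticket_lifetime_s:
            return False, "ticket expired; require full handshake"
        if method.upper() not in REPLAY_SAFE_METHODS:
            return False, f"{method} {path} is not safe to replay; require 1-RTT (425 Too Early)"
        if ticket_id in self._spent:
            return False, "ticket already used for early data; possible replay"
        self._spent[ticket_id] = ticket_issued_at
        return True, "early data accepted"


def simulate() -> List[Tuple[bool, str]]:
    """Constructed scenario: a fresh GET, a replay of the same flight, an early POST, and an expired ticket."""
    gate = EarlyDataGate(ticket_lifetime_s=300)
    ticket_a, ticket_b, ticket_c = b"ticket-A", b"ticket-B", b"ticket-C"
    return [
        gate.accept("GET", "/catalog", ticket_a, ticket_issued_at=10, now=11),        # first use: ok
        gate.accept("GET", "/catalog", ticket_a, ticket_issued_at=10, now=12),        # captured copy replayed
        gate.accept("POST", "/buy-something", ticket_b, ticket_issued_at=10, now=12),  # unsafe in 0-RTT
        gate.accept("GET", "/", ticket_c, ticket_issued_at=0, now=400),               # ticket lifetime passed
    ]


if __name__ == "__main__":
    for ok, reason in simulate():
        print("ACCEPT" if ok else "REJECT", "-", reason)
```

The purge step matters in a long-running server: the set of spent tickets is bounded by the ticket lifetime, and an expired ticket is rejected on the lifetime check before the replay check is ever consulted. The real protocol offers the same two options (single-use tickets or recording ClientHello values within a freshness window); this example implements only the first.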

  • Improved Security

With a “less is more” approach, TLS 1.3 removed broken and vulnerable pieces of the previous protocols. Having done this, TLS 1.3 enhances security and its implementation is much simpler for developers.

Moreover, TLS 1.3 improves the safety of previous connections by securing session resumption with a PFS (Perfect Forward Secrecy) mechanism. Therefore, an attacker won’t be able to decrypt previous traffic even if he gains access to the session encryption key. In other words, all sessions and even session resumptions are individually protected.

Source: Ghacks, Wikipedia, ssl2buy, cdn77