A small army of security and privacy researchers has called on Google to automatically encrypt all data transmitted via its Gmail, Google Docs, and Google Calendar services. Google already uses Hypertext Transfer Protocol Secure (https) encryption to mask login information on this trio of cloud-based web-based applications. And …
I'm with Google on this one
Admittedly they're using latency as an excuse for saving the costs of transferring everything over https, but if the vast majority can't be arsed to turn on http, why should Google turn it on by default.
If you're storing or working confidential docs using Google, and using GMail for business (you're an idiot if you do) and you're worried about the security involved, then you already should know to turn on https. If you don't, you need to be clubbed to death with your keyboard. They're providing a free service, and are attempting to keep their costs down.
The Royal Mail doesn't have a bloody big sign on every letter box saying "Remember to seal your envelopes before posting so that evil people can't read your letters.". Same thing goes for postcards, you don't send the design for your cold fusion reactor on one.
Not that I use GMail or any of their services other than email, but if I did I would turn on https.
"Ignorance is not an excuse". Now, write it out a hundred times, and if it's not done by sunrise, I'll cut your balls off.
https also breaks igoogle
It's also worth mentioning that if you do turn on the optional https setting for gmail, the igoogle gmail applet no longer works.
https and igoogle
Https does work perfectly in Googles Chrome browser though, and the browser is quite good also.
The real reason
Google may try to obfuscate their reasoning with ridiculous statements like "Your computer has to do extra work to decrypt all that data" (my Core 2 Duo is more than capable of decrypting one paltry GMail session, thank-you-very-much), but their real reasoning is clear.
They don't want their servers to have to do all that "extra work" to ENcrypt all the data. It would mean they'd have to buy more servers, and that would hurt their bottom line. That is, ultimately, all that any company gives a shit about (do-no-evil or otherwise). Oh, and I suppose that using more servers isn't 'green' or something- I'm surprised they didn't trot out that line. Save the planet, ban encryption!
They give you the option to turn on https to placate the savvy users, but everyone else gets whatever uses the fewest CPU cycles. If you expect them to do anything else, you don't understand how a business works.
"Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the internet as efficiently as unencrypted data. That's why we leave the choice up to you."
"the work is negligible for your computer, and has no impact on being transmitted over the net, but we'd have to spend money on all of our servers to cope with the increased processing load."
There's nothing wrong with that, as it's a legitimate reason, but why imply it's the users computer that won't be able to cope with the workload? After all it's not like people notice the massive delays while their machine labours to decrypt a single wi-fi signal on the fly.
If Google used...
If Google used UltraSPARC T1 or T2 processors... additional load would not be a problem, since these processors were designed for web servers and have octal crypto units built in to allow https traffic without a performance hit on the server.
Google apps and encryotion
How would Google scan all users documents if users controlled encryption?
Not that they would do that...
False sense of security
@Lou 1 - https secures the data in transit between you and Google - once it gets to Google it is (probably) decrypted and stored on their servers in the clear.
Don't let the fact that "it's encrypted" weigh too much on whether you trust Google to store all your important stuff. I guess it's a personal decision, but I only use Gmail and Google Calendar for things that I wouldn't really mind anyone seeing, so I don't see a particular gain to be had from using https transfer.
How much did MSFT pay?
I mean, it's not like you should do anything sensitive in "the cloud" anyway. It's not like they didn't provide the https option for the paranoid types (how many people do encrypt their e-mails routinely in the first place anyway?). So there must be a hidden agenda. Who could possibly want to put some pressure (and bad rep) on Google? Asked another way, is this mob going to demand that the new Opera services use explicit SSL encryption exclusively?
Encryption not just for
"if the vast majority can't be arsed to turn on http, why should Google turn it on by default."
I understand this to a point, but at the same time it isn't only ignorant users passing highly sensitive info that are getting hurt by the lack of automatic https. An equal problem I see are users who may use the services casually but get caught by phishing scams because they can't tell the difference between google's log-in (or that of another legit site) and a fake one. Even if no "sensitive" material is compromised in such a hack, it still exposes personal information -- passwords, for example -- that can be used malevolently. The only way to start protecting against this is encryption, and OBVIOUS encryption, like extended validation ssl w/the green url bar.
And I think a lot of business folks use gmail for personal mail but not pro mail, like I do, but there could be some overlap (I occasionally email stuff between the two mailboxes). Although I do use what https there is.
Uh, did SMTP suddenly gain encryption while I wasn't looking?
Even if my HTTP session with gmail is encrypted, doesn't the email still go out in plain text as it makes its way to the recipient's mail server?
Vote for Steve Hunter.
Guys wake up.
It will not make any differance being a HTTPS session when the e-mail hits the next SMTP server!
Regarding posting of Doc's. READ THE T&C's! If you don't agree with them then don't use the service!
Don't read the T&C's. Well who's fault is that then?
They'll have to fix their own iGoogle wigit first, because at the mo their own customise-your-own-portal page doesn't work with their own 'always use https' setting !
Been affected by this
I've been affected by non secure communications in the past and currently battling with unusualities, I for one would endorse the secure all approach and have done so for quite some time. Also, I have switched on https.
Another nail in Phorms coffin
Can't wait for this to happen. Phorm will lose a big chunk of its spying opportunity.
I think I've just found amanfrommars selling his washing machine;
.. might explain why he's been quiet recently ..
How about the environment?
Won't someone think of the extra CO2 because of this extra security?
And @David... a T1 will be slower than an X2100 by the time about 3 to 4K of data goes by thanks to its very slow block cypher.
Never send sensitive information through e-mail anyway!
I can't believe Google is getting slated over this. Even if you send your data through gmail securely there is no guarantee that your details aren't going to be hacked into somewhere along the line.
You should never send any type of personal information through an e-mail system, especially not things like bank details.
I get so annoyed with MBNA who send me a letter through e-mail every so often saying "We have added your postcode to this e-mail so you know it's from us".
So how does the fact that MBNA know what my postcode is prove to me that the e-mail they've sent me is genuinely from them? Apart from the fact that anywhere along the lines, between MBNA's mail server and my mail server, anyone could have taken a look at that e-mail and seen my postcode, wrote it down and sent me an e-mail that looks like it's from MBNA, although I'm not really bothered if people find out my postcode, they could find it just as easily by looking in the phone book.
E-mail is not secure and should never be used to send anything sensitive. Certainly never bank details of any sort. If you really must send bank details through e-mail possibly the most safest way is to put them in to a file and compress the file with something like WinRAR adding a secure password to it (ideally at least 8 characters long with numbers, capital letters and some non-alphanumeric characters in it for good measure). Then call the person and tell them the password to open the file at their end, then you know that it is fully encrypted before being sent.
@Darren Forster: "Then call the person and tell them the password..."
And the phone system IS secure? No... When I lived in NYC, I could have safely and easily tapped the lines of anyone in the building.
Glad to see google getting with the program. Half the cost of SSL is in the initial handshake, which Google always did to protect the login itself. I've been using SSL with my provider for years. (fastmail.fm).