
Google grabs Gmail-using HTTPS refuseniks and coats them with SSL

Google has announced that from Thursday all connections to its Gmail website will be encrypted in transit using HTTPS – and messages will be encrypted when being moved around the web giant's data centers. "Every single email message you send or receive - 100 per cent of them - is encrypted while moving internally," wrote Nicolas …

COMMENTS

This topic is closed for new posts.
Black Helicopters

About bloody time.

You wouldn't want the secret police's copies of your data being corrupted by man-in-the-middle attacks, eh?

0
0
Anonymous Coward

Re: About bloody time.

So encrypting with the standards established with NSA oversight is your solution to government spying?

That's like covering the lambs in mint jelly to keep the wolves at bay.

1
1
Anonymous Coward

If the NSA can decrypt SSL, wouldn't they be in violation of DMCA?

0
0
Anonymous Coward

"If the NSA can decrypt SSL, wouldn't they be in violation of DMCA?"

You have to prove the injury in order to make the legal claim. As doing so would require a security clearance and divulging that information to the court would be a violation of your NDA, your complaint would still not be actionable.

In short: Catch-22.

1
0

Encrypt it all by default

Use HTTPS Everywhere from the EFF, encrypts by default whenever possible. You get to use the ultra-secret https://encrypted.google.com/ even when you try using the usual address, unless you tell it otherwise. Why let GCHQ or NSA know what I'm searching for?

FF (Mozilla-based), FF for Android, Chrome, even Opera. But not IE, boo hoo.

If you know anything better for the same money or less, please recommend it.

3
0
Silver badge

Re: Encrypt it all by default

Calomel for Firefox shows how secure encrypted connections are.

Google's got all the bells (PFS, SHA-256). Oddly enough banks in general are fairly insecure.

https://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-validation/

3
0

HTTPS Everything Means You

No choice for you means more security for everyone. None of your contacts using Gmail will leak stuff you are expecting to be confidential by shoddy mail security. All 425M Gmail users will create a flood of unintelligible stuff that will be five times more difficult to save than if 80% opted for fast but insecure HTTP. HTTPS does not mean the same thing now. Years ago Google 128 bit HTTPS meant that someone in your coffee shop could not intercept your email, save it and rent enough computer time from Amazon to crack the code to your stuff. Today, 2048 bit HTTPS means that the Chinese Army and/or NSA (they might share interest in the same Google users) can't break the code.

4
1

This post has been deleted by its author

What's the Point of Encryption?

This is just a PR stunt. According to the NSA slides, Google, Microsoft, and other big tech companies had been collaborating with the NSA by giving them direct access to their servers. Of course, after being caught red-handed, the big behemoths are going to lie and spin the truth. They allege that there was a "lock box" that they used to place files in in the case of a court order, as they have a lot to lose if they fessed up to what was really going on. Plus, there may be a gag order in place that would land them in severe legal trouble if they admitted to what was (and still is) happening. Does this give these lying fools clemency? No, it doesn't. Google and Microsoft do not care about your privacy or you, or the constitution (if you live in the USA). What they care about is money, and they will lie through their teeth to no extent in order to attempt to extinguish the image that people are getting that any type of cloud computing isn't safe. Guess what -- it's not, and never will be. That's why there's this thing called a hard drive and your own network inside your own walls. There are services for encrypted email (one of them got shut down by the government recently), but Gmail and Hotmail are not services for sending sensitive messages over a secure path. Gmail and Hotmail are for sexting your flings, and make good spam accounts.

If people don't want to believe the whistleblower who risked his life to tell the world what was really going on in clandestine, and instead believe big companies that risk losing hundreds of millions if not billions of dollars because of their tarnished and tarnishing image, the joke is on you. This is nothing more than a PR stunt. Even though HTTPS can be broken by the NSA, there's no point of encrypting web traffic in the context of the NSA listening, as they get the data before it's even encrypted. So what if Google is encrypting data as it moves around their network. Big whoop. Google, you don't fool me; I am no sheep.

5
6
Anonymous Coward

Re: What's the Point of Encryption?

I imagine there's a little bit of foam on your lips after typing that one.

4
1
Silver badge

Re: What's the Point of Encryption?

FYI, there is no indication from the NSA slides that any company, big or small, has willingly let the NSA read its data except under a court order or other legal requirement.

3
3

Re: What's the Point of Encryption?

Sure pal, whatever you say.

http://gigaom.com/2013/07/09/snowden-maintains-the-nsa-has-direct-access-to-company-servers-which-means-someone-is-lying/

3
0
Bronze badge

Re: What's the Point of Encryption?

You started to lose me when you started foaming at the mouth.

You totally lost me when you blathered "risked his life".

Risked imprisonment, yes, his life, no.

But, I don't expect a paranoid person to comprehend that modest difference. Or to seek professional mental health care guidance.

2
2

Re: What's the Point of Encryption?

"You started to lose me when you started foaming at the mouth.

You totally lost me when you blathered "risked his life".

Risked imprisonment, yes, his life, no.

But, I don't expect a paranoid person to comprehend that modest difference. Or to seek professional mental health care guidance."

US government officials said they would like to kill Snowden. Do some research before enlightening us all to your true idiocy, please.

1
0
Anonymous Coward

So they encrypt them in transit so 'other people' cannot snoop (as easily) but assume that does nothing for THEM mining your data for profit or giving government agencies access via a court order etc.?

4
1
Bronze badge

"So they encrypt them in transit so 'other people' cannot snoop (as easily) but assume that does nothing for THEM mining your data for profit or giving government agencies access via a court order etc.?"

No, but that's the choice you make when you select a service to use rather than a home email server.

At least they're trying to protect us from the numpties who use their email and the like over coffee shop wifi and make it less trivial to snoop on their traffic. Doesn't matter how careful we are if at the other end it's being beamed across Starbucks unencrypted.

2
0
Bronze badge

Cryptic

I'm assuming the phone calls coming in from the NSA/GCHQ to ask for any of their users' sh*t will be encrypted as well? Because I'm fine with that. Not.

0
0
TRT
Silver badge

Pissing Tiscali...

Still don't have SSL enabled on their IMAP server. But you try telling THAT to the helpdesk monkeys.

1
0

Re: Pissing Tiscali...

Eh?

imap.googlemail.com and imap.gmail.com both support IMAPS (port 993).

1
0
TRT
Silver badge

Re: Pissing Tiscali...

tiscali.

I've just redirected all my tiscali mail to my gmail account as tiscali won't do SSL and gmail does. TalkTalk support refuse point blank to accept that they do not have SSL on all the accounts (from ex-ISPs they've taken over) that they service.

In this day and age of unencrypted WiFi in coffee shops and tube stations etc. you'd think end-to-end encryption was mandatory.

0
0
Gold badge

https not universal

Google really pisses me off with their HTTPS insistence. I was visiting a site in a not so friendly place, and ALL https from that part of the world went to /dev/null. Doesn't matter what you use, wired or GSM, https just gets blocked (similarly VPN). Go to www.google.com (or .co.uk) and it just redirects to HTTPS, and fails right there.

Google's solution is to login using https, and turn it off. Firstly the fact that HTTPS doesn't work is lost on them. Secondly it requires you to log in just to use search, and that if you only use HTTP, it means logging in with the password in clear text.

I had to find out in that moment how bad Bing really was.

0
1
TRT
Silver badge

Re: https not universal

You don't have a VPN tunnel?

0
0
Gold badge

Re: https not universal

No. At this particular site, all traffic that is not clear-text gets blocked. EVERYTHING. You can use http, and smtp in the clear, but https, ssl, vpn, etc gets blocked by the regional/national firewall. I seem to remember having mixed results with ftp sometimes working, sometimes not. At one point they started allowing https, but they were actually doing a man in the middle, so the certs all reported failures, and it was god awful slow, but they've turned that off again.

0
0
Bronze badge
Meh

I was visiting a site in a not so friendly place, and ALL https from that part of the world went to /dev/null.

Doesn't that say more about that unfriendly country than it does HTTPS? I'm sorry you were inconvenienced, but you couldn't ask for a more blatant message than if there were a sign above your (rotary) phone that said "Please speak loudly and clearly, our reel-to-reel tape machines are wobbly."

4
0

It's Secure*

"Every single email message you send or receive ... is encrypted while moving internally"

Yup. Gotta be clear about that little point. INTERNALLY. Once it leaves their server, all bets are off.

1
0

Re: It's Secure*

Also, if people send you an e-mail from non-gmail servers the MX record offers STARTTLS, and the certificate appears to be genuine, however:

- I suspect most mail servers don't try STARTTLS when delivering mail (at least in my experience)

- even those that do STARTTLS, most of those won't validate the certificate so MITM attacks are still very real

Also, unless you use PGP or S/MIME to encrypt the contents of the e-mail, it's still stored in plain text, so any intermediate SMTP operator can read your e-mail or it can be intercepted.

So being able to browse your mail over SSL is all well and good, but it's still not secure.

0
0
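An added example, not part of the comment above or of any poster's code: a check an administrator can run against their own MX hosts to see what a sending server that does try STARTTLS and does validate the certificate would observe. The EHLO name `audit.invalid` and the result labels are assumptions made for this sketch.

```python
import smtplib
import ssl


def audit_mx(host, port=25, timeout=10):
    """Classify how a validating sender would fare against one MX host.

    Returns 'no-starttls', 'starttls-refused', 'cert-invalid' or 'tls-verified'.
    """
    # local_hostname is a placeholder EHLO name; setting it also avoids a DNS lookup.
    smtp = smtplib.SMTP(host, port, local_hostname="audit.invalid", timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # The server never offers TLS, so delivery stays in clear text.
            return "no-starttls"
        # The default context requires a trusted chain and a matching host name.
        context = ssl.create_default_context()
        try:
            smtp.starttls(context=context)
        except smtplib.SMTPResponseException:
            # STARTTLS was advertised but the command was not answered with 220.
            return "starttls-refused"
        except ssl.SSLCertVerificationError:
            # A sender that skips validation would have accepted this certificate.
            return "cert-invalid"
        smtp.ehlo()  # RFC 3207: issue EHLO again once the TLS session is up
        return "tls-verified"
    finally:
        smtp.close()


if __name__ == "__main__":
    import sys

    # Usage: python audit_mx.py mx1.example.org mx2.example.org
    for mx in sys.argv[1:]:
        print(mx, audit_mx(mx))
```

Only `tls-verified` means a strict sender would deliver over an authenticated channel; message contents are still readable at every hop unless PGP or S/MIME is used.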
Silver badge

Re: It's Secure*

"the MX record offers STARTTLS,"

Huh?

0
0

Re: It's Secure*

@Jamie Jones

Sorry, poor phrasing

The servers pointed to by their MX record offer STARTTLS

0
0
Silver badge
Happy

Re: It's Secure*

Sorry, I was being a pedantic little twit (Hey, it's the internet, I'm allowed!)

0
0

This post has been deleted by its author

Bronze badge

One small step...

It's a step in the right direction, certainly - but they still have no DNSSEC (or indeed DNSCurve!) on google.com, which still bugs me. (I have both on my personal domain; I use Fastmail for mail services, which does do STARTTLS with valid certificates as well, redirects HTTP to HTTPS and supports several one-time password setups - but no DNSSEC on their domain either.)

So, not bulletproof - indeed, a BT subsidiary (accidentally?) hijacked traffic to some of Google's DNS servers last week: http://www.itnews.com.au/News/375278,google-dns-servers-suffer-brief-traffic-hijack.aspx - but still, better than nothing ... not to mention, better than Hotmail's SMTP servers offer!

0
0