Just hours after Google disclosed it and at least 20 other large companies were the targets of highly sophisticated cyberattacks, the online giant said it would enhance the security of its email service by automatically encrypting entire web sessions. The change, which Google is in the process of rolling out now, means Gmail …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Wednesday 13th January 2010 20:11 GMT Anonymous Coward

Silver lining.

A modest thumb's-up to Google for having belatedly done the right thing. CPUs and networks are fast these days, I think I'd be willing to put up with the overhead pretty much everywhere.

0 0
Wednesday 13th January 2010 20:11 GMT Anonymous Coward

Engineering Director FAIL

"encrypted data doesn't travel across the web as quickly as unencrypted data"

Nothing to do with the load on our servers, honest guv.

1 0
1. Wednesday 13th January 2010 20:57 GMT Lou Gosselin
  
  @Engineering Director FAIL
  
  "https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data," Gmail Engineering Director Sam Schillace wrote
  
  I noticed this as well. Especially as director of engineering, his words were poorly chosen. Though in his defense, maybe he was thinking that deep packet inspection at the ISPs would throttle the traffic because it was encrypted?
  
  As for end to end HTTPS, that's a big duh. Plain HTTP has always been vulnerable to man in the middle, even if HTTPS is used to authenticate the HTTP session. Frankly we all should have know that well before the China incident.
  
  0 0
  1. Thursday 14th January 2010 19:43 GMT Jamie Jones
    
    Mr.
    
    In some cases he's correct, due to compression.
    
    Sure, if the webserver does gzip compression on the document before encryption, then the compression holds out, but many places use compresssion on a link, vpns, etc. and some networks, so therefore it would take longer in those cases.
    
    Also, local caching of objects doesn't exist with https, and he might simply be describing this in a less technical way.
    
    Both of these situations, in layman terms does mean "https is slower than http"
    
    0 0
Wednesday 13th January 2010 20:12 GMT (AMPC) Anonymous and mostly paranoid coward

There is no such thing as bad publicity

I like, I like.... could we finally return back to the era of sealed envelopes? Only Google knows for sure.

0 0
Wednesday 13th January 2010 20:57 GMT Anonymous Coward

Fastmail

Have been doing this for years

0 0
Wednesday 13th January 2010 21:07 GMT Anonymous 16

Google's spin

Could someone please explain how end to end encryption would prevent phishing attacks. Isn't it like putting two locks on door to stop thieves, when the thieves already have keys to both locks?

0 0
1. Wednesday 13th January 2010 22:38 GMT Anonymous Coward
  
  @Anonymous 16
  
  Theyre talking about Packet Injection phising.
  
  Where fields are added to web forms
  
  0 0
Wednesday 13th January 2010 21:07 GMT Anonymous Coward

Cool

On my moderately used GMail account I of course had ssl always on enabled, so no big deal for me, but Mr. Average user probably didn't, so a good move.

0 0
Wednesday 13th January 2010 21:07 GMT Anonymous Coward

Email melts down after china attack

The China Syndrome 2.0 ?

0 0
Wednesday 13th January 2010 23:03 GMT Anonymous Coward

iPhone

What do the millions of iPhone users do, the mail client transport does not appear to be encrypted for gmail...

<cue iPhone user abuse comments>

0 0
1. Thursday 14th January 2010 12:46 GMT John 62
  
  GMail on iPhone works fine
  
  I've had https enabled for ages and it GMail works fine with Mail.ipa
  
  0 0
Thursday 14th January 2010 00:09 GMT heyrick

You what?

"encrypted data doesn't travel across the web as quickly as unencrypted data"

Data is data, it's just packets right, only really making sense to the machines at either end of the link... ?

0 0
1. Thursday 14th January 2010 04:15 GMT Cliff
  
  Compression?
  
  I'm guessing randomised binary data is harder to compress than ASCII where on-the-fly compression is used, and maybe there are checksum overheads and stuff too?
  
  Purely guessing, but I could imagine how that could easily be the case, y'know?
  
  0 0
Thursday 14th January 2010 00:09 GMT raving angry loony

translation

translation: "China based hackers" == "Chinese government". But I guess one has to be polite to the new 500lb gorilla on the playing field.

Now to get email vendors to implement "always on" encryption of ALL email. Have people setup a public key as part of the email setup or something.

Someday, I personally hope to see the death of http:// (replaced by https://) and of unsecured, unencrypted pop/imap/smtp/etc. sessions. I won't hold my breath though.

0 0
Thursday 14th January 2010 00:09 GMT Andrew Witham

SSL for Search Next?

It wouldn't stop access from being blocked altogether.... but it would prevent the possibility of selective blocking of search terms which would other wise manipulate results.

0 0
1. Thursday 14th January 2010 19:43 GMT Anonymous Coward
  
  SSL for Search Next?
  
  https://ssl.scroogle.org/
  
  0 0
Thursday 14th January 2010 00:21 GMT Long Fei

Ads

I wonder how this will affect their targeted ads.

0 0
Thursday 14th January 2010 04:15 GMT RobE

HAHAHahahahaha

about time some one did something sensible like this. Although it wont stop attacks it will make them far less successful.

0 0
Thursday 14th January 2010 04:15 GMT Patrick O'Reilly

Gmail is one thing.

It's all well and good having your gmail session encrypted, but what about when you move to another part of the Google domain?

0 0
Thursday 14th January 2010 04:15 GMT Anonymous Coward

great but why is the announcement going to an unencrypted HTTP page

Was most bemused to see that although I was in a httpS secure session on my gmail account, that clicking on the Announcement message took me to a http page.

0 0
Thursday 14th January 2010 11:02 GMT floweracre

Mobile Phones

We use Nokia N71's. The GMail client is great but if the "use SSL" is turned on on the account, you cant get at it on the mobile. The only way is to, unfortunatly, uncheck this option.

Or is there a way to use SSL on the Nokia?

Open to idea

Tony

0 0
1. Thursday 14th January 2010 11:48 GMT ph3d
  
  uh..
  
  login on a pc and change the settings then login via mobile?
  
  0 0
Thursday 14th January 2010 13:05 GMT Anonymous Coward

Next Week...

Next week, Google will announce their "selected partner" program that (for a fee, of course) will allow "inspection" of the encrypted data going in/out of Google's servers. Their first customer? A small nation sitting roughly between Russia and India....

^

this is the ... step in Google's "South Park" plan:

1. Get people to use your e-mail service

2. Tell your customers the service cannot be hacked

3. ...

4. Profit

0 0
Thursday 14th January 2010 19:43 GMT Anonymous Coward

Gmail Notifier

I wonder if they'll update the default behaviour in GMail Notifier to use https now, rather than making those using "Always use https" install a registry hack to get it to work (http://mail.google.com/support/bin/answer.py?hl=en&answer=9429)

No sign of it yet.

0 0
Saturday 16th January 2010 00:32 GMT Mr Templedene

Well they broke it for me

I can no longer login in to ANY google service using my browser of choice Opera. I've not been able to login to my blogger account for nearly 2 weeks.

It works in fine firefox but I don't want to have to have two browsers open just to access google services.

I have used Opera for years and all my bookmarks, special site settings, customised options and "muscle memory" of the various keyboard shortcuts are just too much effort to move over. Plus Opera has just too many features firefox cannot match.

I'd rather not use google services than change browser.

They just lost a user, but as I never had to pay for any of it I guess I can't complain.

0 0