A modest thumb's-up to Google for having belatedly done the right thing. CPUs and networks are fast these days, I think I'd be willing to put up with the overhead pretty much everywhere.
Just hours after Google disclosed it and at least 20 other large companies were the targets of highly sophisticated cyberattacks, the online giant said it would enhance the security of its email service by automatically encrypting entire web sessions. The change, which Google is in the process of rolling out now, means Gmail …
"https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data," Gmail Engineering Director Sam Schillace wrote
I noticed this as well. Especially as director of engineering, his words were poorly chosen. Though in his defense, maybe he was thinking that deep packet inspection at the ISPs would throttle the traffic because it was encrypted?
As for end to end HTTPS, that's a big duh. Plain HTTP has always been vulnerable to man in the middle, even if HTTPS is used to authenticate the HTTP session. Frankly we all should have know that well before the China incident.
In some cases he's correct, due to compression.
Sure, if the webserver does gzip compression on the document before encryption, then the compression holds out, but many places use compresssion on a link, vpns, etc. and some networks, so therefore it would take longer in those cases.
Also, local caching of objects doesn't exist with https, and he might simply be describing this in a less technical way.
Both of these situations, in layman terms does mean "https is slower than http"
translation: "China based hackers" == "Chinese government". But I guess one has to be polite to the new 500lb gorilla on the playing field.
Now to get email vendors to implement "always on" encryption of ALL email. Have people setup a public key as part of the email setup or something.
Someday, I personally hope to see the death of http:// (replaced by https://) and of unsecured, unencrypted pop/imap/smtp/etc. sessions. I won't hold my breath though.
Next week, Google will announce their "selected partner" program that (for a fee, of course) will allow "inspection" of the encrypted data going in/out of Google's servers. Their first customer? A small nation sitting roughly between Russia and India....
this is the ... step in Google's "South Park" plan:
1. Get people to use your e-mail service
2. Tell your customers the service cannot be hacked
I can no longer login in to ANY google service using my browser of choice Opera. I've not been able to login to my blogger account for nearly 2 weeks.
It works in fine firefox but I don't want to have to have two browsers open just to access google services.
I have used Opera for years and all my bookmarks, special site settings, customised options and "muscle memory" of the various keyboard shortcuts are just too much effort to move over. Plus Opera has just too many features firefox cannot match.
I'd rather not use google services than change browser.
They just lost a user, but as I never had to pay for any of it I guess I can't complain.
Biting the hand that feeds IT © 1998–2019