Slashdot: News for Nerds

Gmail Goes HTTPS Only For All Connections

Unknown Lamer posted about 4 months ago | from the nsa-already-has-the-private-key dept.

Google 141

Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone—including the NSA–who is trying to snoop on those Gmail sessions." GMail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.

141 comments

More lip service (5, Insightful)

Anonymous Coward | about 4 months ago | (#46537277)

The NSA has compromised certificates so this will make no real difference.
This is the backscatter xray machine of internet security.

Re: More lip service (3, Informative)

vadim_t (324782) | about 4 months ago | (#46537575)

Google has their own CA. Of course the NSA may demand certs from them, but Google will have to know, so the NSA can't do it secretly anymore

Uhmm (4, Insightful)

nashv (1479253) | about 4 months ago | (#46537607)

I don't know if you've been keeping up. But people fully EXPECT the NSA to be up to nasty secret snooping habits. That is actually the minor part of the story that caused the outrage. The more dangerous fact is that the NSA can demand companies or individuals turn over data to them and impose a gag order thus forcing them to keep it secret.

So AC is right in this case. Just more lip service. Encryption on your own servers is the only way to remain relatively protected.

It's not just the warrants. (5, Interesting)

Ungrounded Lightning (62228) | about 4 months ago | (#46538125)

... people fully EXPECT the NSA to be up to nasty secret snooping habits. That is actually the minor part of the story that caused the outrage. The more dangerous fact is that the NSA can demand companies or individuals turn over data to them and impose a gag order thus forcing them to keep it secret.

I agree that the latter IS a big problem. But I don't agree that it's the ONLY problem, or the only BIG one.

National Security Letters are still relatively narrow compared to what the NSA did. They also tapped the fibers Google and others used to communicate with each other, and used these taps to snoop everything that went across them, without Google's knowledge.

I encountered a Google engineer with job responsibilities related to that at a conference last year, and he was LIVID. They'd tapped fibers OWNED BY GOOGLE - trespassing and damaging them (along with Google's credibility) in the process - with no letters, warrants, wink-wink-nudge-nudge, or what-have-you. Google has since been installing encryption throughout its network - not just where it leaves the building, but even from rack to rack.

Maybe they're still stuck disclosing SOME stuff. But at least they're trying to know what it is, do their best to minimize it (and protect their model), and avoid inadvertently firehosing EVERYTHING into the maw of the NSA.

Re:Uhmm (1)

Severus Snape (2376318) | about 4 months ago | (#46538227)

Absolutely. You just made my point for me. The problem shall be now a lot of the media will now present this as a milestone to easing public anger over what the public knows. By now the NSA and GCHQ will know the files Snowden has through investigation (police greeting David Miranda with Terrorism laws at Heathrow to make copies of his HDD must have helped) so here comes the game of cat and mouse; possibly until Congress freaks out.

It's the comedy that doesn't stop giving!

Re: More lip service (2)

AlphaWolf_HK (692722) | about 4 months ago | (#46537679)

So long as Google can read your emails, so can the NSA. All they have to do is get a court order. With the way email works, any email provider can read your emails really, so it's not just google.

What ultimately needs to happen is for emails to become asymmetric encrypted.

Re: More lip service (1)

vadim_t (324782) | about 4 months ago | (#46537871)

Obviously. I didn't claim otherwise

Re: More lip service (0)

Anonymous Coward | about 4 months ago | (#46537995)

What ultimately needs to happen is for emails to become asymmetric encrypted.

I don't think that will stop the NSA....

Re: More lip service (3, Informative)

heypete (60671) | about 4 months ago | (#46537969)

Google has their own intermediate CA, which is a subsidiary of GeoTrust. Given that such an intermediate could issue certs for the global internet, GeoTrust probably provides a "managed PKI" service where they retain control of the intermediate so that it will only issue certs for Google-controlled domains.

In such a situation, GeoTrust could be compelled to issue certs using Google's intermediate CA without Google's knowledge.

Alternatively, if Google maintained control of the intermediate, the NSA would need to compel Google to generate certs for them from their own intermediate. However, if the NSA went to GeoTrust and demanded that they generate an intermediate CA with all the same details (CN, O, OU, etc.) as the Google one, the NSA could generate certs for Google without Google knowing.

Re: More lip service (1, Informative)

Wootery (1087023) | about 4 months ago | (#46538089)

but Google will have to know, so the NSA can't do it secretly anymore

Sure, but that doesn't matter. Google (will roll | have rolled | are rolling) over for the NSA, so you don't gain anything by this.

The moment the NSA have to ask you personally, that's when you're onto something. End-to-end crypto gives you that, of course.

Related: Tox secure IM [tox.im] , the Blackphone [blackphone.ch] . Do keep an eye on those two projects. Promising stuff.

Re: More lip service (1)

AmiMoJo (196126) | about 4 months ago | (#46538637)

Of course it matters. The NSA is trying to spy on everyone all the time, and this means they will have to do far more to target individual Gmail users instead of just hoovering it all up. That's the goal, to make mass surveillance impossible or at least extremely costly. It doesn't have to be perfect to do a lot of good.

Re: More lip service (1)

Wootery (1087023) | about 4 months ago | (#46538825)

Google is in bed with the NSA. The NSA have Google's keys. There is at best some level of inconvenience for the NSA, but nothing more. Nothing to stop them spying on millions.

You, the spied-on end-user, do not benefit. (Well, HTTPS might keep others out, but not the NSA.) You are not made aware of when the NSA spy on you.

Anyway, even before Gmail 'went HTTPS only', virtually all use of GMail was surely still through HTTPS.

Re: More lip service (1)

Khashishi (775369) | about 4 months ago | (#46538467)

Google may have to know, but you won't know.

Re: More lip service (2)

AmiMoJo (196126) | about 4 months ago | (#46538537)

Moreover Google have positioned themselves so that even if there was a secret court order to provide a certificate to the NSA it would be immediately obvious what had happened. Chrome pins Google certificates so if they change the user will be notified immediately. The court could order Chrome to have the new cert pinned as well, but of course it wouldn't affect older versions released prior to the order.

Google does seem to be genuinely trying to resist, even if ultimately it may be futile. At least they made that much harder.

Re: More lip service (1)

epyT-R (613989) | about 4 months ago | (#46538623)

What google's doing is just a stupid PR stunt. They are legally bound by law not to acknowledge any NSA wiretapping, so when it became public knowledge they put on a show of faux outrage as a PR stunt. I guarantee the NSA is still getting google traffic and that google is complicit in it.

Re:More lip service (4, Insightful)

DickBreath (207180) | about 4 months ago | (#46537579)

Better to compromise certificate authorities than to compromise certificates.

After all, who wouldn't trust a certificate authority. There are so many to choose from.

If your browser is presented with a genuine signed Google.com certificate, issued by Honest Achmed's Trusty Certificates of Tehran Iran, then why shouldn't your browser just trust this certificate from a trusted CA?

Re:More lip service (0)

Anonymous Coward | about 4 months ago | (#46538197)

If you use Chrome, certificate pinning, which actually stopped an attack in Iran specifically... all the way back in 2011:

http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
http://blog.chromium.org/2011/06/new-chromium-security-features-june.html

Re:More lip service (2)

ObsessiveMathsFreak (773371) | about 4 months ago | (#46538359)

If your browser is presented with a genuine signed Google.com certificate, issued by Honest Achmed's Trusty Certificates of Tehran Iran, then why shouldn't your browser just trust this certificate from a trusted CA?

Because if you don't accept, your browser will emit a shrill piercing wail [youtube.com] , loudly declaiming your obscene and heretical attempts to use a secure connection which has not been certified. A yellow clad official [pingdom.com] -- likely of Arstotzkan [knowyourmeme.com] origin -- will appear to lend an air of official disapproval to the disgraceful suggestion that you should prefer encryption, any encryption, over plain text without authentication.

So, you must Accept Our Glorious CA Validated HTTPS Protocols or else revert to wide open plain text. Cause no trouble.

P.S.

I personally believe that Firefox's self signed policies were the result of NSA lobbying/influence at Mozilla. The secure web was set back a decade by this decision, and the fallout has rendered the entire CA and hence https infrastructure all but useless.

Re:More lip service (1)

AmiMoJo (196126) | about 4 months ago | (#46538607)

If your browser is presented with a genuine signed Google.com certificate, issued by Honest Achmed's Trusty Certificates of Tehran Iran, then why shouldn't your browser just trust this certificate from a trusted CA?

Because Google pin their certificates in Chrome, so the user would be instantly warned of the change. For non-pinned certificates you need to install a plug-in.

Re:More lip service (1)

whoever57 (658626) | about 4 months ago | (#46538621)

Better to compromise certificate authorities than to compromise certificates.

Let's say you work for a large tech company based in Mountain View and, when connecting from home, you actually inspect the certificate that is presented to your browser and it isn't the certificate that you expect. What do you do?

Next, assume you tell your bosses. What do they do?

Re:More lip service (2)

Trax3001BBS (2368736) | about 4 months ago | (#46537741)

The NSA has compromised certificates

Odd you should mention that. The link in the summary gave me a bad cert alert for */hs.llnwd.net this has happened to me before (Opera 12). llnwd.net is a source for video http://support.brightcove.com/... [brightcove.com]

I see it as a problem with Opera, but reject them just in case.

Google agreed to NSA spying anyway (1)

AkkarAnadyr (164341) | about 4 months ago | (#46538245)

So says the NSA's lawyer. [theguardian.com]

It's not so much "lip service" as "bullshit".

Re:More lip service (1)

kqs (1038910) | about 4 months ago | (#46538437)

Oh noes! You are clearly smarter than Google, since they didn't think of that [blogspot.com] !

Uh the NSA post it says different (5, Informative)

goombah99 (560566) | about 4 months ago | (#46537283)

Does Google not recall the NSA post it note showing that they intercept the post-SSL server to server communications within the googlesphere? NSA doesn't care about HTTPS to google as long as that back channel is still there.

Re:Uh the NSA post it says different (4, Informative)

goombah99 (560566) | about 4 months ago | (#46537293)

Here's a link:

http://www.gizmodo.com.au/2013... [gizmodo.com.au]

Re:Uh the NSA post it says different (2)

swillden (191260) | about 4 months ago | (#46538541)

Here's a link:

http://www.gizmodo.com.au/2013... [gizmodo.com.au]

That document is what motivated Google to encrypt all links between data centers, specifically to stop that.

Re:Uh the NSA post it says different (0)

Anonymous Coward | about 4 months ago | (#46538877)

Unless google invented practical homomorphic algorithms, it's still decrypted somewhere. Just a different post it note.

Re:Uh the NSA post it says different (0)

Anonymous Coward | about 4 months ago | (#46537355)

Google said they would secure their internal communications and were furious when they found out.

Re:Uh the NSA post it says different (3, Insightful)

Anonymous Coward | about 4 months ago | (#46537429)

Google was only furious because the NSA was accessing the data without paying.

Re:Uh the NSA post it says different (4, Funny)

DickBreath (207180) | about 4 months ago | (#46537591)

> Google was only furious because the NSA was accessing the data without paying.

Wrong. Google was only furious because the NSA was accessing the data without seeing ads.

Re:Uh the NSA post it says different (1)

SlickUSA (1749194) | about 4 months ago | (#46537603)

Clever girl....

Re:Uh the NSA post it says different (0)

Anonymous Coward | about 4 months ago | (#46537675)

slowclap.gif

Re:Uh the NSA post it says different (1)

SuperKendall (25149) | about 4 months ago | (#46537767)

Even worse, the NSA was NOT contributing metrics back for what they were viewing.

There's real value in knowing to properly target ads for tinfoil to people that actually need it.

Re:Uh the NSA post it says different (1)

swillden (191260) | about 4 months ago | (#46538559)

Google was only furious because the NSA was accessing the data without paying.

Google doesn't sell user data to anyone. What makes you think they'd be happy to give it to the NSA if they were paid? If Google were interested in exchanging user data for money (and if it didn't contradict Google's privacy policy), they could sell lots of it.

Re:Uh the NSA post it says different (1)

Charliemopps (1157495) | about 4 months ago | (#46537363)

Supposedly Google recently closed that loophole. But I seriously doubt that was the NSA's only way in. If I were running the NSA, half the staff at google would be my agents. If that's truly the case, there's basically nothing google can do to stop them.

Re:Uh the NSA post it says different (1)

gstoddart (321705) | about 4 months ago | (#46538515)

If that's truly the case, there's basically nothing google can do to stop them.

Walk in with a couple of FISA warrants and a few guys in dark suits .. and guess what? There's still not a fucking thing Google can do to stop them.

At best Google will encourage better security from other parties, but if you think you can stop Big Brother carrying a FISA warrant that says your ass goes to jail for a long time if you tell anybody ... well, you're awfully naive.

This is good PR, and it's good security practice. But it can do nothing at all from having the feds simply demand they hand something over, or give them hooks into the system where it's unencrypted, or handing over their entire database, or any other thing they want.

The PATRIOT Act more or less guarantees that no American company could legally keep the NSA out (or whatever agency has the right paperwork).

No company operating in American soil has that ability any more. Period. And in other countries, either they just do it by sneaky means, or the local government steps in and makes the same kind of request.

We have entered a world in which the most raving tin-foil hat conspiracies are essentially true. And due to the secrecy requirements of the secret laws, if you tell someone (or try to) they'll just unleash those powers on you personally. And that will not end well for you.

Big Brother is here, right now. And he'll neither give up the powers he's got, nor allow you to tell someone when he exercised them.

Re:Uh the NSA post it says different (2)

bill_mcgonigle (4333) | about 4 months ago | (#46538665)

Walk in with a couple of FISA warrants and a few guys in dark suits .. and guess what? There's still not a fucking thing Google can do to stop them.

If I were Google and seriously concerned about this, I'd encrypt the data in a chaining mode and keep half(+-) of the bits in different data centers in different jurisdictions.

Yeah, the bandwidth issue is real. But the best a gang could do is seize some drives with nothing useful on them. They'd be better off attacking the suspect's machine, and then at that point it's no longer Google's secret problem.

Re:Uh the NSA post it says different (1)

gstoddart (321705) | about 4 months ago | (#46538855)

If I were Google and seriously concerned about this, I'd encrypt the data in a chaining mode and keep half(+-) of the bits in different data centers in different jurisdictions.

Right. Sounds good in a paperback novel.

But when they can compel you to hand over your data and not tell anybody, they can compel you to hand over all your data, including how to assemble the bits again. A National Security Letter is an all powerful writ if they want them to be.

You really think "no sir" or "we don't know how" are going to hold up to this kind of pressure? When they can march everyone involved off to jail and simply find the next batch of Google folks who know how to do it?

Are you missing the whole thing where they can compel you (under threat of secret federal law), detain you (under whatever secret provisions they have), and generally make life miserable for you and your family? "Sorry Ma'am, but, yes, we do need to seize your house and your kids' college fund. No Ma'am, we can't tell you why. No Ma'am, we can't tell you where your husband is. No Ma'am, nobody is going to give a job to someone married to someone who helped terrorists."

I seriously doubt as a practical matter Google could keep the NSA out. Because as long as they're legally entitled to it (so they say) and in possession of the paperwork from the right judge (who may or may not just rubber stamp it) ... what is your recourse when the all powerful Big Brother shows up?

The terms of the PATRIOT Act more or less say that if Uncle Sam comes knocking with the right paperwork, non-compliance isn't an option, and telling someone about it isn't an option.

If you as a private individual hold out and are willing to go to jail for your convictions, I'm sure they'd accommodate you. But a corporation? No way that would happen -- which is why they get compensated for their manpower and reminded not to tell anybody. But it really is a case where there's nothing voluntary about this when you're talking about corporations. Unless the company more or less caves in and decides to be as helpful as possible to make their lives easier.

I wish you were right, and that what you say could happen. But I fear the US has more or less created their own all-powerful agency of State Security, which is ruthless, powerful, and capable of doing whatever the fuck they want.

And that's before you start assuming they're doing more than is either strictly legal, or that they're even willing to allow us know is happening.

Re:Uh the NSA post it says different (3, Informative)

QuasiSteve (2042606) | about 4 months ago | (#46537367)

Isn't that in part what this..

The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers.

..is supposed to refer to?

Of course if they're just going to pretend to be Google and fool browsers into thinking they're talking to Google and decrypt/re-encrypt at that point, there's not much Google can do about it anyway.

Re:Uh the NSA post it says different (1)

kqs (1038910) | about 4 months ago | (#46538465)

Of course if they're just going to pretend to be Google and fool browsers into thinking they're talking to Google and decrypt/re-encrypt at that point, there's not much Google can do about it anyway.

Yeah, not much they can do [chromium.org] .

Encryption is not the answer (5, Insightful)

rudy_wayne (414635) | about 4 months ago | (#46537611)

Ultimately, encryption is meaningless. If the NSA (or any other governmental agency) wants something, they will get it.

Even if you invent some super-duper-impossible-to-crack encryption, they will simply go to a secret court (that is accountable to no one) and get a secret order, that you must comply with and that you aren't allowed to talk about under penalty of going to prison, on the grounds of NATIONAL SECURITY.

Until *THAT* problem is addressed, encryption is meaningless.

Re:Encryption is not the answer (0)

Anonymous Coward | about 4 months ago | (#46538419)

Except that not everybody lives in Soviet USA, thus it's still a solution for those outside that regime.

Re: Uh the NSA post it says different (0)

Anonymous Coward | about 4 months ago | (#46538151)

Can I trade my government minder in for a U.S. hater living in a cave in the middle of the desert please! I'd rather deal with the 0.00000012% chance of sudden death by religious crazies, than being subject to SECRET govt law enforcement because I might type something suspicious someday!

Doesn't matter (1)

Anonymous Coward | about 4 months ago | (#46537291)

The feds have all the SSL keys anyhow.

Re:Doesn't matter (4, Interesting)

Agent ME (1411269) | about 4 months ago | (#46537353)

If perfect forward secrecy is used in the connections (which most HTTPS sites seem to do last I checked), then knowing the private keys doesn't even help them decrypt a connection, *unless* they're actively man-in-the-middling the connection from the start (which I'm sure they do often against interesting people, but probably not anywhere near 100% of everything).

Re:Doesn't matter (4, Informative)

vux984 (928602) | about 4 months ago | (#46537411)

Unless Google is just handing them everything anyway via Prism, or whatever other programs are in place.

This is like installing bars over the windows to keep the govt out, knowing full well you already gave them the keys to the front door.

Re:Doesn't matter (5, Informative)

glenebob (414078) | about 4 months ago | (#46537651)

Somebody mod this up. This is dead right.

Google can encrypt the data all they want, right down to encrypting it when it arrives, and leaving it encrypted for its lifetime on their servers, but the NSA can just say "gimme the data AND the keys to unlock it". The keys are just data, and obviously Google has access to them, therefore so does the NSA.

Re:Doesn't matter (4, Insightful)

swillden (191260) | about 4 months ago | (#46538589)

Somebody mod this up. This is dead right.

Google can encrypt the data all they want, right down to encrypting it when it arrives, and leaving it encrypted for its lifetime on their servers, but the NSA can just say "gimme the data AND the keys to unlock it". The keys are just data, and obviously Google has access to them, therefore so does the NSA.

More precisely, the NSA would just say "gimme the decrypted data". But it's simply wrong to say that's not an important difference.

If the NSA can snoop all connections they can scoop up terabytes of data and figure out later what's interesting and no one is the wiser. If they have to ask Google, they have to make the request specific and they have to provide justification that will satisfy some set of legally-defined standards -- and Google will then add the request to the published transparency statistics so legislators and voters can see how much is being done and decide if it's excessive.

There's a huge difference there.

Oh, and I can't think of any case in which the government could legally demand the keys.

Re:Doesn't matter (1)

vux984 (928602) | about 4 months ago | (#46538747)

Oh, and I can't think of any case in which the government could legally demand the keys.

Pretty sure that's exactly what they did to Lavabit:

The government's move against Lavabit was resisted tenaciously by Levison. After much wrangling, Levison eventually handed over Lavabit's cryptographic key in digital form, after earlier trying to satisfy a court order by printing out and handing over a copy of the key in 4-point type, a move that irked the judge handling the case.

After Lavabit resisted complying with government demands, it was held in contempt of court and fined $5,000 a day until it turned a machine-readable version of the key over.

http://www.theregister.co.uk/2... [theregister.co.uk]

Re:Doesn't matter (1)

Khashishi (775369) | about 4 months ago | (#46538511)

It exists to protect against folks like lulzsec, not the government.

Re:Doesn't matter (1)

vux984 (928602) | about 4 months ago | (#46538697)

Of course that is true, and I wouldn't have made my comment if THAT is what the summary stated... but instead the entire summary is framed around the NSA...

From the first sentence:
"Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions."

to the last one:
"This makes life much more difficult for anyone—including the NSA–who is trying to snoop on those Gmail sessions."

So... it's only natural that any argument is also framed within the context of the NSA.

https://NSA.certificate.gov (1)

fustakrakich (1673220) | about 4 months ago | (#46537313)

This is nothing but a waste of bandwidth and only makes tracking easier. Oh, wait... now I get it.

What version? Also, Google Talk is pretty dead. (2)

twocows (1216842) | about 4 months ago | (#46537327)

Are they using SSL, or are they using TLS? Which version of either are they using? Most modern browsers support TLS 1.1 and 1.2, but I can imagine Google falling back to 1.0 or even SSL for compatibility with fossils.

As much as I personally love Google Talk, it's about as dead as you can get. Most links have been redirected to Hangouts, and those that aren't, you have to access manually. If anyone cares, here's the only working link that I'm aware of for Google Talk: http://www.google.com/talk/ind... [google.com]

Re:What version? Also, Google Talk is pretty dead. (2)

Baloroth (2370816) | about 4 months ago | (#46537471)

I just checked, TLS 1.2 when supported, but they will fall back to 1.0 if the browser doesn't support newer 1.1/1.2. Didn't see if they'll fall back to SSL or not (or if it falls back to 1.1 at all).

Re:What version? Also, Google Talk is pretty dead. (0)

Anonymous Coward | about 4 months ago | (#46537837)

Awesome, thanks!

NSA claims Google and others are lying (0)

JoeyRox (2711699) | about 4 months ago | (#46537329)

NSA LAWYER: Tech Companies Knew We Collected Their Data http://www.businessinsider.com... [businessinsider.com]

Re:NSA claims Google and others are lying (4, Informative)

poetmatt (793785) | about 4 months ago | (#46537405)

Please. This was debunked already. http://www.techdirt.com/articl... [techdirt.com]

Re:NSA claims Google and others are lying (3)

fustakrakich (1673220) | about 4 months ago | (#46537539)

And exactly why should we believe the companies' denials? Why should we believe they have any concern at all about any of this, aside from the possible bad PR?

Re:NSA claims Google and others are lying (2)

kqs (1038910) | about 4 months ago | (#46538543)

Good point. You're very wise to believe the NSA, and to ignore all of the "stories" about Google encrypting everything, and suing the government, and trying to limit search warrants. After all, it would be crazy, completely crazy to think that the NSA would try and cast blame on the very companies that tried to stop them. Why, the fact that the NSA tapped Google's dark fiber between datacenters proves that Google is lying and was giving everything to the NSA!

Another possibility is that the NSA is lying and that a bunch of gullible morons are attacking the very companies which (while not perfect) are trying to protect your data from the government.

Re:NSA claims Google and others are lying (0)

Anonymous Coward | about 4 months ago | (#46537563)

Guardianista bullshit then.

Whew! (1)

Anonymous Coward | about 4 months ago | (#46537339)

Glad to know that the copy of my mail stored for "archival purposes" in the service formerly known as Postini was sent there securely.

Pheww! (3, Informative)

Anonymous Coward | about 4 months ago | (#46537341)

What a relief. Now the only people that can get my data are government agencies that ask for it and advertisers that pay for it.

Encrypting Data at Motion, not Data at Rest (1)

joeflies (529536) | about 4 months ago | (#46537377)

SSL/TLS is only for data in motion, and applications that choose to use it. Anyone who gets access to the backend will still be able to freely read as much content as they like

Re:Encrypting Data at Motion, not Data at Rest (2)

blueg3 (192743) | about 4 months ago | (#46537733)

Encrypting data at rest doesn't get you much. Anyone who gets access to the backend gets access to the cryptographic keys used to read the data at rest.

This is the case whenever the attacker has access to the cryptographic endpoint. The fact is, as long as Google is one of the cryptographic endpoints, if you have access to Google's data, you have access to it regardless of whether you pretend to encrypt it. The only way you can significantly change that is to make yourself (that is, the person sending and the person receiving the e-mail) the cryptographic endpoint, so that Google only ever sees ciphertext.

But that's not very convenient.

Re:Encrypting Data at Motion, not Data at Rest (1)

joeflies (529536) | about 4 months ago | (#46537815)

I was primarily commenting because the summary said "Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure." which is obviously incorrect. The messages aren't encrypted at all, only the network connections are.

Re:Encrypting Data at Motion, not Data at Rest (1)

blueg3 (192743) | about 4 months ago | (#46538045)

That's true. The messages really are never encrypted at all. :-)

Re:Encrypting Data at Motion, not Data at Rest (0)

Anonymous Coward | about 4 months ago | (#46538267)

I wouldn't say super difficult either: http://www.gnupg.org/
For Outlook users: https://code.google.com/p/outlook-privacy-plugin/

Also it's pretty important if you are ever dealing with PII.

HTTPS (0)

Anonymous Coward | about 4 months ago | (#46537385)

Anyone with the authorization can decrypt https though... I recall: http://yro.slashdot.org/story/13/01/10/1356228/nokia-admits-decrypting-user-data-claiming-it-isnt-looking

nsa (0)

Anonymous Coward | about 4 months ago | (#46537453)

I'm sure the NSA holds a master wild card cert with all the major vendors.

Pot, Kettle, Pokadot (4, Insightful)

Marxist Hacker 42 (638312) | about 4 months ago | (#46537455)

Isn't this a bit like the company that mines your data for profit is complaining about the government that mines your data for power?

Re:Pot, Kettle, Pokadot (1)

Overzeetop (214511) | about 4 months ago | (#46537557)

Nobody wants competition. What if* Google wanted to move into the power market? No sense in giving the NSA a shortcut.

*when

Re:Pot, Kettle, Pokadot (1)

Anonymous Coward | about 4 months ago | (#46537659)

Google may be many things, but at least they aren't doing it behind your back. Each service's ToS clearly say what they do and don't do with your data when you are on their domains.

Re:Pot, Kettle, Pokadot (1)

Anonymous Coward | about 4 months ago | (#46537987)

You can opt out of using Google's services. You cannot opt out of your government.

Re:Pot, Kettle, Pokadot (1)

LookIntoTheFuture (3480731) | about 4 months ago | (#46538025)

Isn't this a bit like the company that mines your data for profit is complaining about the government that mines your data for power?

Well said.

Re:Pot, Kettle, Pokadot (0)

Anonymous Coward | about 4 months ago | (#46538087)

What did well say?

Re:Pot, Kettle, Pokadot (4, Insightful)

bill_mcgonigle (4333) | about 4 months ago | (#46538641)

Isn't this a bit like the company that mines your data for profit is complaining about the government that mines your data for power?

If showing you ads is like targeting you for a Hellfire drone missile strike, then sure. To me that fails the moral equivalence test.

Weak SMTP SSL (5, Insightful)

Anonymous Coward | about 4 months ago | (#46537457)

Sure they use SSL on their SMTP servers, but when testing it using checktls.com I see that they use RC4-SHA, not a Perfect Forward Secrecy algorithm like Yahoo is now using (DHE-RSA-CAMELLIA256-SHA). If NSA were to get a copy of Google's private key, they could decrypt all of the traffic. So to me, no PFS is the same as no SSL.

Re:Weak SMTP SSL (1)

viperidaenz (2515578) | about 4 months ago | (#46537519)

traffic over SSL connections is not encrypted using public key cryptography.
the certificate is only used to assert there is no man in the middle during key exchange. The data is encrypted with the randomly generated keys exchanged during the SSL handshake.

Re:Weak SMTP SSL (0)

Anonymous Coward | about 4 months ago | (#46537723)

So if the NSA had the private key, no issue? If they recorded traffic from 3 months ago and then demanded the SSL private key of the server, no issue? What is all the fuss about PFS SSL about then?

Re:Weak SMTP SSL (1)

heypete (60671) | about 4 months ago | (#46538097)

traffic over SSL connections is not encrypted using public key cryptography.
the certificate is only used to assert there is no man in the middle during key exchange. The data is encrypted with the randomly generated keys exchanged during the SSL handshake.

Your statement is true if and only if both sides of the connection use Perfect Forward Secrecy.

If PFS is not supported by one or both sides, they revert to RSA key exchange which does use the server's RSA key to encrypt the session key. If the server's private key is compromised any non-PFS traffic that was logged in the past could be decrypted.

The AC above says that the connection between checktls.com and Gmail is made using RC4-SHA -- in that case, no Perfect Forward Secrecy is being used and the connection could be decrypted later if the server's private key was compromised.

In the case of my server connecting to Gmail, the connection is secured with ECDHE-RSA-AES128-GCM-SHA256 -- the ECDHE indicates that it uses elliptic curve-based ephemeral Diffie-Hellman key exchange, which does have PFS.

Perhaps shockingly, most secure sites on the internet don't have PFS enabled or, if they do, don't set them as a high priority. See https://www.trustworthyinterne... [slashdot.org] for details: 42% of sites have PFS enabled, but only 5.6% are configured so that PFS will be used by browsers (the rest have them set as a lower-priority).

Re:Weak SMTP SSL (1)

heypete (60671) | about 4 months ago | (#46538033)

That depends on the cipher preferences of the client (that is, the system sending mail to Gmail). In my case, connections from my server to Gmail's SMTP servers are made using ECDHE-RSA-AES128-GCM-SHA256.

Connections from other services depend on how they're configured. Geocaching.com's outgoing mail server sends mail to Gmail using ECDHE-RSA-RC4-SHA.
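
Added example (not part of any comment in this thread): the forward-secrecy distinction argued above can be read off the negotiated suite name, so this sketch classifies the OpenSSL-style names the commenters quoted. The function names and the UNCLASSIFIED set are choices made for this example; negotiated_suite() needs network access and is not called by default.

```python
import smtplib
import ssl

# Key-exchange prefix of an OpenSSL-style suite name -> (label, forward secret?).
KX_PREFIX = {
    "ECDHE": ("ECDHE", True), "DHE": ("DHE", True), "EDH": ("DHE", True),
    "AECDH": ("anonymous ECDHE", True), "ADH": ("anonymous DHE", True),
    "ECDH": ("static ECDH", False), "DH": ("static DH", False),
}
# Prefixes this sketch does not classify (PSK, RSA-PSK, SRP, Kerberos, export).
UNCLASSIFIED = {"PSK", "RSA", "SRP", "KRB5", "EXP"}

def classify(suite):
    """Return (key_exchange, forward_secret) for a negotiated suite name."""
    if suite.startswith("TLS_"):
        # TLS 1.3 names omit the key exchange; full handshakes are always (EC)DHE.
        return ("(EC)DHE", True)
    prefix = suite.split("-")[0]
    if prefix in UNCLASSIFIED:
        return (prefix, None)
    # A name with no key-exchange prefix (RC4-SHA, AES128-SHA) means RSA key
    # transport: the session secret is encrypted to the server's long-term key.
    return KX_PREFIX.get(prefix, ("RSA", False))

def lacking_forward_secrecy(observations):
    """Filter (description, suite) pairs down to those without forward secrecy."""
    return [(who, s) for who, s in observations if classify(s)[1] is False]

def negotiated_suite(mx_host, port=25, timeout=10):
    """Live check: STARTTLS to an MX and return the suite actually negotiated."""
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ssl.create_default_context())
        return smtp.sock.cipher()[0]

# Suites reported by commenters in this thread.
THREAD_OBSERVATIONS = [
    ("checktls.com -> Gmail", "RC4-SHA"),
    ("Yahoo", "DHE-RSA-CAMELLIA256-SHA"),
    ("heypete's server -> Gmail", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("Geocaching.com -> Gmail", "ECDHE-RSA-RC4-SHA"),
]

if __name__ == "__main__":
    for who, suite in THREAD_OBSERVATIONS:
        print(f"{who:28} {suite:30} {classify(suite)}")
    print("No forward secrecy:", lacking_forward_secrecy(THREAD_OBSERVATIONS))
```

Forward secrecy is a property of the key exchange only: ECDHE-RSA-RC4-SHA passes this check while still using RC4 as its bulk cipher, so the cipher and MAC need a separate review.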

because (1)

Anonymous Coward | about 4 months ago | (#46537459)

Because Google wants no one besides themselves spying on your email!

Opportunistic TLS for SMTP? (1)

dave562 (969951) | about 4 months ago | (#46537509)

The article briefly mentions this, but does anyone have any additional detail? Are they using opportunistic TLS on SMTP connections?

Re:Opportunistic TLS for SMTP? (1)

whoever57 (658626) | about 4 months ago | (#46537937)

Are they using opportunistic TLS on SMTP connections?

Google has been doing this for a long time.

Re:Opportunistic TLS for SMTP? (1)

heypete (60671) | about 4 months ago | (#46538137)

The article briefly mentions this, but does anyone have any additional detail? Are they using opportunistic TLS on SMTP connections?

Yes.

Depending on what ciphers are supported by the remote system, different ciphersuites will be supported. CheckTLS.com will only connect with RC4-SHA, but my server connects with ECDHE-RSA-AES128-GCM-SHA256. Your mileage may vary.

Google just hates the competition. (0)

Anonymous Coward | about 4 months ago | (#46537589)

Don't kid yourself otherwise.

SSL Cert Key (0)

Anonymous Coward | about 4 months ago | (#46537597)

Doesn't the NSA have all the CERT keys anyways? So they won't care if it's encrypted.

About XMPP Security (4, Informative)

qpqp (1969898) | about 4 months ago | (#46537627)

effectively forcing XMPP server admins to lower their security if they want to federate with Google

Just for the Google server, if you use a proper XMPP server (like Prosody, for example).

Beware that many servers on the XMPP network use self-signed or invalid certificates, or even don't support TLS at all (such as gmail.com and all Google-hosted domains). It is possible to make exceptions like this:

-- These hosts are allowed to authenticate via weaker mechanisms, such as dialback:
s2s_insecure_domains = { "gmail.com" }

[Server-to-server XMPP [prosody.im] ]

XMPP server operators are pushing for a wholly encrypted XMPP network [github.com] with several test-days, where they'll be flipping the switch to allow only encrypted communication, and the final switch to disallow unencrypted communication on May 19, 2014.
It's going to include SSLv3, unfortunately, but we'll get there.

Yeah, maybe ignore everything in this post . . . (1)

Kimomaru (2579489) | about 4 months ago | (#46537693)

. . . because the NSA stated yesterday that tech companies were fully aware of snooping the whole time (http://yro.slashdot.org/story/14/03/20/1745254/nsa-general-counsel-insists-us-companies-assisted-in-data-collection). If they're encrypting, it's either for show (probable) or to prevent eavesdropping by anyone else but the NSA (unlikely, if this mattered to them they would have done it a long time ago.) So, yeah, this feels like it's for show so that people can continue to have confidence in Google's platforms.

Re:Yeah, maybe ignore everything in this post . . (1)

Trax3001BBS (2368736) | about 4 months ago | (#46537881)

. . . because the NSA stated yesterday that tech companies were fully aware of snooping the whole time (http://yro.slashdot.org/story/14/03/20/1745254/nsa-general-counsel-insists-us-companies-assisted-in-data-collection).

Not only aware, not one to let a dime slip by: "Billing invoices and other documents show Microsoft charging the FBI hundreds of thousands of dollars a month to comply with legal requests for customer information," http://www.dailydot.com/news/m... [dailydot.com]

Messages Are Not Encrypted (5, Insightful)

Bob9113 (14996) | about 4 months ago | (#46537855)

Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure.

Horseshit. The message is not encrypted. It is cleartext travelling over encrypted channels. It is on their machines in the clear, which enables them to do things for you, like search and filter, and against you, like profiling you and anyone who sends you email.

Re:Messages Are Not Encrypted (1)

rastoboy29 (807168) | about 4 months ago | (#46538667)

mod parent up.  encryption is not magic.

Doesn't NSA own SSL already? (1)

Roger Wilcox (776904) | about 4 months ago | (#46537885)

I seem to remember hearing they had already cracked SSL among all of the recent revelations.

Either way, this is obviously a PR move. It should give nobody any high hope for Google's intentions...

Oh the irony... (1)

David_W (35680) | about 4 months ago | (#46537985)

You know, if I didn't know better, I'd think someone did this on purpose... right now the fortune at the bottom is:

Today is a good day for information-gathering. Read someone else's mail file.

https (0)

Anonymous Coward | about 4 months ago | (#46538129)

I thought Google had already switched to HTTPS for all connections in January or February.

Gmail Goes HTTPS Only For All Connections (0)

Anonymous Coward | about 4 months ago | (#46538295)

There goes HTTPS..

SSL will only give them guarantees of who's who (0)

Anonymous Coward | about 4 months ago | (#46538339)

When they get the keys (if they don't have them already) the tapped communications will be certified.

SSL/HTTPS is a joke (0)

Anonymous Coward | about 4 months ago | (#46538711)

There is absolutely no reason to believe that the certificate trust system is itself trustworthy. The major root signers are all in bed with the NSA, and it is probably a trivial matter for NSA to inject itself into an SSL connection and snoop the data.

Meaningless (0)

Anonymous Coward | about 4 months ago | (#46538817)

As the NSA has more ways to get around this than Obama has crack pipes, it's a nice try but it won't help.

federate with Google? (1)

nurb432 (527695) | about 4 months ago | (#46538981)

Why would anyone still be doing this? They won't be supporting this really soon now, so everyone should have moved on by now.
