Slashdot Mirror
Gmail Goes HTTPS Only For All Connections
Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone—including the NSA–who is trying to snoop on those Gmail sessions."
GMail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.
Does Google not recall the NSA post it note showing that they intercept the post-SSL server to server commuincations within the googleshpere? NSA doesn't care about HTTPS to google as long as that back channel is still there.
Some drink at the fountain of knowledge. Others just gargle.
What a relief. Now the only people that can get my data are government agencies that ask for it and advertisers that pay for it.
Please. This was debunked already. http://www.techdirt.com/articl...
Unless Google is just handing them everything anyway via Prism, or whatever other programs are in place.
This is like installing bars over the windows to keep the govt out, knowing full well you already gave them the keys to the front door.
Google has their own CA. Of course the NSA may demand certs from them, but Google will have to know, so the NSA can't do it secretly anymore
Just for the Google server, if you use a proper XMPP server (like Prosody, for example).
XMPP server operators are pushing for a wholly encrypted XMPP network with several test-days, where they'll be flipping the switch to allow only encrypted communication, and the final switch to disallow unencrypted communication on May 19, 2014.
It's going to include SSLv3, unfortunately, but we'll get there.
Somebody mod this up. This is dead right.
Google can encrypt the data all they want, right down to encrypting it when it arrives, and leaving it encrypted for its lifetime on their servers, but the NSA can just say "gimme the data AND the keys to unlock it". The keys are just data, and obviously Google has access to them, therefore so does the NSA.
Google has their own intermediate CA, which is a subsidiary of GeoTrust. Given that such an intermediate could issue certs for the global internet, GeoTrust probable provides a "managed PKI" service where they retain control of the intermediate so that it will only issue certs for Google-controlled domains.
In such a situation, GeoTrust could be compelled to issue certs using Google's intermediate CA without Google's knowledge.
Alternatively, if Google maintained control of the intermediate, the NSA would need to compel Google to generate certs for them from their own intermediate. However, if the NSA went to GeoTrust and demanded that they generate an intermediate CA with all the same details (CN, O, OU, etc.) as the Google one, the NSA could generate certs for Google without Google knowing.
but Google will have to know, so the NSA can't do it secretly anymore
Sure, but that doesn't matter. Google (will roll | have rolled | are rolling) over for the NSA, so you don't gain anything by this.
The moment the NSA have to ask you personally, that's when you're onto something. End-to-end crypto gives you that, of course.
Related: Tox secure IM, the Blackphone. Do keep an eye on those two projects. Promising stuff.
You really need to read the whole Lavabit story. Basically, the government was able to convince the court that the combination of Lavabit's security architecture and the company's early stonewalling demonstrated that the only way to be sure they got all of the data the court had ordered Lavabit to hand over was to require the keys. Had Lavabit complied initially and just handed over the requested data the question of keys would never have come up.
That may seem like a subtle distinction, but it's not. The court never said that the government has a general right to demand keys, it just said that in that particular case there were factors which meant that merely asking for the data was not going to work, and that, therefore, the government could demand the key.
In Google's case, if the government asks -- through correct legal channels and with an appropriately-specific request -- for your e-mail, Google can and will simply comply with the request, which means that the government has no need to get keys. The only reason the government would ask for keys is in order to obtain the ability to do mass surveillance which cannot be justified Constitutionally -- and Google has the legal and technical resources to make that argument and to appeal it to the highest level.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.