Slashdot Mirror


Gmail Goes HTTPS Only For All Connections

Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone—including the NSA–who is trying to snoop on those Gmail sessions." GMail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.

6 of 141 comments

  1. Uh the NSA post it says different by goombah99 · · Score: 5, Informative

    Does Google not recall the NSA post it note showing that they intercept the post-SSL server to server communications within the googlesphere? NSA doesn't care about HTTPS to google as long as that back channel is still there.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Uh the NSA post it says different by goombah99 · · Score: 4, Informative
      --
      Some drink at the fountain of knowledge. Others just gargle.
  2. Re:NSA claims Google and others are lying by poetmatt · · Score: 4, Informative

    Please. This was debunked already. http://www.techdirt.com/articl...

  3. Re:Doesn't matter by vux984 · · Score: 4, Informative

    Unless Google is just handing them everything anyway via Prism, or whatever other programs are in place.

    This is like installing bars over the windows to keep the govt out, knowing full well you already gave them the keys to the front door.

  4. About XMPP Security by qpqp · · Score: 4, Informative

    effectively forcing XMPP server admins to lower their security if they want to federate with Google

    Just for the Google server, if you use a proper XMPP server (like Prosody, for example).

    Beware that many servers on the XMPP network use self-signed or invalid certificates, or even don't support TLS at all (such as gmail.com and all Google-hosted domains). It is possible to make exceptions like this:

    -- These hosts are allowed to authenticate via weaker mechanisms, such as dialback:
    s2s_insecure_domains = { "gmail.com" }

    [Server-to-server XMPP]

    XMPP server operators are pushing for a wholly encrypted XMPP network with several test-days, where they'll be flipping the switch to allow only encrypted communication, and the final switch to disallow unencrypted communication on May 19, 2014.
    It's going to include SSLv3, unfortunately, but we'll get there.
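
The "exception for one domain only" idea from the comment above, as an added example that is not part of the original comment and is not Prosody code: it reads a peer's `<stream:features/>` and decides whether to proceed. The function names, the `plaintext_exceptions` parameter and both sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample: a peer that advertises (and requires) STARTTLS.
PEER_WITH_TLS = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '<dialback xmlns="urn:xmpp:features:dialback"/>'
    '</stream:features>'
)
# Constructed sample: a peer that offers dialback only, no TLS at all.
PEER_WITHOUT_TLS = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<dialback xmlns="urn:xmpp:features:dialback"/>'
    '</stream:features>'
)

def starttls_status(features_xml):
    """Return 'required', 'offered' or 'absent' for a <stream:features/> stanza."""
    root = ET.fromstring(features_xml)
    if root.tag != "{%s}features" % NS_STREAM:
        raise ValueError("not a stream:features element")
    starttls = root.find("{%s}starttls" % NS_TLS)
    if starttls is None:
        return "absent"
    if starttls.find("{%s}required" % NS_TLS) is not None:
        return "required"
    return "offered"

def s2s_decision(domain, features_xml, require_encryption=True,
                 plaintext_exceptions=()):
    """Return 'starttls', 'plaintext' or 'refuse' for one s2s peer.

    A missing <starttls/> looks the same whether the peer lacks TLS or
    something on the path removed the feature, so the default is to refuse
    and to allow plaintext only for domains listed explicitly.
    """
    if starttls_status(features_xml) != "absent":
        return "starttls"          # always upgrade when TLS is on offer
    allowed = {d.lower() for d in plaintext_exceptions}
    if not require_encryption or domain.lower() in allowed:
        return "plaintext"
    return "refuse"
```

With `plaintext_exceptions={"gmail.com"}` only that domain is downgraded; every other peer without STARTTLS is still refused.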

  5. Re:Doesn't matter by glenebob · · Score: 5, Informative

    Somebody mod this up. This is dead right.

    Google can encrypt the data all they want, right down to encrypting it when it arrives, and leaving it encrypted for its lifetime on their servers, but the NSA can just say "gimme the data AND the keys to unlock it". The keys are just data, and obviously Google has access to them, therefore so does the NSA.