Slashdot Mirror


Gmail Goes HTTPS Only For All Connections

Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone, including the NSA, who is trying to snoop on those Gmail sessions." Gmail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.

4 of 141 comments

  1. More lip service by Anonymous Coward · Score: 5, Insightful

    The NSA has compromised certificates so this will make no real difference.
    This is the backscatter xray machine of internet security.

  2. Weak SMTP SSL by Anonymous Coward · Score: 5, Insightful

    Sure they use SSL on their SMTP servers, but when testing it using checktls.com I see that they use RC4-SHA, not a Perfect Forward Secrecy algorithm like Yahoo is now using (DHE-RSA-CAMELLIA256-SHA). If NSA were to get a copy of Google's private key, they could decrypt all of the traffic. So to me, no PFS is the same as no SSL.
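
The distinction drawn in the comment above, as an added example that is not part of the original post or of checktls.com: a classifier for OpenSSL-style cipher suite names that reports whether the key exchange gives forward secrecy, plus a helper that reads the suite an SMTP server negotiates over STARTTLS. The function names are hypothetical, the comparison suites beyond the two in the comment are constructed, and SRP and GOST suites are out of scope.

```python
import smtplib
import ssl

# First token of an OpenSSL suite name -> does the key exchange give forward secrecy?
# Names with no key-exchange token (RC4-SHA, AES128-SHA) use static RSA key transport.
KEY_EXCHANGE = {"ECDHE": True, "DHE": True, "EDH": True,   # ephemeral (EC)DH
                "ADH": True, "AECDH": True,                # ephemeral, unauthenticated
                "ECDH": False, "DH": False, "PSK": False}  # static or pre-shared keys
WEAK_BULK = ("RC4", "DES", "NULL")  # bulk-cipher tokens treated as weak here


def classify_suite(name):
    """Return (key_exchange, forward_secret, weak_bulk) for an OpenSSL suite name."""
    if name.startswith("TLS_"):  # TLS 1.3 suites always use ephemeral (EC)DHE
        return ("(EC)DHE, TLS 1.3", True, False)
    tokens = name.split("-")
    export = tokens[0] == "EXP"  # export-grade prefix precedes the key exchange
    if export:
        tokens = tokens[1:]
    weak = export or any(t.startswith(WEAK_BULK) for t in tokens)
    kx = tokens[0]
    if kx in KEY_EXCHANGE:
        return (kx, KEY_EXCHANGE[kx], weak)
    return ("RSA", False, weak)


def negotiated_suite(host, port=25, timeout=10):
    """Issue STARTTLS to an SMTP server and return the suite name it negotiates."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.cipher()[0]


if __name__ == "__main__":
    # The two suites named in the comment, plus constructed comparison cases.
    for suite in ("RC4-SHA", "DHE-RSA-CAMELLIA256-SHA", "ECDHE-RSA-RC4-SHA",
                  "TLS_AES_128_GCM_SHA256"):
        print(suite, classify_suite(suite))
```

`negotiated_suite` reports what the server selects from this client's offered list, so a current Python/OpenSSL build that no longer offers RC4 will not reproduce what an older sending server would have negotiated.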

  3. Encryption is not the answer by rudy_wayne · Score: 5, Insightful

    Ultimately, encryption is meaningless. If the NSA (or any other governmental agency) wants something, they will get it.

    Even if you invent some super-duper-impossible-to-crack encryption, they will simply go to a secret court (that is accountable to no one) and get a secret order, that you must comply with and that you aren't allowed to talk about under penalty of going to prison, on the grounds of NATIONAL SECURITY.

    Until *THAT* problem is addressed, encryption is meaningless.

  4. Messages Are Not Encrypted by Bob9113 · Score: 5, Insightful

    "Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure."

    Horseshit. The message is not encrypted. It is cleartext travelling over encrypted channels. It is on their machines in the clear, which enables them to do things for you, like search and filter, and against you, like profiling you and anyone who sends you email.