Slashdot Mirror
Gmail Goes HTTPS Only For All Connections
Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone—including the NSA–who is trying to snoop on those Gmail sessions."
GMail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.
The NSA has compromised certificates so this will make no real difference.
This is the backscatter xray machine of internet security.
Does Google not recall the NSA post it note showing that they intercept the post-SSL server to server commuincations within the googleshpere? NSA doesn't care about HTTPS to google as long as that back channel is still there.
Some drink at the fountain of knowledge. Others just gargle.
What a relief. Now the only people that can get my data are government agencies that ask for it and advertisers that pay for it.
If perfect forward secrecy is used in the connections (which most HTTPS sites seem to do last I checked), then knowing the private keys doesn't even help them decrypt a connection, *unless* they're actively man-in-the-middling the connection from the start (which I'm sure they do often against interesting people, but probably not anywhere near 100% of everything).
Please. This was debunked already. http://www.techdirt.com/articl...
Unless Google is just handing them everything anyway via Prism, or whatever other programs are in place.
This is like installing bars over the windows to keep the govt out, knowing full well you already gave them the keys to the front door.
Isn't this a bit like the company that mines your data for profit is complaining about the government that mines your data for power?
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Sure they use SSL on their SMTP servers, but when testing it using checktls.com I see that they use RC4-SHA, not a Perfect Forward Secrecy algorithm like Yahoo is now using (DHE-RSA-CAMELLIA256-SHA). If NSA were to get a copy of Google's private key, they could decrypt all of the traffic. So to me, no PFS is the same as no SSL.
And exactly why should we believe the companies' denials? Why should we believe they have any concern at all about any of this, aside from the possible bad PR?
“He’s not deformed, he’s just drunk!”
I don't know if you've been keeping up. But people fully EXPECT the NSA to be upto nasty secret snooping habits. That is actually the minor part of the story that caused the outrage. The more dangerous fact is that the NSA can demand companies or individuals turn over data to them and impose a gag order thus forcing them to keep it secret.
So AC is right in this case. Just more lip service. Encryption on your own servers is the only way to remain relatively protected.
Entia non sunt multiplicanda praeter necessitatem.
Ultimately, encryption is meaningless. If the NSA (or any other governmental agency) wants something, they will get it.
Even if you invent some suoer-duoer-impossible-to-crack encryption, they will simply go to a secret court (that is accountable to no one) and get a secret order, that you must comply with and that you aren't allowed to talk about under penalty of going to prison, on the grounds of NATIONAL SECURITY.
Until *THAT* problem is addressed, encryption is meaningless.
Just for the Google server, if you use a proper XMPP server (like Prosody, for example).
XMPP server operators are pushing for a wholly encrypted XMPP network with several test-days, where they'll be flipping the switch to allow only encrypted communication, and the final switch to disallow unencrypted communication on May 19, 2014.
It's going to include SSLv3, unfortunately, but we'll get there.
Somebody mod this up. This is dead right.
Google can encrypt the data all they want, right down to encrypting it when it arrives, and leaving it encrypted for its lifetime on their servers, but the NSA can just say "gimme the data AND the keys to unlock it". The keys are just data, and obviously Google has access to them, therefore so does the NSA.
Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure.
Horseshit. The message is not encrypted. It is cleartext travelling over encrypted channels. It is on their machines in the clear, which enables them to do things for you, like search and filter, and against you, like profiling you and anyone who sends you email.
Stop-Prism.org: Opt Out of Surveillance
... people fully EXPECT the NSA to be upto nasty secret snooping habits. That is actually the minor part of the story that caused the outrage. The more dangerous fact is that the NSA can demand companies or individuals turn over data to them and impose a gag order thus forcing them to keep it secret.
I agree that the latter IS a big problem. But I don't agree that it's the ONLY problem, or the only BIG one.
National Security Letters are still relatively narrow compared to what the NSA did. They also tapped the fibers Google and others used to communicate with each other, and used these taps to snoop everything that went across them, without Google's knowledge.
I encountered a Google engineer with job responsibilities related to that at a conference last year, and he was LIVID. They'd tapped fibers OWNED BY GOOGLE - trespassing and damaging them (aong with Google's credibility) in the process - with no letters, warrants, wink-wink-nudge-nudge, or what-have-you. Google has since been installing encryption thorughout it's network - not just where it leaves the building, but even from rack to rack.
Maybe they're still stuck disclosing SOME stuff. But at least they're trying to know what it is, do their best to minimize it (and protect their model), and avoid inadvertently firehosing EVERYTHING into the maw of the NSA.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Somebody mod this up. This is dead right.
Google can encrypt the data all they want, right down to encrypting it when it arrives, and leaving it encrypted for its lifetime on their servers, but the NSA can just say "gimme the data AND the keys to unlock it". The keys are just data, and obviously Google has access to them, therefore so does the NSA.
More precisely, the NSA would just say "gimme the decrypted data". But it's simply wrong to say that's not an important difference.
If the NSA can snoop all connections they can scoop up terabytes of data and figure out later what's interesting and no one is the wiser. If they have to ask Google, they have to make the request specific and they have to provide justification that will satisfy some set of legally-defined standards -- and Google will then add the request to the published transparency statistics so legislators and voters can see how much is being done and decide if it's excessive.
There's a huge difference there.
Oh, and I can't think of any case in which the government could legally demand the keys.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
You really need to read the whole Lavabit story. Basically, the government was able to convince the court that the combination of Lavabit's security architecture and the company's early stonewalling demonstrated that the only way to be sure they got all of the data the court had ordered Lavabit to hand over was to require the keys. Had Lavabit complied initially and just handed over the requested data the question of keys would never have come up.
That may seem like a subtle distinction, but it's not. The court never said that the government has a general right to demand keys, it just said that in that particular case there were factors which meant that merely asking for the data was not going to work, and that, therefore, the government could demand the key.
In Google's case, if the government asks -- through correct legal channels and with an appropriately-specific request -- for your e-mail, Google can and will simply comply with the request, which means that the government has no need to get keys. The only reason the government would ask for keys is in order to obtain the ability to do mass surveillance which cannot be justified Constitutionally -- and Google has the legal and technical resources to make that argument and to appeal it to the highest level.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.