Slashdot Mirror


Gmail's Encryption Warning Spurs 25% Increase In Encrypted Inbound Emails (theverge.com)

An anonymous reader quotes a report from The Verge: Google's efforts to keep users safe might be forcing other email providers to make better security decisions. In February, the company started flagging unencrypted emails, allowing Gmail users to know whether they're sending emails to, or receiving emails from, providers that don't support TLS encryption. Since then, the amount of inbound mail sent over an encrypted connection to Gmail users has increased by 25 percent, Google explained in a blog post released today. The majority of the uptick likely comes from providers updating their clients so they can avoid getting flagged by Google, the company said in a comment to The Verge. Without in-transit encryption, which Google provides by default, emails could potentially be read by attackers because their body and data are sent in plain text. Google is also going to send Gmail users a full-page warning notice if they click on a potentially malicious link. In addition, they are going to increase warnings about state-sponsored attackers with a full-page alert about how to secure accounts through two-factor authentication and the use of a security key.

9 of 57 comments

  1. Re:Encrypting the Link is only part of the story by ledow · · Score: 3, Informative

    If the ISP or email provider host the domain that your email is at, is it really that much of a problem?

    Sure end-to-end is nice, but these guys can accept, redirect and intercept your email in a million other ways anyway.

    Personal domains, forwarded emails, etc. - that's another matter entirely. But Google can read anything@gmail.com if they want, etc.

  2. Re:Encrypting the Link is only part of the story by Blue+Stone · · Score: 4, Interesting

    In some ways I think of this push by Google to encrypt mail as being like that thing they do in the Israeli prisons, where they have a dummy microphone in the cell that's easily discoverable and avoidable and then they hide the real mics where people go to avoid the dummy one - and pick up all the juicy intel, undetected.

    This form of encryption provides the illusion of security; it's like: 'go back to sleep, everything's fine, your government can't snoop on you with its giant, multi-tentacled panopticon'. All the while, the NSA and GCHQ are rather happy and completely undeterred.

    I can't decide who Google is trying to help with this.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  3. Re:Encrypting the Link is only part of the story by shawn2772 · · Score: 2

    Complaining about lack of TLS on the connection is about encrypting the link, not the email. Certainly, email in transit really must be encrypted. But the email itself still sits in the clear on the ISP or email provider's server unless otherwise noted. That's still a problem.

    Clearly, email in clear at the ISP is vulnerable if the ISP is hacked, and to employees of the ISP, etc. But unencrypted e-mail in transit is vulnerable to many people at many locations all along the connection path. End-to-end encryption is better than encryption only on the wire, but it's much better than plaintext on the wire.

  4. Re:Encrypting the Link is only part of the story by unrtst · · Score: 2

    But Google can read anything@gmail.com if they want, etc.

    Not true if one utilizes end to end encryption (pgp/gpg, s/mime, etc).

  5. Re:Encrypting the Link is only part of the story by Obfuscant · · Score: 2

    Not true if one utilizes end to end encryption (pgp/gpg, s/mime, etc).

    Using gmail, one cannot encrypt the header. This includes the source and destination addresses, as well as the trace information.

    One can tell a lot from a traffic analysis, even if you can't read the specific words in a message.

  6. Re:Encrypting the Link is only part of the story by SuricouRaven · · Score: 3, Insightful

    With encryption: Google and the US government spy on you.
    Without encryption: Google, the US government, Russia, China, half of Europe, Canada, the script kiddie who hacked your router and an organised crime gang spy on you.

  7. Re:Encrypting the Link is only part of the story by Dynedain · · Score: 4, Insightful

    I think it's exactly the opposite. For so long PGP and other security features for email were ignored because you can't communicate with users on email providers that don't enable it. Same thing with various spam controls - we've always bitched that we can't turn them on because the big vendors ignore it.

    This is a GOOD thing by Google. By turning it on, and making it blatantly obvious to their users, they force the industry as a whole into better practices. They've done the same thing with HTTPS (now mixed-mode errors invalidate your "lock" status) and also spam control (reverse DNS lookups, etc). They are using their position of influence to encourage improvements across the industry and should be applauded.

    It's going to take multiple steps to get to the final goal of end-to-end encryption. You can't jump to the end overnight. Give credit where credit is due.

    --
    I'm out of my mind right now, but feel free to leave a message.....
  8. Re:Encrypting the Link is only part of the story by shawn2772 · · Score: 4, Interesting

    I can't decide who Google is trying to help with this.

    You're overthinking this. Google is trying to do exactly what it says it's trying to do: Make Gmail more secure for Gmail users. After investing a lot in making its own servers use encryption for every communication, inside and outside, it really bugs Google engineers that they then have to send plaintext to other mail servers whose administrators don't care enough about security to install SSMTP. Then someone realized that Google has an avenue to pressure other mail providers to step up and that Google can highlight the effort it's put into security at the same time. Win/win: Google makes the world better and looks good doing it.

    Why are you looking for some deeper reasons, when the obvious and plainly-stated ones perfectly explain the move?

    (Disclosure: I'm a Google security engineer, though I'm speaking only for myself. If you want an official company position, look at press releases or contact PR.)

  9. Re:Encrypting the Link is only part of the story by fraxinus-tree · · Score: 2

    Well, almost. With encryption, Google spy on you. Everyone else, including US.gov, have to ask Google for that or at the very least make Google know about that, and have no way to know the quality of the result they get.