'Google Just Made Gmail the Most Secure Email Provider on the Planet'

Google announced on Tuesday that it would offer stronger online security for "high risk" users who may be frequent targets of online attacks. The company said anyone with a personal Google account can enroll in the new "advanced protection," while noting that it will require users to "trade off a bit of convenience" for extra security. Motherboard reports: The main advantage in terms of security is the need for a key or token to log in as the second factor, instead of a code sent via SMS or via app. This is much better because there's no way for hackers to steal or phish this key from afar (there have been isolated incidents of hackers using social engineering to gain access to someone's cell phone number by getting the provider to issue a new SIM card, for instance). Thanks to these new features, Gmail is now the most secure email provider available on the internet if you are worried about hackers breaking into your private correspondence. "This is a major step in the right direction in offering the same kind of protection available to high-profile figures to everyday people," Kenneth White, a Washington D.C. based security consultant to federal agencies, told Motherboard. "They have really thought this through, and while it may not make sense for everyone, for those that need it, it's a much needed option."

Re:what if I phish your password?

[sqorbit]

Hi sir! please enter your gmail password here: ____________

Oh i see, google doesn't protect against this. This seems super secure.

I think you missed the point. It's two factor authentication. If I know your password I still need to know the key to log in.

Re:Chrome only...

[darkmeridian]

No one else supports the FIDO U2F security key standard in their browser. FireFox should be getting around to it anytime now, and I believe that Opera does. But that's probably why: the valid technical reason is that no one else supports the security standard.

Re:They did?

[swillden]

Mod parent up.

Without encryption on server and with law enforcement having backdoor access to Gmail, etc., this is meaningless.

Actually, Google does encrypt all of the email (and all other user data) on its servers, and even in-transit between servers in Google data centers, as well as in-transit between Google servers and your browser and (if supported by the other end) in transit between Google servers and non-Google email servers. Google encrypts all the things, all the time.

Oh, and law enforcement does not have "backdoor access", at least not the way that I would interpret the phrase. What law enforcement does have is search warrants, subpoenas and national security letters (though NSLs provide access to metadata only, not content -- not that metadata isn't very valuable). If law enforcement or other authorized agents of the courts present a valid and duly authorized document which legally compels Google to hand over your data, Google will hand over your data. If it's not correctly executed, is overly broad or has some other legal defect, Google will refuse.

If you don't like that warrants, subpoenas and NSLs can be used to access your data, either move it to a jurisdiction not subject to such rules, or take it up with your political representatives. Or switch from email to a communication protocol that was designed with end-to-end security in mind, with all of the limitations that entails (mostly, that you will have a hard time keeping old messages for a long time... and if it's really easy to use, chances are god that implies there is some entity playing a trusted role which could defeat the security).