Slashdot Mirror


'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com)

Google announced on Tuesday that it would offer stronger online security for "high risk" users who may be frequent targets of online attacks. The company said anyone with a personal Google account can enroll in the new "advanced protection," while noting that it will require users to "trade off a bit of convenience" for extra security. Motherboard reports: The main advantage in terms of security is the need for a key or token to log in as the second factor, instead of a code sent via SMS or via app. This is much better because there's no way for hackers to steal or phish this key from afar (there have been isolated incidents of hackers using social engineering to gain access to someone's cell phone number by getting the provider to issue a new SIM card, for instance). Thanks to these new features, Gmail is now the most secure email provider available on the internet if you are worried about hackers breaking into your private correspondence. "This is a major step in the right direction in offering the same kind of protection available to high-profile figures to everyday people," Kenneth White, a Washington D.C. based security consultant to federal agencies, told Motherboard. "They have really thought this through, and while it may not make sense for everyone, for those that need it, it's a much needed option."

32 of 197 comments

  1. It's the same tool my identity theft plan uses by bluefoxlucid · · Score: 3, Interesting

    I specify that Congress should make broad legislation allowing a regulatory agency to select the most-appropriate, affordable, and effective technology of today; and today, that is the FIDO U2F Security key with RSA or ECC encryption. That's how I'm going to defeat identity theft once and for all.

    1. Re: It's the same tool my identity theft plan uses by Anonymous Coward · · Score: 2, Insightful

      Doesn't matter. Their keys are used by other providers already. A friend of mine uses Auth-Anvil as a two-factor for his service which includes email access.

      The most secure system is to host it yourself, and encrypt the contents with a key you only have access to.

    2. Re:It's the same tool my identity theft plan uses by ctilsie242 · · Score: 4, Interesting

      How about FIDO U2F and the Google Authenticator (RFC 6238 and RFC 4226)? The six digit TOTP code has been proven across many, many sites (I use it on Microsoft's, Amazon's, gmail's, and many others.)

      What would be nice would be a dedicated PDA-like device with a camera for reading QR codes, a touch screen for inputting codes by hand, a charge-only USB interface, and a SD card interface for backing up the OTP seeds. The device never sees, nor cares about the Internet, and is only connected to a USB cable to get power.

      The closest to this we have now is an iPod Touch.

    3. Re: It's the same tool my identity theft plan uses by Comboman · · Score: 4, Funny

      The most secure system is to host it yourself, and encrypt the contents with a key you only have access to.

      "Is that you Hillary?"

      Sorry, my jokes are 6 months behind, I meant, "Is that you Jared?"

      --
      Support Right To Repair Legislation.
  2. I want even less security by Anonymous Coward · · Score: 3, Insightful

    Somehow I wish the reverse. I hate it when Google blocks my access to their web site every time I change my location; I would like to somehow turn off whatever they had till now. As a user, I want to have the choice to access my email account as it fits me, from whenever I want to; that is missing with Google.

  3. For a given value of secure by Anonymous Coward · · Score: 4, Insightful

    Is it secure from Google?

    1. Re:For a given value of secure by arth1 · · Score: 2

      If they can still centrally read all GMail, then so can anyone else (with a large enough budget).

      Or anyone with a secret court order or national security letter.

      That doesn't just include the government, but any individual working for the government in a position to gain such access, as well as anyone who controls such a person. And anyone who works in a position of trust in Google, and anyone who controls such a person.
      And anyone who has breached either Google's or the government's security.

      The front door is the least of the worries here.

  4. Re:what if I phish your password? by sqorbit · · Score: 3, Informative

    Hi sir! please enter your gmail password here: ____________

    Oh i see, google doesn't protect against this. This seems super secure.

    I think you missed the point. It's two factor authentication. If I know your password I still need to know the key to log in.

    --
    Sent from my TARDIS
  5. good for some, not for others by supernova87a · · Score: 2

    Good options. But think before enabling such high security for things that don't need it. Forgetful parents for example -- give them these things and if they ever lose them or forget one piece of information, their accounts are gone forever.

    Some things just need "good enough" security and the likelihood that anyone cares enough to hack them is a risk you accept for the practical real-world usability of the thing.

  6. Chrome only... by mrsam · · Score: 5, Insightful

    I skimmed Google's write-up of their new offering, and was seriously considering looking into this. I bear no delusions of self-grandeur, or that anyone would have any reason to be interested in sorting through all the confirmation e-mails for the coffee I buy off Amazon; but I do have some key data tied up in the Googleverse, and the cost of an extra keyfob would not exactly break the bank. However, then I came to this:

    Google services on the web

    You will only be able to use the Chrome browser to access signed-in services like Gmail or Photos.

    That breaks the deal for me, since I don't use Chrome, and it would not be convenient for me, for a few reasons. I can't really think of any valid technical reason why this results in any actual security, unless Chrome pins Google's CA; but the same thing can be done in any other browser too.

    1. Re:Chrome only... by darkmeridian · · Score: 5, Informative

      No one else supports the FIDO U2F security key standard in their browser. Firefox should be getting around to it anytime now, and I believe that Opera does. But that's probably why: the valid technical reason is that no one else supports the security standard.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    2. Re:Chrome only... by ctilsie242 · · Score: 2

      This also is a deal-breaker for me, since I use a program called Boxcryptor with Google Drive and other cloud services. I like packing my own parachute and having my own encryption layer.

  7. They did? by JohnFen · · Score: 5, Insightful

    So they're now encrypting all the emails being stored on their servers and don't hold the key themselves?

    Because if they're not doing that, then they're not anything close to "the most secure email provider on the planet".

    1. Re:They did? by swillden · · Score: 4, Informative

      Mod parent up.

      Without encryption on server and with law enforcement having backdoor access to Gmail, etc., this is meaningless.

      Actually, Google does encrypt all of the email (and all other user data) on its servers, and even in-transit between servers in Google data centers, as well as in-transit between Google servers and your browser and (if supported by the other end) in transit between Google servers and non-Google email servers. Google encrypts all the things, all the time.

      Oh, and law enforcement does not have "backdoor access", at least not the way that I would interpret the phrase. What law enforcement does have is search warrants, subpoenas and national security letters (though NSLs provide access to metadata only, not content -- not that metadata isn't very valuable). If law enforcement or other authorized agents of the courts present a valid and duly authorized document which legally compels Google to hand over your data, Google will hand over your data. If it's not correctly executed, is overly broad or has some other legal defect, Google will refuse.

      If you don't like that warrants, subpoenas and NSLs can be used to access your data, either move it to a jurisdiction not subject to such rules, or take it up with your political representatives. Or switch from email to a communication protocol that was designed with end-to-end security in mind, with all of the limitations that entails (mostly, that you will have a hard time keeping old messages for a long time... and if it's really easy to use, chances are good that implies there is some entity playing a trusted role which could defeat the security).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:They did? by dbialac · · Score: 2

      Not just that, but everything requires Google's apps (Chrome, Gmail, etc.), which requires you to let Google track you.

    3. Re:They did? by bobbied · · Score: 2

      Right, exactly. So this keeps your email safer from prying hackers, but what keeps it safe from google?

      Well, they do promise to not peek.. Oh wait, they don't even do that.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re:They did? by bill_mcgonigle · · Score: 2

      Oh, and law enforcement does not have "backdoor access", at least not the way that I would interpret the phrase.

      PRISM wasn't exactly a backdoor either, but it was effectively.

      NSLs provide access to metadata only, not content

      Do you have a source for that? NSLs, generically, have no such inherent limitation (cf. Lavabit). Is Google under an NSL to transmit all metadata to the US Government? This sounds like news.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:They did? by hackertourist · · Score: 2

      AIUI, the whole point of developing Gmail was to give Google access to the contents of your mail for advertising/profiling purposes. If that's still done, the encryption is mostly pointless.

    6. Re:They did? by sl3xd · · Score: 2

      What difference does it make that Google encrypts data in-house? Google is the one holding the keys, and they're as much a problem as any government monitoring.

      Google is doing its users a disservice by making any claims that they can "secure" a fundamentally insecure messaging system.

      The current industry titans have no interest in providing customers with truly secure messaging. Every company does its best to insert themselves as a man in the middle -- as if they are somehow trustworthy.

      Even Facebook and Google adopting the Signal are the companies inserting themselves as a man in the middle to collect metadata. God forbid if they were to interoperate, and Google or Facebook doesn't get to see both sides of the conversation.

      --
      -- Sometimes you have to turn the lights off in order to see.
  8. Identity vs. content and identity by DrYak · · Score: 2

    To elaborate more :

    - 2 factor identification (like the suggested bluetooth and usb dongles) only solve 1 single problem : identity.

    Making sure that when Alice receives an e-mail from "bob@gmail.com" it's indeed written by Bob, and not by Eve trying to steal bob's gmail credential by hacking the SMS 2 factors.

    But any exchange between Alice and Bob can still be read on Google servers 100% for sure (that's how GMail's Ads work), and maybe by any government agency that has agreements (or plain just did an inside job without Google's knowledge) and eventually on any mail transmitting node (or, worst case scenario : on any internet router, if some of the mail transmitting nodes use un-encrypted traffic).

    - public keys systems (like PGP implementation, and like S/MIME standard) on the other hand solve 2 problems : identity and privacy.

    Identity : well, Eve could try to hack bob's Gmail credentials all she likes, she still won't have access to Bob's private key, and thus cannot sign any new e-mail with the same key.
    Basically, the private key stored on bob's computer acts as a second factor for establishing the authenticity of the writer.
    (On the other hand, if bob uses gmail's access on any other site, e.g.: as OAuth provider, or as recovery e-mail, then those sites will be toast - e.g.: because no site currently uses GPG or S/MIME encryption when clicking on "forgotten password".
    It's not a fault of GPG nor S/MIME, it's a fault of most other providers not using it for the password reset e-mails, and Google's fault of not supporting client certs as an additional security measure when doing OAuth).

    Privacy :
    Without access to Alice's private key, nobody could read the message either : it stays encrypted on the whole trajectory - on Google's servers, on all relaying nodes and even on routers, no matter if non encrypted protocols are used.
    (On the other hand, if non encrypted protocols are used, Eve could at least guess that Alice and Bob are communicating, even if she can't read the content of the encrypted e-mails. GPG S/MIME encryption only hides the content - that's their limitation. Use HTTPS or even better Tor if you want to hide traffic).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Identity vs. content and identity by Immerman · · Score: 3, Interesting

      If you have nothing to hide, you have nothing to fear?

      Knowledge is power, and the more the government knows about you, the more power they have over you, and the less resistance you can provide against fascism, corruption, and other abuses of power. It's not just KGB-style threats and "tactical removal" of people who may present an obstacle to those in power (though the legal basis for "disappearing" people was put in place by the PATRIOT Act), it's also the more subtle manipulation of opinions and directing of actions in ineffective directions, as recently demonstrated by the highly targeted Russian Facebook ads.

      Watch the population closely enough, and you can derail credible resistance long before it becomes a threat.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  9. Also breaking by 31415926535897 · · Score: 4, Funny

    In related news, the fox has made the hen house safer from outside predators. Hens everywhere are rejoicing!

    1. Re:Also breaking by bjdevil66 · · Score: 2

      Exactly. Google is allegedly making it safer by keeping everyone from reading it - except themselves, of course.

  10. Not by a long shot by Troed · · Score: 4, Insightful

    I just switched from Gmail to ProtonMail because I wanted the most secure email provider. This little feature change by Google does nothing to change any of the important factors - one being that with ProtonMail all my emails are stored using client side encryption.

    You cannot, ever, trust a US company where National Security Letters come into play.

  11. They did. The agency requires MD5 (SHA256 not ok) by raymorris · · Score: 2

    > I specify that Congress should make broad legislation allowing a regulatory agency to select the most-appropriate, affordable, and effective technology of today;

    They did. The federal government requires MD5. SHA256 is not acceptable for many federal uses (though it is now FIPS), because they haven't updated the relevant federal standards. Our system of government was designed to be fair, transparent, and flexible. It was not designed to be fast and efficient.

  12. Safest of all? WHAT? by bill.pev · · Score: 2

    Dare I say the more aggressive reader of other people's email may be THE Google itself.
    Who will protect me from them?

  13. Hoops by sjbe · · Score: 2, Interesting

    Oh, and law enforcement does not have "backdoor access", at least not the way that I would interpret the phrase.

    And you have what evidence for this? Unless you actually work at Google in a fairly technically privileged position you would have no way to know if they do or do not have backdoor access under any definition of the term you care to use. You would have to be daft to presume that organizations like the NSA or law enforcement agencies don't have or cannot get access to your communications with or without Google's permission. While you are correct that in general they would need to jump through hoops, there is substantial evidence to suggest that these hoops aren't much of an obstacle.

    If law enforcement or other authorized agents of the courts present a valid and duly authorized document which legally compels Google to hand over your data, Google will hand over your data. If it's not correctly executed, is overly broad or has some other legal defect, Google will refuse.

    No, Google MIGHT refuse at their discretion. You have no way to be certain of their behavior and you should adjust your own behavior accordingly.

  14. Re:Have they fixed the 'dot' problem yet? by null+etc. · · Score: 2

    What kind of weird version of Gmail are you using? Gmail has supported dots in account names (and thus, email addresses) since inception. The rules are very simple:

    1. You can enter any number of dots anywhere in your Google account name when signing in. The dots get silently discarded when Google authenticates you. Thus "foobar" is the same as "foo.bar" is the same as "f...o.o.b.a..r".

    2. Your email address only contains the exact dots that you specified in your Google account name when you created it. If you specified your account name as "foobar", your email address will be "foobar@gmail.com". If you specified your account name as "foo.bar", your email address will be "foo.bar@gmail.com".

    3. When people send email to your Google account, once again it strips out any periods when matching your account name, and then replaces all variations with the exact account name you specified when creating it. Mail sent to "foo...bar@gmail.com" will properly arrive to Google account "foo.bar", where it will show up in headers as "foo.bar@gmail.com".

    It's really not that confusing.

  15. Re:Have they fixed the 'dot' problem yet? by mark-t · · Score: 2

    All correct except for the part about what it puts in the headers.

    The "To" field in the header still contains all of the dots that were originally used to address the email, and someone you are telling your gmail address to has no way to tell which, if any, of the dots in your email before the @ sign are actually part of your real email address. The message still makes its way to your real gmail inbox, but because the header "To" field might not contain your exact REAL email address, you can very easily filter it, immediately label it spam, delete it, or whatever.

  16. Re:Don't see point of required bluetooth security by bluefoxlucid · · Score: 2

    You know how passwords are stored hashed?

    With the TOTP 2FA, a shared secret is stored in plaintext: the server and client must both know a secret string, which seeds a PRNG, and generates a time-based numeric output. That means the server doesn't take your 6-digit code and "verify" it; it calculates the same code and compares it. If you hack the server, you can grab the secret key and generate the same codes. It has the same at-rest security as a database of plaintext passwords.

    With FIDO U2F devices, the device establishes trust by generating a key pair and sending the public key out. The private key stays on-device and is used to sign challenges. The secret required to prove your identity physically exists in one place: the FIDO device. You can't hack Google's servers and steal it.
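
The at-rest difference described in the comment above (using the RFC 4226/6238 codes mentioned earlier in the thread), as an added example that is not part of the original thread and not Google or FIDO code. The record layout, function names and timestamp are assumptions, and the signed-challenge half is simplified: a real U2F signature also covers the origin and a counter, not just the challenge.

```javascript
// Added example: what a copy of the server's stored record is worth under
// TOTP (RFC 6238) versus a U2F-style signed challenge. All names are hypothetical.
const { createHmac, generateKeyPairSync, randomBytes, sign, verify,
        timingSafeEqual } = require('node:crypto');

// RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;            // low nibble of last byte
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;    // 31-bit value
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch.
function totp(secret, unixSeconds, digits = 6, step = 30) {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

// Enrollment: TOTP leaves the same secret on both sides; the key-pair scheme
// leaves only the public key on the server.
function enrollTotp() {
  const secret = randomBytes(20);
  return { device: { secret }, serverRecord: { secret } };
}
function enrollKeyPair() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Server checks: TOTP recomputes the code; the key-pair scheme verifies a signature.
function verifyTotp(record, code, now) {
  const expected = Buffer.from(totp(record.secret, now));
  const given = Buffer.from(String(code));
  return given.length === expected.length && timingSafeEqual(given, expected);
}
function verifySignedChallenge(record, challenge, signature) {
  return verify('sha256', challenge, record.publicKey, signature);
}

// Leak simulation: a party holding only the server records tries to log in.
function loginWithLeakedRecords(totpRecord, now, challenge) {
  const code = totp(totpRecord.secret, now);   // the stored secret is sufficient
  // The leaked key-pair record holds no private key, so the signature has to
  // come from some other key, which the stored public key will reject.
  const other = generateKeyPairSync('ec', { namedCurve: 'P-256' }).privateKey;
  return { code, signature: sign('sha256', challenge, other) };
}

function demo(now = 1508198400 /* constructed timestamp */) {
  const t = enrollTotp();
  const k = enrollKeyPair();
  const challenge = randomBytes(32);           // fresh per login attempt
  const leaked = loginWithLeakedRecords(t.serverRecord, now, challenge);
  return {
    totpDevice: verifyTotp(t.serverRecord, totp(t.device.secret, now), now),
    totpLeakedDb: verifyTotp(t.serverRecord, leaked.code, now),
    keyDevice: verifySignedChallenge(k.serverRecord, challenge,
                                     sign('sha256', challenge, k.device.privateKey)),
    keyLeakedDb: verifySignedChallenge(k.serverRecord, challenge, leaked.signature),
  };
}

console.log(demo());
```

For a defender, the practical consequence is that TOTP seeds need the same protection at rest as any other credential-equivalent secret (encryption with a separately held key, or an HSM), while the public keys in the second scheme are not sensitive.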

  17. Re:what if I phish your password? by Immerman · · Score: 2

    Which is exactly why the "key" in proper two-factor authentication is something you physically have, and not a piece of information you can share. Whether it's a constantly changing "password" that can only be used once, or a bit of challenge-response encryption where the encryption key never leaves a secured dongle, the effect is the same - without having the device in-hand, social engineering and man-in-the-middle attacks can grant, at most, one-time access.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  18. Gmail doesn't take security seriously by mark.engelberg · · Score: 2

    Google changed gmail a few months ago so that it no longer logs you out when you close your browser (or when the browser crashes, or the computer powers off), and worse, *they've removed all options to enable this auto-logout behavior*. It used to be that you could choose between convenience (remember me so I don't need to login again) and security (always require a password to get into gmail), but they removed the choice! They've decided that they don't care about your security needs. So this claim of being "the most secure email provider" is laughable. They've already shown they don't care about security by disabling even the most basic protection of logging someone out if the browser should close, or crash, or the computer loses power, etc.