Forgot your password?
typodupeerror
Google Security

Gmail Goes HTTPS Only For All Connections 141

Posted by Unknown Lamer
from the nsa-already-has-the-private-key dept.
Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone—including the NSA–who is trying to snoop on those Gmail sessions." GMail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.
This discussion has been archived. No new comments can be posted.

Gmail Goes HTTPS Only For All Connections

Comments Filter:
  • by goombah99 (560566) on Thursday March 20, 2014 @03:19PM (#46537283)

    Does Google not recall the NSA post it note showing that they intercept the post-SSL server to server commuincations within the googleshpere? NSA doesn't care about HTTPS to google as long as that back channel is still there.

  • by goombah99 (560566) on Thursday March 20, 2014 @03:20PM (#46537293)

    Here's a link:

    http://www.gizmodo.com.au/2013... [gizmodo.com.au]

  • Pheww! (Score:3, Informative)

    by Anonymous Coward on Thursday March 20, 2014 @03:25PM (#46537341)

    What a relief. Now the only people that can get my data are government agencies that ask for it and advertisers that pay for it.

  • by QuasiSteve (2042606) on Thursday March 20, 2014 @03:27PM (#46537367)

    Isn't that in part what this..

    The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers.

    ..is supposed to refer to?

    Of course if they're just going to pretend to be Google and fool browsers into thinking they're talking to Google and decrypt/re-encrypt at that point, there's not much Google can do about it anyway.

  • by poetmatt (793785) on Thursday March 20, 2014 @03:30PM (#46537405) Journal

    Please. This was debunked already. http://www.techdirt.com/articl... [techdirt.com]

  • Re:Doesn't matter (Score:5, Informative)

    by vux984 (928602) on Thursday March 20, 2014 @03:32PM (#46537411)

    Unless Google is just handing them everything anyway via Prism, or whatever other programs are in place.

    This is like installing bars over the windows to keep the govt out, knowing full well you already gave them the keys to the front door.

  • Re: More lip service (Score:4, Informative)

    by vadim_t (324782) on Thursday March 20, 2014 @03:52PM (#46537575) Homepage

    Google has their own CA. Of course the NSA may demand certs from them, but Google will have to know, so the NSA can't do it secretly anymore

  • About XMPP Security (Score:5, Informative)

    by qpqp (1969898) on Thursday March 20, 2014 @03:59PM (#46537627)

    effectively forcing XMPP server admins to lower their security if they want to federate with Google

    Just for the Google server, if you use a proper XMPP server (like Prosody, for example).

    Beware that many servers on the XMPP network use self-signed or invalid certificates, or even don't support TLS at all (such as gmail.com and all Google-hosted domains). It is possible to make exceptions like this:

    -- These hosts are allowed to authenticate via weaker mechanisms, such as dialback:
    s2s_insecure_domains = { "gmail.com" }

    [Server-to-server XMPP [prosody.im]]

    XMPP server operators are pushing for a wholly encrypted XMPP network [github.com] with several test-days, where they'll be flipping the switch to allow only encrypted communication, and the final switch to disallow unencrypted communication on May 19, 2014.
    It's going to include SSLv3, unfortunately, but we'll get there.

  • Re:Doesn't matter (Score:5, Informative)

    by glenebob (414078) on Thursday March 20, 2014 @04:00PM (#46537651)

    Somebody mod this up. This is dead right.

    Google can encrypt the data all they want, right down to encrypting it when it arrives, and leaving it encrypted for its lifetime on their servers, but the NSA can just say "gimme the data AND the keys to unlock it". The keys are just data, and obviously Google has access to them, therefore so does the NSA.

  • Re: More lip service (Score:4, Informative)

    by heypete (60671) <pete@heypete.com> on Thursday March 20, 2014 @04:34PM (#46537969) Homepage

    Google has their own intermediate CA, which is a subsidiary of GeoTrust. Given that such an intermediate could issue certs for the global internet, GeoTrust probable provides a "managed PKI" service where they retain control of the intermediate so that it will only issue certs for Google-controlled domains.

    In such a situation, GeoTrust could be compelled to issue certs using Google's intermediate CA without Google's knowledge.

    Alternatively, if Google maintained control of the intermediate, the NSA would need to compel Google to generate certs for them from their own intermediate. However, if the NSA went to GeoTrust and demanded that they generate an intermediate CA with all the same details (CN, O, OU, etc.) as the Google one, the NSA could generate certs for Google without Google knowing.

  • Re: More lip service (Score:2, Informative)

    by Wootery (1087023) on Thursday March 20, 2014 @04:48PM (#46538089)

    but Google will have to know, so the NSA can't do it secretly anymore

    Sure, but that doesn't matter. Google (will roll | have rolled | are rolling) over for the NSA, so you don't gain anything by this.

    The moment the NSA have to ask you personally, that's when you're onto something. End-to-end crypto gives you that, of course.

    Related: Tox secure IM [tox.im], the Blackphone [blackphone.ch]. Do keep an eye on those two projects. Promising stuff.

  • Re:Doesn't matter (Score:4, Informative)

    by swillden (191260) <shawn-ds@willden.org> on Thursday March 20, 2014 @06:46PM (#46539099) Homepage Journal

    You really need to read the whole Lavabit story. Basically, the government was able to convince the court that the combination of Lavabit's security architecture and the company's early stonewalling demonstrated that the only way to be sure they got all of the data the court had ordered Lavabit to hand over was to require the keys. Had Lavabit complied initially and just handed over the requested data the question of keys would never have come up.

    That may seem like a subtle distinction, but it's not. The court never said that the government has a general right to demand keys, it just said that in that particular case there were factors which meant that merely asking for the data was not going to work, and that, therefore, the government could demand the key.

    In Google's case, if the government asks -- through correct legal channels and with an appropriately-specific request -- for your e-mail, Google can and will simply comply with the request, which means that the government has no need to get keys. The only reason the government would ask for keys is in order to obtain the ability to do mass surveillance which cannot be justified Constitutionally -- and Google has the legal and technical resources to make that argument and to appeal it to the highest level.

All the evidence concerning the universe has not yet been collected, so there's still hope.

Working...