Gmail Goes HTTPS Only For All Connections 141
Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone—including the NSA–who is trying to snoop on those Gmail sessions."
GMail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.
More lip service (Score:5, Insightful)
The NSA has compromised certificates so this will make no real difference.
This is the backscatter xray machine of internet security.
Re:Uh the NSA post it says different (Score:3, Insightful)
Google was only furious because the NSA was accessing the data without paying.
Pot, Kettle, Pokadot (Score:5, Insightful)
Isn't this a bit like the company that mines your data for profit is complaining about the government that mines your data for power?
Weak SMTP SSL (Score:5, Insightful)
Sure they use SSL on their SMTP servers, but when testing it using checktls.com I see that they use RC4-SHA, not a Perfect Forward Secrecy algorithm like Yahoo is now using (DHE-RSA-CAMELLIA256-SHA). If NSA were to get a copy of Google's private key, they could decrypt all of the traffic. So to me, no PFS is the same as no SSL.
Re:More lip service (Score:5, Insightful)
After all, who wouldn't trust a certificate authority. There are so many to choose from.
If your browser is presented with a genuine signed Google.com certificate, issued by Honest Achmed's Trusty Certificates of Tehran Iran, then why shouldn't your browser just trust this certificate from a trusted CA?
Uhmm (Score:5, Insightful)
I don't know if you've been keeping up. But people fully EXPECT the NSA to be upto nasty secret snooping habits. That is actually the minor part of the story that caused the outrage. The more dangerous fact is that the NSA can demand companies or individuals turn over data to them and impose a gag order thus forcing them to keep it secret.
So AC is right in this case. Just more lip service. Encryption on your own servers is the only way to remain relatively protected.
Encryption is not the answer (Score:5, Insightful)
Ultimately, encryption is meaningless. If the NSA (or any other governmental agency) wants something, they will get it.
Even if you invent some suoer-duoer-impossible-to-crack encryption, they will simply go to a secret court (that is accountable to no one) and get a secret order, that you must comply with and that you aren't allowed to talk about under penalty of going to prison, on the grounds of NATIONAL SECURITY.
Until *THAT* problem is addressed, encryption is meaningless.
Messages Are Not Encrypted (Score:5, Insightful)
Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure.
Horseshit. The message is not encrypted. It is cleartext travelling over encrypted channels. It is on their machines in the clear, which enables them to do things for you, like search and filter, and against you, like profiling you and anyone who sends you email.
Re:Doesn't matter (Score:5, Insightful)
Somebody mod this up. This is dead right.
Google can encrypt the data all they want, right down to encrypting it when it arrives, and leaving it encrypted for its lifetime on their servers, but the NSA can just say "gimme the data AND the keys to unlock it". The keys are just data, and obviously Google has access to them, therefore so does the NSA.
More precisely, the NSA would just say "gimme the decrypted data". But it's simply wrong to say that's not an important difference.
If the NSA can snoop all connections they can scoop up terabytes of data and figure out later what's interesting and no one is the wiser. If they have to ask Google, they have to make the request specific and they have to provide justification that will satisfy some set of legally-defined standards -- and Google will then add the request to the published transparency statistics so legislators and voters can see how much is being done and decide if it's excessive.
There's a huge difference there.
Oh, and I can't think of any case in which the government could legally demand the keys.
Re:Pot, Kettle, Pokadot (Score:5, Insightful)
Isn't this a bit like the company that mines your data for profit is complaining about the government that mines your data for power?
If showing you ads is like targeting your for a Hellfire drone missile strike, then sure. To me that fails the moral equivalence test.