Gmail Goes HTTPS Only For All Connections 141
Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone—including the NSA–who is trying to snoop on those Gmail sessions."
GMail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.
More lip service (Score:5, Insightful)
The NSA has compromised certificates so this will make no real difference.
This is the backscatter xray machine of internet security.
Re: More lip service (Score:4, Informative)
Google has their own CA. Of course the NSA may demand certs from them, but Google will have to know, so the NSA can't do it secretly anymore
Uhmm (Score:5, Insightful)
I don't know if you've been keeping up. But people fully EXPECT the NSA to be upto nasty secret snooping habits. That is actually the minor part of the story that caused the outrage. The more dangerous fact is that the NSA can demand companies or individuals turn over data to them and impose a gag order thus forcing them to keep it secret.
So AC is right in this case. Just more lip service. Encryption on your own servers is the only way to remain relatively protected.
It's not just the warrants. (Score:5, Interesting)
... people fully EXPECT the NSA to be upto nasty secret snooping habits. That is actually the minor part of the story that caused the outrage. The more dangerous fact is that the NSA can demand companies or individuals turn over data to them and impose a gag order thus forcing them to keep it secret.
I agree that the latter IS a big problem. But I don't agree that it's the ONLY problem, or the only BIG one.
National Security Letters are still relatively narrow compared to what the NSA did. They also tapped the fibers Google and others used to communicate with each other, and used these taps to snoop everything that went across them, without Google's knowledge.
I encountered a Google engineer with job responsibilities related to that at a conference last year, and he was LIVID. They'd tapped fibers OWNED BY GOOGLE - trespassing and damaging them (aong with Google's credibility) in the process - with no letters, warrants, wink-wink-nudge-nudge, or what-have-you. Google has since been installing encryption thorughout it's network - not just where it leaves the building, but even from rack to rack.
Maybe they're still stuck disclosing SOME stuff. But at least they're trying to know what it is, do their best to minimize it (and protect their model), and avoid inadvertently firehosing EVERYTHING into the maw of the NSA.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It's the comedy that doesn't stop giving!
Re: (Score:3)
So long as Google can read your emails, so can the NSA. All they have to do is get a court order. With the way email works, any email provider can read your emails really, so it's not just google.
What ultimately needs to happen is for emails to become assymetric encrypted.
Re: More lip service (Score:2)
Obviously. I didn't claim otherwise
Re: (Score:2)
This was meant to be a reply to a different post (I hit a different reply link from what I intended) but anyways I think I got my point across enough that I didn't create a second identical post in the correct place.
Re: (Score:3)
If the cryptography used is strong enough it would be. Even though RSA rigged one of their implementations, the math behind it is still solid and can be used without the NSA breaking it. If that really bothers you still, you could always go with elliptic curve. The bonus of EC is that its smaller keys are as good as longer RSA keys, so no need for crazy 4096 bit pads.
Re: More lip service (Score:4, Informative)
Google has their own intermediate CA, which is a subsidiary of GeoTrust. Given that such an intermediate could issue certs for the global internet, GeoTrust probable provides a "managed PKI" service where they retain control of the intermediate so that it will only issue certs for Google-controlled domains.
In such a situation, GeoTrust could be compelled to issue certs using Google's intermediate CA without Google's knowledge.
Alternatively, if Google maintained control of the intermediate, the NSA would need to compel Google to generate certs for them from their own intermediate. However, if the NSA went to GeoTrust and demanded that they generate an intermediate CA with all the same details (CN, O, OU, etc.) as the Google one, the NSA could generate certs for Google without Google knowing.
Re: More lip service (Score:2)
Google gets chrome to randomly send back certificates, and they then analyse them.
Yes, the return certs could be modified in transit, or blocked, but that's tricky.
Re: (Score:2, Informative)
but Google will have to know, so the NSA can't do it secretly anymore
Sure, but that doesn't matter. Google (will roll | have rolled | are rolling) over for the NSA, so you don't gain anything by this.
The moment the NSA have to ask you personally, that's when you're onto something. End-to-end crypto gives you that, of course.
Related: Tox secure IM [tox.im], the Blackphone [blackphone.ch]. Do keep an eye on those two projects. Promising stuff.
Re: (Score:2)
Of course it matters. The NSA is trying to spy on everyone all the time, and this means they will have to do far more to target individual Gmail users instead of just hoovering it all up. That's the goal, to make mass surveillance impossible or at least extremely costly. It doesn't have to be perfect to do a lot of good.
Re: (Score:2)
Google is in bed with the NSA. The NSA have Google's keys. There is at best some level of inconvenience for the NSA, but nothing more. Nothing to stop them spying on millions.
You, the spied-on end-user, do not benefit. (Well, HTTPS might keep others out, but not the NSA.) You are not made aware of when the NSA spy on you.
Anyway, even before Gmail 'went HTTPS only', virtually all use of GMail was surely still through HTTPS.
Re: (Score:2)
I hope you're right, but there's not much in this privacy/NSA game to inspire anything but cynicism.
What evidence do you have for this?
Got me there; not sure where I heard this actually.
Re: (Score:2)
Google may have to know, but you won't know.
Re: (Score:3)
More over Google have positioned themselves so that even if there was a secret court order to provide a certificate to the NSA it would be immediately obvious what had happened. Chrome pins Google certificates so if they change the user will be notified immediately. The court could order Chrome to have the new cert pinned as well, but of course it wouldn't affect older versions released prior to the order.
Google does seem to be genuinely trying to resist, even if ultimately it may be futile. At least they m
Re: (Score:2)
What google's doing is just a stupid PR stunt. They are legally bound by law not to acknowledge any NSA wiretapping, so when it became public knowledge they put on a show of faux outrage as a PR stunt. I guarantee the NSA is still getting google traffic and that google is complicit in it.
Re:More lip service (Score:5, Insightful)
After all, who wouldn't trust a certificate authority. There are so many to choose from.
If your browser is presented with a genuine signed Google.com certificate, issued by Honest Achmed's Trusty Certificates of Tehran Iran, then why shouldn't your browser just trust this certificate from a trusted CA?
Re: (Score:3)
Because if you don't accept, your browser will emit a shrill piercing wail [youtube.com], loudly declaiming your obscene and hertical attempts to use a secure connection which has not been certified. A yellow clad official [pingdom.com] -- likely of Arstotzkan [knowyourmeme.com] origin -- will appear to lend an air of official disapproval to
Re: (Score:2)
If your browser is presented with a genuine signed Google.com certificate, issued by Honest Achmed's Trusty Certificates of Tehran Iran, then why shouldn't your browser just trust this certificate from a trusted CA?
Because Google pin their certificates in Chrome, so the user would be instantly warned of the change. For non-pinned certificates you need to install a plug-in.
Re: (Score:2)
Let's say you work for a large tech company based in Mountain View and, when connecting from home, you actually inspect the certificate that is presented to your browser and it isn't the certificate that you expect. What do you do?
Next, assume you tell your bosses. What do they do?
Re: (Score:2)
Re: (Score:3)
The NSA has compromised certificates
Odd you should mention that. The link in the summery gave me a bad cert alert for */hs.llnwd.net this has happened to me before (Opera 12). llnwd.net is a source for video http://support.brightcove.com/... [brightcove.com]
I see it as a problem with Opera, but reject them just in case.
Re: (Score:2)
Oh noes! You are clearly smarter than Google, since they didn't think of that [blogspot.com]!
Re: (Score:2)
All it takes is for one compromised certificates to be saved for analysis. It is not going to match the standard certificate and either someone forged it with the certificate authority's key or the certificate authority made it. Either way, it represents proof that they were compromised.
Uh the NSA post it says different (Score:5, Informative)
Does Google not recall the NSA post it note showing that they intercept the post-SSL server to server commuincations within the googleshpere? NSA doesn't care about HTTPS to google as long as that back channel is still there.
Re:Uh the NSA post it says different (Score:5, Informative)
Here's a link:
http://www.gizmodo.com.au/2013... [gizmodo.com.au]
Re: (Score:3)
Here's a link:
http://www.gizmodo.com.au/2013... [gizmodo.com.au]
That document is what motivated Google to encrypt all links between data centers, specifically to stop that.
Re: (Score:3)
Unless google invented practical homomorphic algorithms, It's still decrypted somewhere. Just a different post it note.
Obviously it's decrypted, but only inside data centers... and maybe only inside servers. In either case it's still ultimately accessible, but we're talking about different classes of spying problems: tapping a fiber running hundreds of miles across open country vs tapping a switched network inside an access-controlled building vs extracting data from a running machine.
Granted that it wouldn't be too hard for an organization like the NSA to obtain surrepititious access to a Google data center, but the logi
Re: (Score:2)
Supposedly Google recently closed that loophole. But I seriously doubt that was the NSA's only way in. If I were running the NSA, half the staff at google would be my agents. If that's truly the case, there's basically nothing google can do to stop them.
Re: (Score:2)
Walk in with a couple of FISA warrants and a few guys in dark suits .. and guess what? There's still not a fucking thing Google can do to stop them.
At best Google will encourage better security from other parties, but if you think you can stop Big Brother carrying a FISA warrant that says your ass goes to jail for a long time if you tell anybody ... well, you're awfully naive.
This is good PR, and it's good security practice. Bu
Re: (Score:3)
Walk in with a couple of FISA warrants and a few guys in dark suits .. and guess what? There's still not a fucking thing Google can do to stop them.
If I were Google and seriously concerned about this, I'd encrypt the data in a chaining mode and keep half(+-) of the bits in different data centers in different jurisdictions.
Yeah, the bandwidth issue is real. But the best a gang could do is seize some drives with nothing useful on them. They'd be better off attacking the suspect's machine, and then at that p
Re: (Score:2)
Right. Sounds good in a paperback novel.
But when they can compel you to hand over your data and not tell anybody, they can compel you to hand over all your data, including how to assemble the bits again. A National Security Letter is an all powerful writ if they want them to be.
You really think "no sir" or "we don't know how" are go
Re:Uh the NSA post it says different (Score:4, Informative)
Isn't that in part what this..
..is supposed to refer to?
Of course if they're just going to pretend to be Google and fool browsers into thinking they're talking to Google and decrypt/re-encrypt at that point, there's not much Google can do about it anyway.
Re: (Score:2)
Of course if they're just going to pretend to be Google and fool browsers into thinking they're talking to Google and decrypt/re-encrypt at that point, there's not much Google can do about it anyway.
Yeah, not much they can do [chromium.org].
Encryption is not the answer (Score:5, Insightful)
Ultimately, encryption is meaningless. If the NSA (or any other governmental agency) wants something, they will get it.
Even if you invent some suoer-duoer-impossible-to-crack encryption, they will simply go to a secret court (that is accountable to no one) and get a secret order, that you must comply with and that you aren't allowed to talk about under penalty of going to prison, on the grounds of NATIONAL SECURITY.
Until *THAT* problem is addressed, encryption is meaningless.
Re: (Score:2)
That would be a considerable extra step for NSA to comply with. If your data is unencrypted, they merely need to scrape the data and away they go- easy mass surveillance of any number of 100's of millions of people.
If they had to take every one of their targets to a secret court (alerting them to their presence while they're at it), mass surveillance would simply not be practical.
The same logic goes for throwing up almost any security barrier. Nothing is unbreakable in the long run, but you can make it so d
Re: (Score:3, Insightful)
Google was only furious because the NSA was accessing the data without paying.
Re:Uh the NSA post it says different (Score:5, Funny)
Wrong. Google was only furious because the NSA was accessing the data without seeing ads.
Re: (Score:2)
Even worse, the NSA was NOT contributing metrics back for what they were viewing.
There's real value in knowing to properly target ads for tinfoil to people that actually need it.
Re: (Score:2)
Re: (Score:2)
Google was only furious because the NSA was accessing the data without paying.
Google doesn't sell user data to anyone. What makes you think they'd be happy to give it to the NSA if they were paid? If Google were interested in exchanging user data for money (and if it didn't contradict Google's privacy policy), they could sell lots of it.
Doesn't matter (Score:1)
The feds have all the SSL keys anyhow.
Re:Doesn't matter (Score:5, Interesting)
If perfect forward secrecy is used in the connections (which most HTTPS sites seem to do last I checked), then knowing the private keys doesn't even help them decrypt a connection, *unless* they're actively man-in-the-middling the connection from the start (which I'm sure they do often against interesting people, but probably not anywhere near 100% of everything).
Re:Doesn't matter (Score:5, Informative)
Unless Google is just handing them everything anyway via Prism, or whatever other programs are in place.
This is like installing bars over the windows to keep the govt out, knowing full well you already gave them the keys to the front door.
Re:Doesn't matter (Score:5, Informative)
Somebody mod this up. This is dead right.
Google can encrypt the data all they want, right down to encrypting it when it arrives, and leaving it encrypted for its lifetime on their servers, but the NSA can just say "gimme the data AND the keys to unlock it". The keys are just data, and obviously Google has access to them, therefore so does the NSA.
Re:Doesn't matter (Score:5, Insightful)
Somebody mod this up. This is dead right.
Google can encrypt the data all they want, right down to encrypting it when it arrives, and leaving it encrypted for its lifetime on their servers, but the NSA can just say "gimme the data AND the keys to unlock it". The keys are just data, and obviously Google has access to them, therefore so does the NSA.
More precisely, the NSA would just say "gimme the decrypted data". But it's simply wrong to say that's not an important difference.
If the NSA can snoop all connections they can scoop up terabytes of data and figure out later what's interesting and no one is the wiser. If they have to ask Google, they have to make the request specific and they have to provide justification that will satisfy some set of legally-defined standards -- and Google will then add the request to the published transparency statistics so legislators and voters can see how much is being done and decide if it's excessive.
There's a huge difference there.
Oh, and I can't think of any case in which the government could legally demand the keys.
Re: (Score:2)
Oh, and I can't think of any case in which the government could legally demand the keys.
Pretty sure that's exactly what they did to Lavabit:
The government's move against Lavabit was resisted tenaciously by Levison. After much wrangling, Levison eventually handed over Lavabit's cryptographic key in digital form, after earlier trying to satisfy a court order by printing out and handing over a copy of the key in 4-point type, a move that irked the judge handling the case.
After Lavabit resisted complying with g
Re:Doesn't matter (Score:4, Informative)
You really need to read the whole Lavabit story. Basically, the government was able to convince the court that the combination of Lavabit's security architecture and the company's early stonewalling demonstrated that the only way to be sure they got all of the data the court had ordered Lavabit to hand over was to require the keys. Had Lavabit complied initially and just handed over the requested data the question of keys would never have come up.
That may seem like a subtle distinction, but it's not. The court never said that the government has a general right to demand keys, it just said that in that particular case there were factors which meant that merely asking for the data was not going to work, and that, therefore, the government could demand the key.
In Google's case, if the government asks -- through correct legal channels and with an appropriately-specific request -- for your e-mail, Google can and will simply comply with the request, which means that the government has no need to get keys. The only reason the government would ask for keys is in order to obtain the ability to do mass surveillance which cannot be justified Constitutionally -- and Google has the legal and technical resources to make that argument and to appeal it to the highest level.
Re: (Score:2)
So to sum up:
As long as you give them everything they ask for, AND they believe you have done so. Then they can't ask for the keys.
If you don't give them everything they want, or they don't beleive you gave them everything they want, then they can ask for the keys too, and get them.
That's a loophole big enough to drive a truck through.
The only reason the government would ask for keys is in order to obtain the ability to do mass surveillance which cannot be justified Constitutionally
Well that, or they don't
Re: (Score:2)
As long as you give them everything they ask for, AND they believe you have done so. Then they can't ask for the keys.
No. There hasn't been a single example, AFAIK, of a company complying with a court order then not being believed.
That's a loophole big enough to drive a truck through.
It's not a "loophole" because (a) that's not what happened and (b) even if it had happened it would have been a case of one unreasonable judge, not a systemic issue. That's what appeals are for, etc.
Re: (Score:2)
There hasn't been a single example, AFAIK,
And how exactly would we know? When the court proceedings are largely secret with national security gag orders attached?
The lavabit situation is pretty unique in that we even found out about it.
And whether or not its a loophole is mooted by the fact that you suggest we can avoid even being asked for the keys by handing over anything and everything that is requested in the first place.
Re: (Score:2)
It exists is to protect against folks like lulzsec, not the government.
Re: (Score:2)
Of course that is true, and I wouldn't have made my comment if THAT is what the summary stated... but instead the entire summary is framed around the NSA...
From the first sentence:
"Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions."
to the last one:
"This makes life much more
https://NSA.certificate.gov (Score:1)
This is nothing but a waste of bandwidth and only makes tracking easier. Oh, wait... now I get it.
What version? Also, Google Talk is pretty dead. (Score:2)
As much as I personally love Google Talk, it's about as dead as you can get. Most links have been redirected to Hangouts, and those that aren't, you have to access manually. If anyone cares, here's the only working link that I'm aware of for Google Talk: http://www.google.com/talk/ind... [google.com]
Re: (Score:3)
I just checked, TLS 1.2 when supported, but they will fall back to 1.0 if the browser doesn't support newer 1.1/1.2. Didn't see if they'll fall back to SSL or not (or if it falls back to 1.1 at all).
NSA claims Google and others are lying (Score:1)
Re:NSA claims Google and others are lying (Score:5, Informative)
Please. This was debunked already. http://www.techdirt.com/articl... [techdirt.com]
Re: (Score:3)
And exactly why should we believe the companies' denials? Why should we believe they have any concern at all about any of this, aside from the possible bad PR?
Re: (Score:3)
Good point. You're very wise to believe the NSA, and to ignore all of the "stories" about Google encrypting everything, and suing the government, and trying to limit search warrants. After all, it would be crazy, completely crazy to think that the NSA would try and cast blame on the very companies that tried to stop them. Why, the fact that the NSA tapped Google's dark fiber between datacenters proves that Google is lying and was giving everything to the NSA!
Another possibility is that the NSA is lying an
Whew! (Score:1)
Glad to know that the copy of my mail stored for "archival purposes" in the service formerly known as Postini was sent there securely.
Pheww! (Score:3, Informative)
What a relief. Now the only people that can get my data are government agencies that ask for it and advertisers that pay for it.
Encrypting Data at Motion, not Data at Rest (Score:2)
SSL/TLS is only for data in motion, and applications that choose to use it. Anyone who gets access to the backend will still be able to freely read as much content as they like
Re: (Score:3)
Encrypting data at rest doesn't get you much. Anyone who gets access to the backend gets access to the cryptographic keys used to read the data at rest.
This is the case whenever the attacker has access to the cryptographic endpoint. The fact is, as long as Google is one of the cryptographic endpoints, if you have access to Google's data, you have access to it regardless of whether you pretend to encrypt it. The only way you can significantly change that is to make yourself (that is, the person sending and t
Re: (Score:2)
I was primarily commenting because the summary said "Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure." which is obviously incorrect. The messages aren't encrypted at all, only the network connections are.
Re: (Score:2)
That's true. The messages really are never encrypted at all. :-)
Re: (Score:2)
Super usable! And it's not like it ignores the hardest problem, with is operating PKI properly.
Pot, Kettle, Pokadot (Score:5, Insightful)
Isn't this a bit like the company that mines your data for profit is complaining about the government that mines your data for power?
Re: (Score:2)
Nobody want's competition. What if* Google wanted to move into the power market? No sense in giving the NSA a shortcut.
*when
Re: (Score:1)
Google may be many things, but at least they aren't doing it behind your back. Each service's ToS clearly say what they do and don't do with your data when you are on their domains.
Re: (Score:2)
You actually believe that ToS is a contract?
Re: (Score:1)
You can opt out of using Google's services. You cannot opt out of your government.
Re: (Score:2)
Yes, you can. But only by getting off the net completely. Don't forget, they also index Slashdot.
Re: (Score:2)
The government is slightly different, but all one needs to opt out of it, is a good boat.
Re: (Score:2)
Isn't this a bit like the company that mines your data for profit is complaining about the government that mines your data for power?
Well said.
Re:Pot, Kettle, Pokadot (Score:5, Insightful)
Isn't this a bit like the company that mines your data for profit is complaining about the government that mines your data for power?
If showing you ads is like targeting your for a Hellfire drone missile strike, then sure. To me that fails the moral equivalence test.
Re: (Score:2)
And your friends ads. And of course, selling the NSA the information they have, since the only real qualm they have with privacy is not being able to make money off of it.
Weak SMTP SSL (Score:5, Insightful)
Sure they use SSL on their SMTP servers, but when testing it using checktls.com I see that they use RC4-SHA, not a Perfect Forward Secrecy algorithm like Yahoo is now using (DHE-RSA-CAMELLIA256-SHA). If NSA were to get a copy of Google's private key, they could decrypt all of the traffic. So to me, no PFS is the same as no SSL.
Re: (Score:2)
traffic over SSL connections is not encrypted using public key cryptography.
the certificate is only used to assert there is no man in the middle during key exchange. The data is encrypted with the randomly generated keys exchanged during the SSL handshake.
Re: (Score:2)
traffic over SSL connections is not encrypted using public key cryptography.
the certificate is only used to assert there is no man in the middle during key exchange. The data is encrypted with the randomly generated keys exchanged during the SSL handshake.
Your statement is true if and only if both sides of the connection use Perfect Forward Secrecy.
If PFS is not supported by one or both sides, they revert to RSA key exchange which does use the server's RSA key to encrypt the session key. If the server's private key is compromised any non-PFS traffic that was logged in the past could be decrypted.
The AC above says that the connection between checktls.com and Gmail is made using RC4-SHA -- in that case, no Perfect Forward Secrecy is being used and the connecti
Re: (Score:2)
That depends on the cipher preferences of the client (that is, the system sending mail to Gmail). In my case, connections from my server to Gmail's SMTP servers are made using ECDHE-RSA-AES128-GCM-SHA256.
Connections from other services depend on how they're configured. Geocaching.com's outgoing mail server sends mail to Gmail using ECDHE-RSA-RC4-SHA.
because (Score:1)
Because Google wants noone besides themselves spying on your email!
Opportunistic TLS for SMTP? (Score:2)
The article briefly mentions this, but does anyone have any additional detail? Are they using opportunistic TLS on SMTP connections?
Re: (Score:2)
Google has been doing this for a long time.
Re: (Score:2)
The article briefly mentions this, but does anyone have any additional detail? Are they using opportunistic TLS on SMTP connections?
Yes.
Depending on what ciphers are supported by the remote system, different ciphersuites will be supported. CheckTLS.com will only connect with RC4-SHA, but my server connects with ECDHE-RSA-AES128-GCM-SHA256. Your mileage may vary.
Re: (Score:2)
If your side does not support TLSv1.2, then Google favors RC4 cipher to thwart BEAST vulnerability. There is only one RC4 cipher that brings PFS: ECDHE-RSA-RC4-SHA. It uses Ellipitic curve cryptography. If you do not support it, nor you support TLSv1.2, you will not get PFS from Google.
The goal is to avoid BEAST, but RC4 is weak, and PFS is highly desirable.
About XMPP Security (Score:5, Informative)
Just for the Google server, if you use a proper XMPP server (like Prosody, for example).
XMPP server operators are pushing for a wholly encrypted XMPP network [github.com] with several test-days, where they'll be flipping the switch to allow only encrypted communication, and the final switch to disallow unencrypted communication on May 19, 2014.
It's going to include SSLv3, unfortunately, but we'll get there.
Yeah, maybe ignore everything in this post . . . (Score:2)
Re: (Score:2)
. . . because the NSA stated yesterday that tech companies were fully aware of snooping the who time (http://yro.slashdot.org/story/14/03/20/1745254/nsa-general-counsel-insists-us-companies-assisted-in-data-collection).
Not only aware, not one to let a dime slip by: "Billing invoices and other documents show Microsoft charging the FBI hundreds of thousands of dollars a month to comply with legal requests for customer information," http://www.dailydot.com/news/m... [dailydot.com]
Re: (Score:2)
Messages Are Not Encrypted (Score:5, Insightful)
Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure.
Horseshit. The message is not encrypted. It is cleartext travelling over encrypted channels. It is on their machines in the clear, which enables them to do things for you, like search and filter, and against you, like profiling you and anyone who sends you email.
Re: (Score:2)
Doesn't NSA own SSL already? (Score:2)
I seem to remember hearing they had already cracked SSL among all of the recent revelations.
Either way, this is obviously a PR move. It should give nobody any high hope for Google's intentions...
Oh the irony... (Score:2)
You know, if I didn't know better, I'd think someone did this on purpose... right now the fortune at the bottom is:
Today is a good day for information-gathering. Read someone else's mail file./quote.
federate with Google? (Score:2)
Why would anyone still be doing this? They wont be supporting this really soon now, so everyone should have moved on by now.
Re: (Score:2)