Security Communications Google Privacy Your Rights Online

Gmail Moves To HTTPS By Default 275

clone53421 writes "Although Gmail has long supported HTTPS as an option, Gmail announced their decision yesterday to switch everyone to HTTPS by default: 'We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data. Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.' I wonder if this has anything to do with the reports of Chinese users having their accounts hacked? 'Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,' said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail's servers."
  • by rastilin ( 752802 ) on Wednesday January 13, 2010 @06:54PM (#30757616)

    Encrypt everything.

    I agree, and let me add I always thought Freenet's model was onto something. It's very failure proof and it caches static content. Which unfortunately is everything. But there's probably a way to get something wiki-like using the current message board implementation, providing one had an application that could interpret the data from a dedicated board.

  • by giladpn ( 1657217 ) on Wednesday January 13, 2010 @06:57PM (#30757670)
    OK, better late than never. Good that Google has finally introduced HTTPS as a default.

    Now the next feature we all need is encryption of the content of our data when it is at rest on disks in Google's data center. That way even Google employees cannot read our mail. Not for serving up ads. Not for any reason whatsoever.

    And after that, Facebook and Twitter...

    Nah, I'm dreaming.
  • by vinn01 ( 178295 ) on Wednesday January 13, 2010 @07:03PM (#30757740)

    Anyone care to guess if Yahoo! will do the same thing?

    I really hope so. I use a Yahoo account and I know how easy it is to sniff Ethernet. I hate to read mail at cafes and other places where I'm not certain of the LAN security.

  • No Brainer (Score:3, Interesting)

    by fm6 ( 162816 ) on Wednesday January 13, 2010 @07:03PM (#30757742) Homepage Journal

    Encryption has some overhead, but so what? It's not like modern hardware isn't up to it.

    Anybody who cares about security has stopped using open protocols to send sensitive data. FTP is out, SFTP is in. Goodbye Telnet, hello SSH. And anybody who sends passwords over an open HTTP, SMTP, or IMAP connection is begging to be hacked. (POP? You're still using POP?) The issue is not security versus performance, it's the usual case of people not going to the trouble of upgrading their technology until they can't ignore the problem any more.

    As usual, Google leads the pack in creating groundbreaking technology, and comes in dead last in dealing with the boring stuff, like dealing with security issues, or making sure you have the resources to properly support your latest product. They need to hire fewer geniuses and start hiring more ordinary drudges with the patience to make things work in the real world.

  • Re:Wait, what? (Score:1, Interesting)

    by Anonymous Coward on Wednesday January 13, 2010 @07:10PM (#30757818)

    I think it is a common misconception to think that encrypted data cannot be compressed.

    On Compression of Data Encrypted with Block Ciphers (from DCC2009, http://dx.doi.org/10.1109/DCC.2009.71).

    From the article conclusions: "Simulation results indicate that, while still far from theoretical limits, considerable compression gains are attainable and improved performance can be expected as block sizes increase in the future."

  • Re:Great! (Score:2, Interesting)

    by Anonymous Coward on Wednesday January 13, 2010 @07:10PM (#30757820)

    Great move by Google,

    Especially considering yahoo & hotmail don't have any option for https.

  • by billstewart ( 78916 ) on Wednesday January 13, 2010 @07:46PM (#30758354) Journal

    1a - If your email is encrypted with IPSEC, then there's a per-packet overhead from the extra packet header; it's not really a percentage, though you could think of it that way for average packet sizes. It's not significant for most applications except VOIP, which typically has very small data wrapped in lots of RTP/UDP/IPSEC/IP headers.

    1b - If your email is encrypted at or above the transport layer, there's typically minimal overhead. The data encryption doesn't take extra space, except sometimes for the last packet of a session which might not contain a full block of plaintext so it gets padded by a few bytes.

    1c - There's typically some setup overhead for key exchange. It doesn't take much transmission time unless you're on some funky very-low-bit-rate transmission medium, but there can be a couple of RTTs and some public-key math calculation time. So maybe it takes an extra second for you to start Gmail - big deal.

    2 - That's why you compress the data *before* encrypting. Not many people use compressed transmission systems these days (e.g. fancy WAN optimizer tricks), and if anybody's still using SLIP or PPP with header compression, it doesn't care about HTTPS vs HTTP because that's not a Layer 1/2/3 problem.
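Added example (not part of the comment above or of the original thread): a sketch of points 1b and 2, measuring padding overhead and the effect of compressing before versus after encryption. The cipher is a stand-in (a SHA-256 counter-mode keystream over PKCS#7-style padded data), and the sample message and all function names are constructed for illustration.

```python
import hashlib
import os
import zlib

BLOCK = 16  # block size in bytes, as for AES


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in keystream, not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to the next full block (always 1..BLOCK bytes)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Pad to a block boundary, then XOR with the keystream."""
    padded = pad(plaintext)
    ks = keystream(key, nonce, len(padded))
    return bytes(a ^ b for a, b in zip(padded, ks))


def compare(message: bytes, key: bytes, nonce: bytes) -> dict:
    """Return byte counts for each ordering of compression and encryption."""
    encrypted = encrypt(key, nonce, message)
    return {
        "plaintext": len(message),
        "encrypt_only": len(encrypted),
        "compress_then_encrypt": len(encrypt(key, nonce, zlib.compress(message))),
        "encrypt_then_compress": len(zlib.compress(encrypted)),
    }


# Constructed sample: a repetitive HTML-like mail listing.
SAMPLE = b"".join(
    b"<tr><td>From: user%d@example.com</td><td>Subject: status report</td></tr>\n" % i
    for i in range(200)
)

if __name__ == "__main__":
    for name, size in compare(SAMPLE, os.urandom(32), os.urandom(12)).items():
        print(f"{name:24s}{size:7d} bytes")
```

Compressing before encrypting makes the ciphertext length depend on the plaintext content, which is why TLS-level compression was later disabled after the CRIME attack.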

  • by Blakey Rat ( 99501 ) on Wednesday January 13, 2010 @07:51PM (#30758430)

    That access is actually provided in a ton of places you wouldn't expect.

    Did you know that Xbox Live encrypts everything by default?

    Did you know the one and only exception is... voice communication? Hmm...

  • by Anonymous Coward on Wednesday January 13, 2010 @07:55PM (#30758504)

    The day someone implements DNSSEC based server key delivery in a popular browser, there will be a grass-roots effort to make your dream come true.

  • by kindbud ( 90044 ) on Wednesday January 13, 2010 @07:57PM (#30758522) Homepage

    I removed the Gmail gadget for iGoogle from my iGoogle homepage, because despite the iGoogle being loaded via HTTPS, the Gmail gadget would use plain HTTP.

    Have they changed the Gmail Gadget to also use HTTPS? I couldn't find anything about it.

  • by metrometro ( 1092237 ) on Wednesday January 13, 2010 @08:07PM (#30758666)

    "Only two Gmail accounts appear to have been accessed"... by attacking Google systems directly. Using other methods, the attackers were highly successful.

    Google disclosed that upon investigating users suspected of being attacked, they found "dozens" of Chinese human rights activists who had been compromised through phishing, malware or other systems that allowed security forces (presumably) to read their mail via a valid authentication. So, while Google itself may be mostly reliable on the backend, the security ecosystem as a whole is deeply flawed.

    Google: "as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers."
    http://googleblog.blogspot.com/2010/01/new-approach-to-china.html [blogspot.com]

    So go change your passwords.

  • by hrimhari ( 1241292 ) on Wednesday January 13, 2010 @08:09PM (#30758688) Journal

    Is it obvious to everybody that encrypting everything is good only for privacy but doesn't seem to add much to security when compared to encrypting just the authentication data then using a session ID? Or rather, could the gurus please clarify where's the security increase in putting everything over https?

  • by centauratlas ( 760571 ) on Wednesday January 13, 2010 @08:27PM (#30758940)

    How big an effort is that to do in, say, WebKit? Firefox? Why isn't anyone working on it? Or are people? What are the benefits?

    Forgive my ignorance, I truly didn't know. Is it something that a few thousand dollars of programming time would buy?

  • by roju ( 193642 ) on Wednesday January 13, 2010 @08:37PM (#30759080)

    How do you effectively search your email history if it's all encrypted? Are there algorithms for indexing encrypted data without giving too much away?

  • What about slashdot? (Score:5, Interesting)

    by ratboy666 ( 104074 ) <fred_weigel@[ ]mail.com ['hot' in gap]> on Wednesday January 13, 2010 @08:57PM (#30759288) Journal

    I really want EVERY site I visit to use https. Why doesn't slashdot?

  • Doesn't exist (Score:2, Interesting)

    by Anonymous Coward on Wednesday January 13, 2010 @09:01PM (#30759340)

    The standard e-mail addressing scheme for nearly all institutions is firstname.lastname@blahblah... It is most certainly valid.

    Google just - being a service where anyone can register - wanted to ignore dots so that johnsmit@gmail couldn't impersonate john.smith@gmail and the other way around. In addition, google only allows a-z, . and 0-9, so you can't register john-smith@gmail, john_smith@gmail... etc... You actually need to have different letters and number combination than anyone else.

  • Re:Hang on... (Score:3, Interesting)

    by asserted ( 818761 ) on Wednesday January 13, 2010 @09:30PM (#30759628)

    > Maybe that cert has been compromised by a Chinese insider.

    i don't see mail.google.com's cert on any revocation lists, so it's probably ok.
    given the approach google has taken in other aspects of the unfolding drama,
    i think it's a fairly safe bet that it would've been revoked by now if there was any doubt that it may have been compromised.

  • by Anonymous Coward on Wednesday January 13, 2010 @09:32PM (#30759644)

    Purge logs within a reasonable time since making the last octet of IP is not really making the log anonymous.

    Do not store IPs in any of the search logs. I still have not figured out why Google does it. Aside from geographical information and abuse detection you can't really use IP for anything, unless you want to provide information to authorities.

    Expire Google cookie each week.

    Provide an anonymous proxy with limited search capabilities. That way people who really care can get their top 10-20 results while the rest of us can enjoy more garbage and ads :)

    Stop any self-censoring. Information is out there to be free.

    Put up information on how to make searches anonymous, e.g. how to use TOR, privoxy and other secure tools.

  • Re:No Brainer (Score:3, Interesting)

    by fm6 ( 162816 ) on Wednesday January 13, 2010 @10:19PM (#30759974) Homepage Journal

    Yeah, GMail is pretty good — now. Do you recall that it was in beta mode for 3 years? Any other software company would have hired some QA people and gone final in 6 months. But QA is boring, and beneath the dignity of the geniuses they insist on hiring.

    I have a Google Voice account. If it were a mature product, I'd switch over in a heartbeat — it's got tons of free features that I'm currently paying PhoneTag and Skype to receive. But the UI is cranky and tends to freeze, and there are a few other issues that make me refuse to trust it. For the next couple of years, Google Voice users will be tearing out their hair, while people who actually need reliable service will go elsewhere. Then when all the bugs are swatted you'll be saying "show me another free voice mail system that...."

  • by Deanalator ( 806515 ) <pierce403@gmail.com> on Thursday January 14, 2010 @05:29AM (#30762070) Homepage

    What, is SSL complicated or something?

    Why even have logins at all? Why require passwords? Why not let anyone post under whatever name they want?

    Slashdot is a service with accounts and authentication, all of which is made useless when nothing is encrypted. People said the same bullshit about freenode, and then lilo got his password popped because he logged into freenode, in cleartext, at a coffee shop, and the GNAA ran freenode for a week. Remember that? And freenode still doesn't support encryption.

    I would bet that mentality of "no one will hack me, I'm not important enough" causes a majority of the security breaches you read about every day. Slashdot is the only web service I know of on the Internet where you are supposed to log in, but is not even running ssl on the web server.

  • by flimm ( 1626043 ) on Thursday January 14, 2010 @05:53AM (#30762170)
    There is a free certificate authority: http://www.cacert.org/ [cacert.org] . Unfortunately, it's not "official", but the root certificate is installed by default on a lot of free systems. (see ca-certificates package in Debian) I'm sure slashdot users are techy enough to understand it.
  • Re:Ouch. (Score:3, Interesting)

    by jimicus ( 737525 ) on Thursday January 14, 2010 @06:12AM (#30762240)

    > encrypted data doesn't travel across the web as quickly as unencrypted data

    That just hurts my brain.

    Actually, that is possible. Encrypted data doesn't generally compress as well as plaintext, and it's quite common for web servers to compress data before sending it to the client.

  • Re:Found the source (Score:3, Interesting)

    by rastoboy29 ( 807168 ) on Thursday January 14, 2010 @08:19AM (#30762762) Homepage
    What, you think we're not doing it to them?  Don't be naive.  They just aren't honest enough to admit it.

    But please do tone down the rhetoric.  Nobody is being killed.  Even knock on effects can't be called a "war".

    We're all just chillin' here hk0ring each other's shti.
