Network News

X My Profile
View More Activity

Top Security Minds Urge Google to Encrypt All Services

A who's-who of more than three dozen high-tech and security experts from industry and academia is urging Google to beef up the privacy and security settings of its Gmail, Google Docs and Calendar online services.

At issue is whether Google is doing enough to block hackers from hijacking a user's Webmail account or intercepting information from online documents. An increasing number of free, publicly available tools may make it simple for even novice hackers to launch such attacks.

"Google's default settings put customers at risk unnecessarily. Google's services protect customers' usernames and passwords from interception and theft," said the experts, including luminaries from AT&T, PGP Corp. and top researchers from Berkeley, Harvard, MIT, Oxford and Purdue. "However, when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google's servers in the clear, allowing anyone with the right tools to steal that information."

Google uses encryption technology to block would-be cyber snoops from eavesdropping on information transmitted between users and Google online services such as Adsense, Adwords or Google Health. Users of these services will note that from the time they submit their username and password to the moment they log out, the Web address in their browser begins with an "https://" , indicating a persistent, encrypted connection.

But signatories to the letter to Google chief executive Eric Schmidt note that Google employs those same protections only sporadically or not at all on services like Gmail, Google Docs and Google Calendar.

For example, while Gmail has a setting that allows users to remain in an encrypted connection with Google indefinitely, that setting is somewhat buried and is not the default.

What's more, this setting does not affect whether Google Docs or Calendar data is encrypted. In fact, the letter points out, "there is no encryption setting available for Docs or Calendar. The only way for users of these other Google services to protect themselves is to remember to type and into their browser's location bar every time they employ those applications. Google does not explain this difference between applications, and users may incorrectly believe that setting the Gmail preference will protect all of their Google sessions."

Google executives have stated publicly that the company lets users decide whether to enable encryption all of the time for Gmail and other services, in part because encrypting everything can slow these services down. But Eugene H. Spafford, a professor of computer science at Purdue University and one of the letter signatories, said most Google users are not in a position to make an informed decision about that that trade-off.

"What we're saying in this letter is that as an iconic service, and one that professes to be concerned about user safety, Google could set a good example and set the right defaults, and if users want to switch back to something less secure, then they can," Spafford said. "We have many things in society where users aren't well enough educated about the dangers to pick the best choice, and so we depend on professionals to select what the best defaults are. We're simply asking Google to do that."

The letter acknowledges that in offering users an option to always encrypt Gmail, Google already has gone beyond the default setting of Webmail services offered by its peers, including Microsoft Hotmail and Yahoo!. But another contributor to the letter -- Markus Jakobsson, principal scientist at the Palo Alto Research Center -- said Google could further differentiate itself from its competitors by allowing users to encrypt sessions across all Google services.

Jakobsson said Google's decision to enable encryption by default on its lesser used services but not on its most-used service (Gmail) comes down to a decision about saving money, as enabling encryption across the board would undoubtedly place a higher computational load on Google's servers.

"A savings of money is the only reason not to turn encryption on if you already have it implemented," Jakobsson said. "This letter says that even if they don't have to, they ought to. They'd be investing in people's confidence by doing that."

In a post to its Online Security blog today, Google said it is currently looking into whether it would make sense to turn on HTTPS as a default for all Gmail users. From that blog post, by Alma Whitten, software engineer for Google's security and privacy teams:

We know HTTPS is a good experience for many power users who've already turned it on as their default setting. And in this case, the additional cost of offering HTTPS isn't holding us back. But we want to more completely understand the impact on people's experience, analyze the data, and make sure there are no negative effects. Ideally we'd like this to be on by default for all connections, and we're investigating the trade-offs, since there are some downsides to HTTPS -- in some cases it makes certain actions slower.

We're planning a trial in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their email. Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS?

Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users. We're also considering how to make this work best for other apps including Google Docs and Google Calendar (we offer free HTTPS for those apps as well).

A copy of the letter sent to Google is available here (PDF).

By Brian Krebs  |  June 16, 2009; 10:57 AM ET
Categories:  From the Bunker , Safety Tips  | Tags: encryption, google, https  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Apple Patches Java Flaws, At Last
Next: An Odyssey of Fraud


"... said the experts, including luminaries from AT&T, PGP Corp. and top researchers from Berkeley, Harvard, MIT, Oxford and Perdue."

Wow, I never knew Frank was into computer security -- I thought he just did chicken.
(The university in Indiana is Purdue.)

Posted by: richg74 | June 16, 2009 11:14 AM | Report abuse

yikes. fixed. tx rich

Posted by: BTKrebs | June 16, 2009 11:18 AM | Report abuse

Your link 'remain in an encrypted connection with Google indefinitely' does not appear to be valid. I get "We are unable to locate the page you requested."

Posted by: jayjordan | June 16, 2009 11:18 AM | Report abuse

@Jayjordan -- Should work now. Not sure why, but the blog tool inserted an extra space (%20) in the link.

Posted by: BTKrebs | June 16, 2009 11:23 AM | Report abuse

typo: "...make sense to turn on HTTP as a default " (should be HTTPS)

Posted by: apasserby | June 16, 2009 11:43 AM | Report abuse

But to comment on the substance of the blog: most people have NO IDEA how vulnerable they are to snoops on the network, most especially when they are using public unencrypted wireless networks (e.g. at Starbucks).

The tools to eavesdrop on your session and grab your login credentials are easy to use and available to anyone who cares to Google for them; and once some bored teen-ager has the keys to your e-mail, there's really no limit to the mischief he can get into.

Forcing Google (and other providers) to make HTTPS not only the default setting, but also the *mandatory* setting, is the only answer. If HTTPS is 'optional' (i.e., if the server will still talk to you without going through a cryptographic authentication step), there are easily available "man-in-the-middle" attack techniques to grab your login credentials.

These are huge, easily exploitable security vulnerabilities. The only saving grace is that a trivial attack requires physical proximity (e.g. the casual hacker has to be on the same wireless network as you). If/when kids decide this is the "cool" thing to do, we'll all be in a world of hurt.

Posted by: DupontJay | June 16, 2009 12:53 PM | Report abuse

Just use the Firefox extension CustomizeGoogle, which allows you to switch to HTTPS every time you login to Gmail, Google Docs or Google Calendar.

Posted by: member5 | June 16, 2009 1:39 PM | Report abuse

I use CustomizeGoogle with Firefox as well.

Works for me.

Posted by: tntsa | June 16, 2009 2:00 PM | Report abuse

Good post. Anyone in the DC area interested in Privacy, please attend the first ever bar camp on privacy: PrivacyCampDC 6.20 09.



Shaun Dakin

Posted by: shimane1 | June 16, 2009 2:18 PM | Report abuse

It seems to me there are several issues here, each of which a user needs to understand/address:

1. Security of login credentials: if you do not want someone commandeering your email (or whatever) account, make sure that the login page employs HTTPS.
2. Privacy of messages: if you are concerned about people snooping on public WiFi, HTTPS addresses this issue as well.
3. Privacy of sensitive information: just because you are using HTTPS, your message/document is not protected from prying eyes. Email should be treated as secure as a snail mail post card. Assume anyone who wants to, could read it. Google does not, to my knowledge encrypt your messages. When the recipient reads the message, there is no guarantee that he or she will be employing a secure connection nor that the PC on which the email may ultimately be stored is secure.

Bottom line: if the message is sensitive, do not send it via email, nor store it in "the cloud".

Posted by: MikeWyman | June 16, 2009 2:43 PM | Report abuse

I use a user script in Google Chrome which forces HTTPS for a number of Google sites as well as non-Google sites like Amazon.

Posted by: BIGELLOW | June 16, 2009 3:06 PM | Report abuse

If you use the "CustomizeGoogle" add-on in Firefox, you can force encryption of all the services listed above (Calendar, Reader, History, etc.). In addition, you can anonymize the Google GUID and you can also strip out much of the advertising on things like GMail and Reader. Good Stuff.

Posted by: JRandomReader | June 16, 2009 4:42 PM | Report abuse

Protecting Your Most Critical Information:

Trade secrets and confidential information truly are the crown jewels of many businesses. This is the information that allows businesses to compete effectively, and that provides a competitive edge. Despite the critical nature of this information, my experience is that many business people do not understand what they should be doing to protect the crown jewels. I repeatedly see posts on LinkedIn and elsewhere asking for a “form” or a link to a “free site” to get an NDA. Given the potential value of the information, this cavalier approach is surprising.

Posted by: anthonymfreed | June 17, 2009 10:24 AM | Report abuse

That’s good to see - having good security on email is a good thing – but it’s not enough. When you send out an email, after it leaves your PC and Google’s servers anyone can see it, scan it, access it. That’s why you need end-to-end protection---not just protection between your PC and the Gmail server. I like Voltage because it’s so easy and intuitive. Check it out here:

Posted by: jvarr | June 17, 2009 1:19 PM | Report abuse

Mike Wyman's points above are well taken - people do need to realise that using https does not make the information they send via, e g, email more secure. Still, as a first step, making https settings the default for such applications as Gmail, Google Docs, and Google Calendar as advocated by the security experts would certainly be a good beginning. Hope Google is listening !...


Posted by: mhenriday | June 17, 2009 6:41 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company