Google cloud told to encrypt itself

R in RSA wants s in https

Updated A small army of security and privacy researchers has called on Google to automatically encrypt all data transmitted via its Gmail, Google Docs, and Google Calendar services.

Google already uses Hypertext Transfer Protocol Secure (https) encryption to mask login information on this trio of cloud-based web-based applications. And netizens have the option of turning on https for all transmissions. But full-fledged https protection isn't flipped on by default.

"Google’s default settings put customers at risk unnecessarily," reads a letter lobbed to Google CEO Eric Schmidt by 37 academics and researchers. "Google’s services protect customers’ usernames and passwords from interception and theft. However, when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google’s servers in the clear, allowing anyone with the right tools to steal that information."

Signatories include Harvard-based Google watcher Benjamin Edelman; Chris Hoofnagle, the director of Information Privacy Programs at Berkeley Center for Law & Technology; and Ronald L. Rivest, the R in RSA.

In the past, Google has said it doesn't automatically enable https for performance reasons. "https can make your mail slower," the company explained in a July 2008 blog post announcing Gmail's https-session option. "Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the internet as efficiently as unencrypted data. That's why we leave the choice up to you."

But the 37 researchers see things differently. "Once a user has loaded Google Mail or Docs in their browser, performance does not depend upon a low latency Internet connection," they write. "The user’s interactions with Google’s applications typically do not depend on an immediate response from Google’s servers. This separation of the application from the Internet connection enables Google to offer ‘offline’ versions of its most popular Web applications."

Even where low latency matters, they say, outfits such as Bank of America, American Express, and Adobe have protected their sites via https without a heavy performance hit. Adobe automatically encrypts Photo Express sessions.

Of course, another good example is...Google itself. The company does automatic encryption with Google Health, Google Voice, AdSense, and Adwords. "Google’s engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense – we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default," the researchers write.

The problem, they say, is that everyday netizens don't realize the importance of encryption - and that Google fails to properly protect them from their own ignorance. Gmail now includes a setting that lets you "always use https." But the researchers complain that most users don't know it's there. And with Docs and Calendar, they point out, users can't use session encryption unless they remember to type https into their browser address bar every time they use the services.

If Google refuses to turn on https by default, the researchers say, the company should at least make sure that users understand the risks of encryption-less transmissions. There are four things they suggest:

  • Place a link or checkbox on the login page for Gmail, Docs, and Calendar that causes that session to be conducted entirely over https. This is similar to the "remember me on this computer" option already listed on various Google login pages. As an example, the text next to the option could read "protect all my data using encryption."
  • Increase visibility of the "always use https" configuration option in Gmail. It should not be the last option on the Settings page, and users should not need to scroll down to see it.
  • Rename this option to increase clarity, and expand the accompanying description so that its importance and functionality is understandable to the average user.
  • Make the "always use https" option universal, so that it applies to all of Google’s products. Gmail users who set this option should have their Docs and Calendar sessions equally protected.
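What an "always use https" setting has to mean on the server side is easy to lose in the UI discussion above: a plain-http request must be bounced to https, and the session cookie must be marked Secure so the browser never attaches it to an unencrypted request (which is exactly the exposure the researchers describe for Docs and Calendar). The following is an added illustration written for this page, not Google's code; the request and response types, the `SID` cookie name, the host `mail.example.test` and the session id are all constructed for the example.

```python
"""Added example: two cookie policies for a web app's session, modelled
in a few lines so the difference is visible. Not Google's code; all
names and values are constructed for illustration."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Request:
    url: str                      # full URL the browser requested
    cookie_header: str = ""       # raw "Cookie:" header, if any


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def issue_session_cookie(session_id: str, always_https: bool) -> str:
    """Build the Set-Cookie value for a fresh session.

    Opt-in policy (always_https=False): the cookie is sent on both http
    and https requests, so a later plain-http visit leaks it.
    Always-https policy: the Secure attribute tells the browser to send
    the cookie only over https; HttpOnly keeps page scripts from reading it.
    """
    c = SimpleCookie()
    c["SID"] = session_id
    c["SID"]["path"] = "/"
    c["SID"]["httponly"] = True
    if always_https:
        c["SID"]["secure"] = True
    return c.output(header="").strip()


def browser_would_send(set_cookie: str, scheme: str) -> bool:
    """Mimic the browser rule: a Secure cookie rides only on https."""
    c = SimpleCookie()
    c.load(set_cookie)
    secure = bool(c["SID"]["secure"])   # "" when the attribute is absent
    return not (secure and scheme != "https")


def handle(req: Request, always_https: bool) -> Response:
    """Serve the inbox. Under the always-https policy any plain-http
    request is redirected to the same URL over https before a session
    cookie is ever issued."""
    parts = urlsplit(req.url)
    if always_https and parts.scheme == "http":
        https_url = urlunsplit(("https",) + tuple(parts[1:]))
        return Response(301, {"Location": https_url})
    cookie = issue_session_cookie("constructed-session-id", always_https)
    return Response(200, {"Set-Cookie": cookie}, "inbox")


if __name__ == "__main__":
    for policy in (False, True):
        r = handle(Request("http://mail.example.test/inbox"), always_https=policy)
        print("always_https=%s -> %d %s" % (policy, r.status, r.headers))
```

With the opt-in policy the plain-http request is answered directly and the cookie it sets carries no Secure flag, so the browser will replay it in the clear; with the always-https policy the same request gets a 301 to the https URL, and the cookie issued there is withheld from any later http request.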

We have asked Google for a response to the letter, and once it arrives, we'll toss it your way. Odds are, it will be completely non-committal.

In defense of Google, the company does go farther than many other big-name web outfits. As the researchers point out in their letter, Microsoft Hotmail, Yahoo Mail, Facebook, and MySpace don't even offer an https option. But the 37 hold Google to a higher standard. "Google has made important privacy promises to users, and users naturally and reasonably expect Google to follow through on those promises." ®

Update

Google has responded with a blog post. "Free, always-on HTTPS is pretty unusual in the email business, particularly for a free email service, but we see it as another way to make the web safer and more useful. It's something we'd like to see all major webmail services provide," the company says. "In fact, we're currently looking into whether it would make sense to turn on HTTPS as the default for all Gmail users."

Google is planning a trial with a small number of Gmail users to test the effect of https all the time. "Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS?" the blog continues. "Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users."

The company is also considering how best to make automatic https work with docs and spreadsheets.

Correction

Google has also said that the researchers were in error in saying that a cookie from Docs or Calendar also gives access to Gmail without https. We have removed this error from our story as well.
