
Staying at the forefront of email security and reliability - alternize
http://googleenterprise.blogspot.com/2014/03/staying-at-forefront-of-email-security.html
======
bananas
So how does this work when the CAs are less than reputable, Google has to
comply with various homeland security acts, they didn't notice people tapping
their fibre, have had numerous problems with their own staff and they have
done evil before?

Sounds like marketing fluff to me.

~~~
pfg
They have addressed and/or solved some of those issues:

> So how does this work when the CAs are less than reputable

Chrome has been using certificate pinning for Gmail for quite some time. Not
sure what has been implemented in other browsers yet.

> Google has to comply with various homeland security acts

That's a legislative issue, and not something Google can fix. I would argue
their track record on pushing for new legislation in that area is quite okay.

> they didn't notice people tapping their fibre

Traffic passing between their DCs is now being encrypted (well, it's been
confirmed for Gmail.)

> have had numerous problems with their own staff

I can think of two cases from the top of my head. There's always going to be a
small group of people who need full access to production data to do their job.
All they can do is keep that group as small as possible and audit everything.

> they have done evil before?

Please elaborate.

~~~
cottonseed
> Traffic passing between their DCs is now being encrypted (well, it's been
> confirmed for Gmail.)

Encrypted how? With what keys? There's still a single point of failure to
capture a huge amount of GMail traffic and an aggressive adversary who has
penetrated Google's networks before. Google could be saying this and still
handing over the keys to the gov't. The key is increasing the cost of bulk
surveillance. This doesn't help. The only acceptable solution is one where I
encrypt my data with my own keys.

> That's a legislative issue, and not something Google can fix.

Yes, but technical architecture changes what it means for Google to comply. If
all they have is my encrypted data, that's all they can hand over.

~~~
pfg
Sure, that's a valid point. That's something that is true for any email
provider though. Google isn't stopping you from encrypting your mail, and you
can't really expect them to force their users to do that, because sadly, the
majority doesn't care and would switch to other providers who wouldn't _annoy_
them with that whole encryption stuff.

~~~
cottonseed
That's the point: Google has their own interests, and they're not aligned with
my privacy or security, except to not be embarrassed. There is a lot they
could do besides forcing encryption on everyone, but I honestly think they
have other priorities.

------
vaadu
Email security? How do they do that when they are data-mining everyone's
inbox? Most of us have a choice on using Gmail, some kids don't
[http://www.alternet.org/education/do-no-evil-google-sued-dat...](http://www.alternet.org/education/do-no-evil-google-sued-data-mining-kids-emails-its-education-app)

~~~
ntakasaki
I guess the new changes are meant to guard against some external actors, while
internal actors will continue to have unencrypted access like this fiasco from
a while ago.

[http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...](http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats)

~~~
aiiane
Google has long since implemented other measures to safeguard against internal
bad actors.

~~~
ntakasaki
So if Larry Page wants to read my email, he cannot? I somehow doubt that.

~~~
markdown
He has greater disincentives than anyone else, and 3rd party hosts have the
ability to read your email no matter where you host it.

------
Cuuugi
Encryption is irrelevant when one party will give out the info for a price.

~~~
cromwellian
Google does not sell, nor have they ever sold, as far as I'm aware, personal user
information to third parties. Google sells ads targeted at keywords and other
interests, and while in an indirect way, this is profiting from user behavior,
it is not the same as claiming they give out your personal info.

Using third party hosted mail is a trade off, especially webmail. Unless you
are using end-to-end encryption, intermediary servers will need plaintext
access, not only to route the email, but to present it, to permit search,
filtering, and other operations users value in the webmail client.

Google is taking steps to ensure all data is encrypted-at-rest and encrypted-
in-flight. That's not a perfect defense, but it is an improvement. What is to
be gained by bashing them for taking positive steps that everyone in the
industry, we hope, is also taking?

~~~
belorn
For money, one could have Google provide ads to users who vote for a specific
party. After a few days, you look at the logs and create a database of people
and their voting habits. Thus you will now have a database of personal
information, created by the action of giving money to Google. When you pay
money for a product, it's called bought.

So I will call it bought personal user information, regardless if it has been
laundered by advertisement clicks.

~~~
cromwellian
How is Google going to know what party you voted for, when votes are by secret
ballot? Voter registration databases, which are public information available
for a small fee from state governments, are far more likely to yield a profile
of your voting behavior than your gmail contents.

Not only that, but anyone can opt-out of interest based ads for Gmail. Just go
to Ad Settings
([https://support.google.com/ads/answer/2662922?hl=en](https://support.google.com/ads/answer/2662922?hl=en))

You have the choice of not seeing targeted and relevant ads, or of not using
gmail at all. Try Fastmail for instance. I don't see the need to bash Google
for doing the right thing on security.

------
d0ugie
I'd like to see Google evangelize and hand out to their competitors, no
strings as with SPDY, any technology they develop or contribute to that helps
people communicate securely, and their competitors doing that as well.

~~~
cbr
What tech would you like to see open sourced?

------
theboss
It is incredible that gmail even had HTTP enabled. It was an option in the
gmail account settings. Honestly I am ashamed it took this long.

Their documentation stated that by default HTTPS was enabled, but this wasn't
the case for me. Mine was set to HTTP and all my emails were disclosed
whenever I accessed them from firefox (which I guess doesn't have the pins for
auto https in gmail like I'm assuming chrome does).

~~~
crystaln
You're ashamed it took this long for google, but not ashamed you didn't notice
you were accessing with ssl?

~~~
theboss
Clearly I did notice otherwise I wouldn't have a personal story about how I
noticed.

Also, there isn't much you can do. You type in gmail.com, and on one browser I
would be automatically taken to https for years. I switch to a different
browser (I only use burp with firefox) and it is suddenly http. Easy OpSec
failure to make.

~~~
magicalist
Gmail has defaulted to an encrypted connection for over four years now,
including redirecting if you attempt to access over http (yes, even in
Firefox). Really the only way that setting could have been made is if _you_
made it at some point. Everyone else was opted in to https access.

_"We are currently rolling out default https for everyone. If you've
previously set your own https preference from Gmail Settings, nothing will
change for your account. If you trust the security of your network and don't
want default https turned on for performance reasons, you can turn it off at
any time by choosing "Don't always use https" from the Settings menu."_

And seriously, you accessed your email for years over an http connection and
never even searched to find out why that was happening?

[http://gmailblog.blogspot.com/2010/01/default-https-access-f...](http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html)

~~~
theboss
You clearly did not understand what I said. I wrote that I used chrome, which
I assume has a pin for google sites because even when you allow HTTP in your
Gmail account, you would be taken to the HTTPS site.

Then, when going to firefox, it would take me to gmail over http. This is
because my account was set to http (by default) and chrome doesn't allow
connections to gmail over anything but https.

I accessed gmail one time over http in firefox (when I was connected to burp)
before I realized there was a problem. My account had been set to "Allow
Connection of HTTP" for years, but chrome will only connect with https.

Despite what they say was default, a few of my friends and I experienced a bug
where ours was set to "Allow HTTPS" but we didn't realize it since we were
using chrome.

------
jamesclarke
> In 2013, Gmail was available 99.978% of the time, which averages to less
> than two hours of disruption for a user for the entire year.

Does anyone understand why they use the term "averages" in this statement?
What is being averaged? Isn't it just 0.022% * minutes in a year?

~~~
bredman
I think this means not all outages tracked affected all users equally. Some
users would have seen more or less downtime than the 2 hours mentioned.

~~~
jamesclarke
You are probably right. In which case they should also mention that 99.978% is
also an average.

------
Oletros
It's really depressing reading the cynical comments right here.

~~~
throwwit
Being cynical is the only way security works.

------
sandstrom
What are some good alternatives to using Hosted Gmail (custom domain)?

I know of Gandi and fastmail.fm [hosted in US though, so not much of an
improvement].

~~~
fuzzythinker
zoho mail, it's a breeze (1-2 mins) to add in a new domain.

------
bredman
Am I the only one that's not that impressed by 2 hours of downtime a year?
I've worked at other companies where I was responsible for running a service
and 2 hours of downtime a year was considered a failure.

------
heinrich5991
Nice to hear they're reacting to the revelations by Snowden. I guess the
government will have a harder time eavesdropping on mails at Google without them
noticing.

~~~
nathancahill
They were "shocked" and "outraged" at the NSA datacenter hack [0]

[0] [http://money.cnn.com/2013/11/04/technology/google-nsa-snowde...](http://money.cnn.com/2013/11/04/technology/google-nsa-snowden/)

------
sreejithr
And UI clutter

