Google speeding up end-to-end crypto between data centers worldwide - Suraj-Sun
http://arstechnica.com/tech-policy/2013/09/google-speeding-up-end-to-end-crypto-between-data-centers-worldwide/

======
eksith
I'm still quite astonished that (according to some of the comments) it's
fairly standard that traffic between datacenters is not encrypted.

Granted we're talking about _extremely_ large throughput, but I thought Google
of all companies would have invested in routers capable of doing this or at
least gone to the trouble of designing their own hardware that does it; since
Google is no stranger to this already.

~~~
revelation
Why would routers do this? IPSec didn't exactly take off (this week's news
reminded us why), so end-to-end encryption wouldn't really happen on their
level.

That said, I certainly expected and assumed Google would already encrypt
traffic between data centers. What's the point of forcing HTTPS on gmail when
you constantly back up my complete email repository across the world over
unencrypted connections? In this new context, the statements on Prism ("we do
not give them direct access!") certainly seem misleading. Right, you do not
give them direct access, you just sync your databases over fibers that you
know they have access to, without encrypting the data.

~~~
abcd_f
> _IPSec didn't exactly take off_

Oh, jezus. Did you read it on the Internets?

IPsec (s is in lowercase) is _the_ standard for securing L2 connectivity and it
has been ubiquitously used for site-to-site and client-to-site connectivity
for ages. In addition to several mature FOSS implementations, every network
equipment vendor ships one. There is also a ton of client software - Windows
has supported it since Windows 2000, the SSH company (you know, _the_ ssh
creators) has been selling an IPsec Toolkit since as early as 1999, Cisco has
a VPN client that is de-facto software in Cisco-based shops for remote
workers, etc.

~~~
gonzo
IPsec, which runs at layer 3, secures IP (layer 3) traffic.

To protect L2 connectivity with IPsec, you'll need to tunnel the L2 frames
inside IP.

~~~
drdaeman
You're right. And he's right too.

Standalone IPsec is supposedly nearly non-existent, but there's plenty of
L2TP/IPsec traffic out there.

------
brokenparser
Anyone who wants their mail to remain encrypted until it's read by the
recipient should use GPG.

~~~
icebraining
The PGP encrypted emails I sent were very secure - no one ever read them!

------
rdl
If Google comes up with a much more sane version of or alternative to IPsec,
deployed on all their boxes, it would be an amazing improvement for the world.

~~~
scrrr
At this point everything they could come up with would have the feature of being
accessible by the NSA, don't you think?

~~~
rdl
No, since they don't fall under CALEA. It's possible Google Voice specific
stuff would need CALEA access, but I'm sure they handle that at a higher level
in the application.

Google needs this kind of stuff not to defend against just NSA but also every
_other_ intelligence agency out there. For 0.1% of the IC's annual budget, I
could give a third-tier country (Belgium? Nigeria?) about 5% of NSA's
capability. That, IMO, is the true risk here.

------
pjc50
This is _not_ end-to-end crypto, that would require users storing the keys to
their own emails on their own systems. This is basically TLS on a giant scale
but does not prevent email from being intercepted while "at rest" on a gmail
server.

~~~
djim
Let's not pretend these emails are sitting in plaintext on Google's servers
though. They are "fragmented and obfuscated" at rest.

------
frank_boyd
The timing suggests this is supposed to be a PR move. And a cheap/ridiculous
one at that.

~~~
abcd_f
Don't know why you are downvoted, but it's clearly a damage control move.

~~~
raverbashing
Damage control yes, but not necessarily external.

Google probably knows that even though they're mostly on good terms, this may
change.

I guess they got uncomfortable with people knowing too much already and don't
trust too much

------
Mordor
It's all about protecting the data from non-US interests; Google has probably
already given the keys to the NSA.

