
If you're going to continue using Google Mail, it's a dumb idea to deliberately switch away from Chrome. The connection between Gmail and Chrome is among the more carefully guarded TLS connections on the Internet.

It's cute how many people think nobody can break free from gmail.

Also, what's the point of having a "carefully guarded TLS connections on the Internet", if at least one of the ends is completely compromised?

My comment didn't say "nobody can break free from gmail", but I'm happy to provide a coat rack on which to hang that argument.

Then my comment didn't say your comment said that. But I want to add that I remember very few nicknames from HN, and yours is one of those. I remember it because you once said that Google takes their users' privacy very seriously, which is hard to forget. Ever since, I saw you defending Google, no matter what. Something isn't right...

How does Google create one of the most carefully guarded TLS connections? Should other sites model their implementation?

By controlling both sides of the connection, and by investing in people like Adam Langley. And yes, other sites should. Not "control both sides of the connection", which is unrealistic, but in modeling their server configurations on Google's so they can take maximal advantage of Chrome's TLS features.

I think it uses perfect forward secrecy, unlike almost any other SSL connection: http://blogs.computerworld.com/encryption/22366/can-nsa-see-...

Perfect forward secrecy is a lot more secure since if Google's private key were compromised any traffic -- including traffic captured in the past -- would still be secure (barring some further compromise).

Each connection has 2 possibly transient negotiated public/private key pairs made just for that connection. In theory, google could store all these pairs as well and they could be compromised, but that adds up to a lot more ifs.

As near as I can tell, the extra computation required to do perfect forward secrecy is a large part of why it's not more frequently implemented.
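As an added example (not code from the thread or from Google), the scenario these comments describe, modelled in Go with the standard library's X25519: a key exchange that depends on the server's long-term key versus one built from per-connection ephemeral keys, and what an attacker who later obtains the long-term private key plus a recorded transcript can recompute. The function names, the Transcript type and the use of the raw shared secret in place of a KDF output are assumptions of this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
)

// Transcript is what a passive eavesdropper records: the public values sent on
// the wire, never a private key.
type Transcript struct{ ClientPub, ServerPub []byte }

// must panics on error; a failing CSPRNG or malformed key is fatal anyway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sharedSecret is the X25519 shared secret between priv and a peer's encoded
// public key. TLS feeds this into a KDF; here it stands in for the session key.
func sharedSecret(priv *ecdh.PrivateKey, peerPub []byte) []byte {
	return must(priv.ECDH(must(ecdh.X25519().NewPublicKey(peerPub))))
}

// staticHandshake: the client's share meets the server's long-term key (as with
// RSA key transport), so the session key depends on a secret that outlives the
// connection.
func staticHandshake(serverLong *ecdh.PrivateKey) ([]byte, Transcript) {
	client := must(ecdh.X25519().GenerateKey(rand.Reader))
	tr := Transcript{client.PublicKey().Bytes(), serverLong.PublicKey().Bytes()}
	return sharedSecret(client, tr.ServerPub), tr
}

// ephemeralHandshake models (EC)DHE: both sides use a key pair made for this
// connection only; the long-term key would merely sign srv's public key
// (signature omitted) and never enters key derivation.
func ephemeralHandshake() ([]byte, Transcript) {
	client := must(ecdh.X25519().GenerateKey(rand.Reader))
	srv := must(ecdh.X25519().GenerateKey(rand.Reader))
	tr := Transcript{client.PublicKey().Bytes(), srv.PublicKey().Bytes()}
	// client and srv go out of scope here; no private key remains to seize.
	return sharedSecret(client, tr.ServerPub), tr
}

// recoverWithLongTermKey is the thread's "later compromise": the attacker holds
// a recorded transcript plus the server's long-term private key.
func recoverWithLongTermKey(serverLong *ecdh.PrivateKey, tr Transcript) []byte {
	return sharedSecret(serverLong, tr.ClientPub)
}
```

Run both handshakes, then call recoverWithLongTermKey on each transcript: the static exchange yields the original session key, the ephemeral one yields an unrelated value.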

When Google.com's certificate was faked, it was discovered because Chrome restricts what CAs are allowed to sign Google's certificates, if I recall correctly.

Google does that for a number of other non-Google sites, too.

Pretty sure it's just Google sites, because otherwise you might get false positives as other sites change servers/IPs/certificates/etc.

Be less sure. Google provides certificate pinning as a service to other sites, who request it specifically.

Interesting. Kind of an eclectic small list: Google, Twitter, Tor, CryptoCat.

Google works for the NSA. Avoid.

If you think you can do as robust a job at securing your mail as Google does with Gmail, by all means. But I'd feel awfully dumb if I migrated from Gmail to some other web mail provider only to lose my mail to a 17-year-old with a Perl script.

I'm paying for Hushmail. But I suppose it's no better; they still honour warrants, and I haven't actually used the encryption provided, other than for notes to self. I left Google when they changed the privacy policy last year, all Google services building one personal profile, etc. This is a ramble, but Hushmail works, thus far.

I know I can select a webmail provider that is not beholden to the United States of America's government.

If you think Google is the only company that can secure webmail, I bet you are an employee.

If you really bet that, it says more about you than me.

But anyways: what does it matter if your webmail provider isn't beholden to the government, if a suitably motivated teenager can read your mail because of software vulnerabilities?

Google Mail isn't likely to be more secure just because Google is inherently better at building software than anyone else. Rather, it's because they allocate more resources to the problem of keeping Google Mail secure than any other mail provider does (or even can) allocate to their security.

False equivocation. A script kiddie is not the same as a three letter agency funded by a first world government.

First, I don't think "equivocation" means what you think it means.

Second, the equivalence isn't false. The Venn diagram of sites that can be compromised by script kiddies is entirely contained by that of sites that can be compromised by NSA.

You are equivocating the NSA and script kiddies.

Has anybody considered compiling and using Zimbra for himself ;) ?

> I know I can select a webmail provider that is not beholden to the United States of America's government.

Please do tell which one? And why you are sure they are not beholden to a government?

> If you're going to continue using Google Mail, it's a dumb idea to deliberately switch away from Chrome.

Only if that single feature outweighs your other reasons for switching away from Chrome.

It doesn't matter. Google can read your emails on the other end of the pipe, and the NSA can fetch the plaintext from them.
