Staying at the forefront of email security and reliability (googleenterprise.blogspot.com)
44 points by alternize on March 20, 2014 | 38 comments


So how does this work when the CAs are less than reputable, Google has to comply with various homeland security acts, they didn't notice people tapping their fibre, have had numerous problems with their own staff, and they have done evil before?

Sounds like marketing fluff to me.


They have addressed and/or solved some of those issues:

>So how does this work when the CAs are less than reputable

Chrome has been using certificate pinning for Gmail for quite some time. Not sure what has been implemented in other browsers yet.

>Google has to comply with various homeland security acts

That's a legislative issue, and not something Google can fix. I would argue their track record on pushing for new legislation in that area is quite okay.

>they didn't notice people tapping their fibre

Traffic passing between their DCs is now being encrypted (well, it's been confirmed for Gmail.)

>have had numerous problems with their own staff

I can think of two cases off the top of my head. There's always going to be a small group of people who need full access to production data to do their job. All they can do is keep that group as small as possible and audit everything.

>they have done evil before?

Please elaborate.


> Traffic passing between their DCs is now being encrypted (well, it's been confirmed for Gmail.)

Encrypted how? With what keys? There's still a single point of failure to capture a huge amount of Gmail traffic and an aggressive adversary who has penetrated Google's networks before. Google could be saying this and still be handing over the keys to the gov't. The key is increasing the cost of bulk surveillance. This doesn't help. The only acceptable solution is one where I encrypt my data with my own keys.

> That's a legislative issue, and not something Google can fix.

Yes, but technical architecture changes what it means for Google to comply. If all they have is my encrypted data, that's all they can hand over.


Sure, that's a valid point. That's something that is true for any email provider though. Google isn't stopping you from encrypting your mail, and you can't really expect them to force their users to do that, because sadly, the majority doesn't care and would switch to other providers who wouldn't annoy them with that whole encryption stuff.


That's the point: Google has their own interests, and they're not aligned with my privacy or security, except to not be embarrassed. There is a lot they could do besides forcing encryption on everyone, but I honestly think they have other priorities.


Email security? How do they do that when they are data-mining everyone's inbox? Most of us have a choice about using Gmail; some kids don't: http://www.alternet.org/education/do-no-evil-google-sued-dat...


I guess the new changes are meant to guard against some external actors, while internal actors will continue to have unencrypted access like this fiasco from a while ago.

http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...


Google has long since implemented other measures to safeguard against internal bad actors.


I wouldn't give them too much credit on this. Gmail started in 2004, so a fix in 2010 still means that Gmail had this vuln for most of its existence.


So if Larry Page wants to read my email, he cannot? I somehow doubt that.


He has greater disincentives than anyone else, and 3rd party hosts have the ability to read your email no matter where you host it.


Encryption is irrelevant when one party will give out the info for a price.


Google does not, nor have they ever, as far as I'm aware, sold personal user information to third parties. Google sells ads targeted at keywords and other interests, and while in an indirect way this is profiting from user behavior, it is not the same as claiming they give out your personal info.

Using third party hosted mail is a trade off, especially webmail. Unless you are using end-to-end encryption, intermediary servers will need plaintext access, not only to route the email, but to present it, to permit search, filtering, and other operations users value in the webmail client.

Google is taking steps to ensure all data is encrypted-at-rest and encrypted-in-flight. That's not a perfect defense, but it is an improvement. What is to be gained by bashing them for taking positive steps that everyone in the industry, we hope, is also taking?


For money, one could have Google provide ads to users who vote for a specific party. After a few days, you look at the logs and create a database of people and their voting habits. Thus you will now have a database of personal information, created by the action of giving money to Google. When you pay money for a product, it's called bought.

So I will call it bought personal user information, regardless if it has been laundered by advertisement clicks.


How is Google going to know what party you voted for, when votes are by secret ballot? Voter registration databases, which are public information available for a small fee from state governments, are far more likely to yield a profile of your voting behavior than your gmail contents.

Not only that, but anyone can opt out of interest-based ads for Gmail. Just go to Ad Settings (https://support.google.com/ads/answer/2662922?hl=en)

You have the choice of not seeing targeted and relevant ads, or of not using Gmail at all. Try Fastmail for instance. I don't see the need to bash Google for doing the right thing on security.


>Google is taking steps to ensure all data is encrypted-at-rest

Are there any references or details regarding this?


Or to avoid going to jail (assuming that they give out the info to the US government in the first place).

The word "price" hints at money, but I guess you don't mean that; it would take a lot of money for that company to risk jeopardizing its reputation.

Probably the best pressure the US government could apply is to actually threaten important people in the company with some jail time if they cooperate. So here "price" means personal freedom. Nobody would like to go to jail just because of his job, right?

In any case, yes, there is no guarantee that nobody would treat your data with no interference. If you use another mail provider, the government could grab their HTTPS certificate, or with the cooperation of a cert authority perform a man-in-the-middle attack. (Which, ironically, Google can to some extent be protected from because of cert pinning in Chrome.)

Still, in your comment you are hinting that it's easier to just "buy" it from Google because Google is just fine with selling your data to anybody for a "price". I find it hard to believe. Not saying anybody should trust Google more than any other service, but I don't see any proof that we should trust them less.


> Encryption is irrelevant when one party will give out the info for a price.

Who does that?


OTR has deniability.


I'd like to see Google evangelize and hand out to their competitors, no strings as with SPDY, any technology they develop or contribute to that helps people communicate securely, and their competitors doing that as well.


What tech would you like to see open sourced?


It is incredible that Gmail even had HTTP enabled. It was an option in the Gmail account settings. Honestly I am ashamed it took this long.

Their documentation stated that by default HTTPS was enabled, but this wasn't the case for me. Mine was set to HTTP and all my emails were disclosed whenever I accessed them from Firefox (which I guess doesn't have the pins for auto HTTPS in Gmail like I'm assuming Chrome does).


You're ashamed it took this long for Google, but not ashamed you didn't notice you were accessing with SSL?


Clearly I did notice otherwise I wouldn't have a personal story about how I noticed.

Also, there isn't much you can do. You type in gmail.com, and on one browser I would be automatically taken to HTTPS for years. I switch to a different browser (I only use Burp with Firefox) and it is suddenly HTTP. Easy OpSec failure to make.


Gmail has defaulted to an encrypted connection for over four years now, including redirecting if you attempt to access over HTTP (yes, even in Firefox). Really the only way that setting could have been made is if you made it at some point. Everyone else was opted in to HTTPS access.

"We are currently rolling out default https for everyone. If you've previously set your own https preference from Gmail Settings, nothing will change for your account. If you trust the security of your network and don't want default https turned on for performance reasons, you can turn it off at any time by choosing "Don't always use https" from the Settings menu."

And seriously, you accessed your email for years over an http connection and never even searched to find out why that was happening?

http://gmailblog.blogspot.com/2010/01/default-https-access-f...


You clearly did not understand what I said. I wrote that I used Chrome, which I assume has a pin for Google sites, because even when you allow HTTP in your Gmail account, you would be taken to the HTTPS site.

Then, when going to Firefox, it would take me to Gmail over HTTP. This is because my account was set to HTTP (by default) and Chrome doesn't allow connections to Gmail over anything but HTTPS.

I accessed Gmail one time over HTTP in Firefox (when I was connected to Burp) before I realized there was a problem. My account had been set to "Allow Connection of HTTP" for years, but Chrome will only connect with HTTPS.

Despite what they say was default, a few of my friends and I experienced a bug where ours was set to "Allow HTTPS" but we didn't realize it since we were using Chrome.
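The sub-thread above turns on two different mechanisms: a server-side redirect from http to https (which the account setting could switch off) and a browser that refuses to send the plain request at all because the host is on its shipped HSTS preload list (what the Chrome behaviour described here looks like). The following is an added illustration, not code from the thread, from Google or from any browser: given the response head a browser receives for a plain-http request and the one it receives over https, it reports whether the site upgrades the visitor and whether the https response carries a Strict-Transport-Security policy strong enough to make the site eligible for a preload list. Both response heads are constructed samples; `mail.example.test` is a placeholder host.

```python
"""Added example for the HTTP-vs-HTTPS discussion above: given the response a
browser gets for a plain-http request and the one it gets over https, decide
whether the site upgrades the visitor and whether it tells the browser to stay
on https (HSTS, RFC 6797).  The response heads are constructed, not captured."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 365 * 24 * 3600  # the max-age floor browser preload lists require


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1).

    Returns None when a conforming browser would ignore the header: max-age
    missing or non-numeric, or any directive repeated."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        return None
    return HstsPolicy(int(age), "includesubdomains" in directives, "preload" in directives)


def parse_head(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.1 response head into (status code, lower-cased headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return status, headers


def assess(http_head: str, https_head: str) -> dict:
    """Judge what a first-time visitor without a preload entry would experience."""
    status, http_headers = parse_head(http_head)
    location = http_headers.get("location", "")
    upgraded = status in (301, 302, 307, 308) and location.lower().startswith("https://")

    # RFC 6797 section 8.1: an STS header received over plain http is ignored,
    # so only the https response can establish a policy.
    _, https_headers = parse_head(https_head)
    sts = https_headers.get("strict-transport-security")
    policy = parse_hsts(sts) if sts is not None else None

    # A browser skips the plain request only for hosts on its shipped preload
    # list; this header can at most make the site eligible for that list.
    eligible = (upgraded and policy is not None and policy.preload
                and policy.include_subdomains and policy.max_age >= ONE_YEAR)
    return {
        "upgrades_to_https": upgraded,
        "hsts_policy": policy,
        "hsts_durable": policy is not None and policy.max_age >= ONE_YEAR,
        "preload_eligible": eligible,
    }


# Constructed samples: one site that does everything right, one that serves the
# page over plain http and sends its HSTS header where browsers must ignore it.
GOOD_HTTP = """HTTP/1.1 301 Moved Permanently
Location: https://mail.example.test/
Content-Length: 0
"""
GOOD_HTTPS = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html
"""
WEAK_HTTP = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
"""
WEAK_HTTPS = """HTTP/1.1 200 OK
Content-Type: text/html
"""

if __name__ == "__main__":
    print("good:", assess(GOOD_HTTP, GOOD_HTTPS))
    print("weak:", assess(WEAK_HTTP, WEAK_HTTPS))
```

The weak sample is the situation the thread describes from the server's side: the plain request is answered with the page itself, and the HSTS header it sends is exactly where the RFC says a browser has to ignore it, so nothing ever moves that visitor to https unless the browser already knew the host from its preload list.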


> In 2013, Gmail was available 99.978% of the time, which averages to less than two hours of disruption for a user for the entire year.

Does anyone understand why they use the term "averages" in this statement? What is being averaged? Isn't it just 0.022% * minutes in a year?


I think this means not all outages tracked affected all users equally. Some users would have seen more or less downtime than the 2 hours mentioned.


You are probably right. In which case they should also mention that 99.978% is also an average.
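To make the point of the exchange above concrete, here is an added example (not from the thread or from Google) that models a year of outages in user-minutes. Users, outage lengths and affected groups are constructed. It shows that the headline percentage and the "averages to" figure are the same quantity in different units (lost user-minutes over capacity versus lost user-minutes over user count), and that neither says how unevenly the downtime was spread across users.

```python
"""Added example for the "averages to less than two hours" question above: a
user-minute model of a year of outages.  Users, outage lengths and affected
groups below are constructed, not Gmail's figures."""
from collections import defaultdict

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600


def naive_downtime_minutes(availability: float, minutes: int = MINUTES_PER_YEAR) -> float:
    """The arithmetic the comment asks about: (1 - availability) * minutes in a year."""
    return (1 - availability) * minutes


def user_minute_report(users, outages, minutes: int = MINUTES_PER_YEAR) -> dict:
    """Availability measured in user-minutes, plus what individual users saw.

    `outages` is a list of (duration_minutes, set_of_affected_user_ids).  The
    headline percentage is 1 - lost user-minutes / available user-minutes; the
    "averages to" figure is the same lost user-minutes divided by the user
    count, which says nothing about how unevenly the loss was spread."""
    downtime = defaultdict(float)
    for duration, affected in outages:
        for user in affected:
            downtime[user] += duration
    per_user = [downtime[u] for u in users]
    lost = sum(per_user)
    return {
        "availability": 1 - lost / (len(users) * minutes),
        "mean_downtime_min": lost / len(users),
        "max_downtime_min": max(per_user),
        "unaffected_users": sum(1 for d in per_user if d == 0),
    }


# Constructed year: ten users, three outages of different blast radius.
USERS = list(range(10))
OUTAGES = [
    (300, set(range(5))),   # one cluster down for five hours, half the users
    (120, set(range(8))),   # a wider two-hour incident
    (60, {0}),              # a single mailbox stuck for an hour
]

if __name__ == "__main__":
    print(naive_downtime_minutes(0.99978))   # the figure quoted in the thread
    print(user_minute_report(USERS, OUTAGES))
```

In the constructed year the mean user lost a little over four hours while two users lost nothing and one lost eight, so the availability percentage is indeed an average over users, as the reply above suspects, and publishing a distribution (or at least the worst-case user) would say more than either number alone.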


It's really depressing reading the cynical comments right here.


Being cynical is the only way security works.


What are some good alternatives to using Hosted Gmail (custom domain)?

I know of Gandi and fastmail.fm [hosted in US though, so not much of an improvement].


Zoho Mail; it's a breeze (1-2 mins) to add in a new domain.


Am I the only one that's not that impressed by 2 hours of downtime a year? I've worked at other companies where I was responsible for running a service and 2 hours of downtime a year was considered a failure.


Nice to hear they're reacting to the revelations by Snowden. I guess the government will have a harder time eavesdropping on mail at Google without them noticing.


They were "shocked" and "outraged" at the NSA datacenter hack [0]

[0] http://money.cnn.com/2013/11/04/technology/google-nsa-snowde...


I'm inclined to think they're doing this for public perception and they're not actually making it significantly harder for the government to eavesdrop.


And UI clutter



