Google cloud told to encrypt itself

R in RSA wants s in https


Updated A small army of security and privacy researchers has called on Google to automatically encrypt all data transmitted via its Gmail, Google Docs, and Google Calendar services.

Google already uses Hypertext Transfer Protocol Secure (https) encryption to mask login information on this trio of cloud-based web-based applications. And netizens have the option of turning on https for all transmissions. But full-fledged https protection isn't flipped on by default.

"Google’s default settings put customers at risk unnecessarily," reads a letter lobbed to Google CEO Eric Schmidt by 37 academics and researchers. "Google’s services protect customers’ usernames and passwords from interception and theft. However, when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google’s servers in the clear, allowing anyone with the right tools to steal that information."

Signatories includes Harvard-based Google watcher Benjamin Edelman; Chris Hoofnagle, the director of Information Privacy Programs at Berkeley Center for Law & Technology; and Ronald L. Rivest, the R in RSA.

In the past, Google has said it doesn't automatically enable https for performance reasons. "https can make your mail slower," the company explained in a July 2008 blog post announcing Gmail's https-session option. "Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the internet as efficiently as unencrypted data. That's why we leave the choice up to you."

But 37 researchers see things a differently. "Once a user has loaded Google Mail or Docs in their browser, performance does not depend upon a low latency Internet connection," they write. "The user’s interactions with Google’s applications typically do not depend on an immediate response from Google’s servers. This separation of the application from the Internet connection enables Google to offer ‘offline’ versions of its most popular Web applications."

Even where low latency matters, they say, outfits such as Bank of America, American Express, and Adobe have protected their via https without a heavy performance hit. Adobe automatically encrypts Photo Express sessions.

Of course, another good example is...Google itself. The company does automatic encryption with Google Health, Google Voice, AdSense, and Adwords. "Google’s engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense – we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default," the researchers write.

The problem, they say, is that everyday netizens don't realize the importance of encryption - and that Google fails to properly protect them from their own ignorance. Gmail now includes a setting that lets you "always use https." But the researchers complain that most users don't know it's there. And with Docs and Calendar, they point out, users can't use session encryption unless they remember to type https into their browser address bar every time they use the services.

If Google refuses to turn on https by default, the researchers say, the company should at least make sure that users understand the risks of encryption-less transmissions. There are four things they suggest:

  • Place a link or checkbox on the login page for Gmail, Docs, and Calendar that causes that session to be conducted entirely over https. This is similar to the "remember me on this computer" option already listed on various Google login pages. As an example, the text next to the option could read "protect all my data using encryption.'
  • Increase visibility of the "always use https" configuration option in Gmail. It should not be the last option on the Settings page, and users should not need to scroll down to see it.
  • Rename this option to increase clarity, and expand the accompanying description so that its importance and functionality is understandable to the average user.
  • Make the "always use https" option universal, so that it applies to all of Google’s products. Gmail users who set this option should have their Docs and Calendar sessions equally protected.

We have asked Google for a response to the letter, and once it arrives, we'll toss it your way. Odd are, it will be completely non-committal.

In defense of Google, the company does go farther than many other big-name web outfits. As the researchers point out in their letter, Microsoft Hotmail, Yahoo Mail, Facebook, and MySpace don't even offer an https option. But the 37 hold Google to a higher standard. "Google has made important privacy promises to users, and users naturally and reasonably expect Google to follow through on those promises." ®

Update

Google has responded with a blog post. "Free, always-on HTTPS is pretty unusual in the email business, particularly for a free email service, but we see it as an another way to make the web safer and more useful. It's something we'd like to see all major webmail services provide," the company says. "In fact, we're currently looking into whether it would make sense to turn on HTTPS as the default for all Gmail user."

Google is planning a trial with a small number of Gmail users to test the affect of https all-the-time. "Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS?" the blog continues. "Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users."

The company is also considering how best to make automatic https work with docs and spreadsheets.

Correction

Google has also said that the researchers were in error in saying that a cookie from Docs or Calendar also gives access to Gmail without https. We have removed this error from our story as well.

Similar topics

Broader topics


Other stories you might like

  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading
  • Big shock: Guy who fled political violence and became rich in tech now struggles to care about political violence

    'I recognize that I come across as lacking empathy,' billionaire VC admits

    Billionaire tech investor and ex-Facebook senior executive Chamath Palihapitiya was publicly blasted after he said nobody really cares about the reported human rights abuse of Uyghur Muslims in China.

    The blunt comments were made during the latest episode of All-In, a podcast in which Palihapitiya chats to investors and entrepreneurs Jason Calacanis, David Sacks, and David Friedberg about technology.

    The group were debating the Biden administration’s response to what's said to be China's crackdown of Uyghur Muslims when Palihapitiya interrupted and said: “Nobody cares about what’s happening to the Uyghurs, okay? ... I’m telling you a very hard ugly truth, okay? Of all the things that I care about … yes, it is below my line.”

    Continue reading

Biting the hand that feeds IT © 1998–2022