Google flips default switch for always-on Gmail crypto

Just hours after Google disclosed it and at least 20 other large companies were the targets of highly sophisticated cyberattacks, the online giant said it would enhance the security of its email service by automatically encrypting entire web sessions. The change, which Google is in the process of rolling out now, means Gmail …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    Silver lining.

    A modest thumb's-up to Google for having belatedly done the right thing. CPUs and networks are fast these days, I think I'd be willing to put up with the overhead pretty much everywhere.

  2. Anonymous Coward
    FAIL

    Engineering Director FAIL

    "encrypted data doesn't travel across the web as quickly as unencrypted data"

    Nothing to do with the load on our servers, honest guv.

    1. Lou Gosselin

      @Engineering Director FAIL

      "https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data," Gmail Engineering Director Sam Schillace wrote

      I noticed this as well. Especially as director of engineering, his words were poorly chosen. Though in his defense, maybe he was thinking that deep packet inspection at the ISPs would throttle the traffic because it was encrypted?

      As for end to end HTTPS, that's a big duh. Plain HTTP has always been vulnerable to man in the middle, even if HTTPS is used to authenticate the HTTP session. Frankly we all should have known that well before the China incident.

      1. Jamie Jones Silver badge

        Mr.

        In some cases he's correct, due to compression.

        Sure, if the webserver does gzip compression on the document before encryption, then the compression holds out, but many places use compression on a link, VPNs, etc. and some networks, so therefore it would take longer in those cases.

        Also, local caching of objects doesn't exist with https, and he might simply be describing this in a less technical way.

        Both of these situations, in layman's terms, do mean "https is slower than http"

  3. (AMPC) Anonymous and mostly paranoid coward
    Big Brother

    There is no such thing as bad publicity

    I like, I like.... could we finally return back to the era of sealed envelopes? Only Google knows for sure.

  4. Anonymous Coward
    WTF?

    Fastmail

    Have been doing this for years

  5. Anonymous 16

    Google's spin

    Could someone please explain how end to end encryption would prevent phishing attacks? Isn't it like putting two locks on a door to stop thieves, when the thieves already have keys to both locks?

    1. Anonymous Coward
      Linux

      @Anonymous 16

      They're talking about Packet Injection phishing.

      Where fields are added to web forms

  6. Anonymous Coward
    Thumb Up

    Cool

    On my moderately used GMail account I of course had ssl always on enabled, so no big deal for me, but Mr. Average user probably didn't, so a good move.

  7. Anonymous Coward
    Anonymous Coward

    Email melts down after china attack

    The China Syndrome 2.0 ?

  8. Anonymous Coward
    FAIL

    iPhone

    What do the millions of iPhone users do, the mail client transport does not appear to be encrypted for gmail...

    <cue iPhone user abuse comments>

    1. John 62
      Happy

      GMail on iPhone works fine

      I've had https enabled for ages and GMail works fine with Mail.ipa

  9. heyrick Silver badge

    You what?

    "encrypted data doesn't travel across the web as quickly as unencrypted data"

    Data is data, it's just packets right, only really making sense to the machines at either end of the link... ?

    1. Cliff

      Compression?

      I'm guessing randomised binary data is harder to compress than ASCII where on-the-fly compression is used, and maybe there are checksum overheads and stuff too?

      Purely guessing, but I could imagine how that could easily be the case, y'know?

  10. raving angry loony

    translation

    translation: "China based hackers" == "Chinese government". But I guess one has to be polite to the new 500lb gorilla on the playing field.

    Now to get email vendors to implement "always on" encryption of ALL email. Have people setup a public key as part of the email setup or something.

    Someday, I personally hope to see the death of http:// (replaced by https://) and of unsecured, unencrypted pop/imap/smtp/etc. sessions. I won't hold my breath though.

  11. Andrew Witham
    Thumb Up

    SSL for Search Next?

    It wouldn't stop access from being blocked altogether.... but it would prevent the possibility of selective blocking of search terms which would otherwise manipulate results.

    1. Anonymous Coward
      Anonymous Coward

      SSL for Search Next?

      https://ssl.scroogle.org/

  12. Long Fei

    Ads

    I wonder how this will affect their targeted ads.

  13. RobE

    HAHAHahahahaha

    About time someone did something sensible like this. Although it won't stop attacks it will make them far less successful.

  14. Patrick O'Reilly

    Gmail is one thing.

    It's all well and good having your gmail session encrypted, but what about when you move to another part of the Google domain?

  15. Anonymous Coward
    WTF?

    great but why is the announcement going to an unencrypted HTTP page

    Was most bemused to see that although I was in a httpS secure session on my gmail account, that clicking on the Announcement message took me to a http page.

  16. floweracre
    Pint

    Mobile Phones

    We use Nokia N71's. The GMail client is great but if the "use SSL" is turned on on the account, you can't get at it on the mobile. The only way is to, unfortunately, uncheck this option.

    Or is there a way to use SSL on the Nokia?

    Open to ideas

    Tony

    1. ph3d
      FAIL

      uh..

      login on a pc and change the settings then login via mobile?

  17. Anonymous Coward
    Big Brother

    Next Week...

    Next week, Google will announce their "selected partner" program that (for a fee, of course) will allow "inspection" of the encrypted data going in/out of Google's servers. Their first customer? A small nation sitting roughly between Russia and India....

    ^

    this is the ... step in Google's "South Park" plan:

    1. Get people to use your e-mail service

    2. Tell your customers the service cannot be hacked

    3. ...

    4. Profit

  18. Anonymous Coward
    Anonymous Coward

    Gmail Notifier

    I wonder if they'll update the default behaviour in GMail Notifier to use https now, rather than making those using "Always use https" install a registry hack to get it to work (http://mail.google.com/support/bin/answer.py?hl=en&answer=9429)

    No sign of it yet.

  19. Mr Templedene

    Well they broke it for me

    I can no longer log in to ANY google service using my browser of choice Opera. I've not been able to log in to my blogger account for nearly 2 weeks.

    It works fine in Firefox but I don't want to have to have two browsers open just to access google services.

    I have used Opera for years and all my bookmarks, special site settings, customised options and "muscle memory" of the various keyboard shortcuts are just too much effort to move over. Plus Opera has just too many features firefox cannot match.

    I'd rather not use google services than change browser.

    They just lost a user, but as I never had to pay for any of it I guess I can't complain.


Biting the hand that feeds IT © 1998–2022