Gmail goes HTTPS-only, inside and out!

Graham Cluley

In a move that will no doubt upset the NSA, Google has announced that it has strengthened security for its many millions of Gmail users.

Computer users have been advised many times to use encrypted HTTPS connections when accessing their online accounts, particularly if using public WiFi hotspots, and back in 2010 Google enabled HTTPS by default for Gmail accounts.

That means no-one can snoop on your messages as they travel through the air, and down wires, between your computer and Google’s servers. Nice one.

Well, now Google has gone one better than even HTTPS by default. Now you cannot turn off HTTPS. It’s always on, all of the time. Which means better security for all of us.

But there’s more.

Remember how last year it was revealed that the NSA was intercepting private communications and hoovering up information as it travelled between Google’s data centers? This wasn’t on the public internet, this was your data moving inside Google.

By tapping into fibre-optic cables connecting the server farms owned by the likes of Google and Yahoo, the NSA was able to see information as it was sent between them. And, alarmingly, found it easy to intercept the unencrypted information mid-transit.

Here was how the NSA depicted the secret interception in a helpful Post-It note, complete with smiley face, that got leaked by whistleblower Edward Snowden.

[Image: Google cloud exploitation]

In short, millions of data records were being gathered each day from Yahoo and Google’s internal networks and sent to the NSA’s headquarters.

Well, now Google says it has addressed that issue – ensuring that all messages are encrypted when moving internally as well:

In addition, every single email message you send or receive – 100% of them – is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centers—something we made a top priority after last summer’s revelations.

Will it be enough to stop the NSA and others intent on spying on private communications as they travel between Gmail users?

Let’s hope so.

Although one has to fear that it may take years for us to know for sure, dependent on when the next whistleblower decides to reveal what’s been going on in the name of law enforcement and national security.

If you are concerned about people snooping on your email – whether it be the NSA or malicious hackers – maybe it’s about time you considered securely encrypting your messages?

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Gmail goes HTTPS-only, inside and out!”

  1. How can Google be protected by only re-enforcing HTTPS?

    NSA can compromise the RSA algorithm itself.
    In that case, how does encryption help?

    1. I seem to remember reading that they were going to implement Perfect Forward Secrecy internally, which makes large scale key cracking rather tougher.
