Gmail goes HTTPS-only, inside and out!

In a move that will no doubt upset the NSA, Google has announced that it has strengthened security for its many millions of Gmail users.

Computer users have been advised many times to use encrypted HTTPS connections when accessing their online accounts, particularly if using public WiFi hotspots, and back in 2010 Google enabled HTTPS by default for Gmail accounts.

That means no-one can snoop on your messages as they travel through the air, and down wires, between your computer and Google's servers. Nice one.

Well, now Google has gone one better than even HTTPS by default. Now you cannot turn off HTTPS. It's always on, all of the time. Which means better security for all of us.

But there's more.

Remember how last year it was revealed that the NSA was intercepting private communications and hoovering up information as it travelled between Google's data centers? This wasn't on the public internet, this was your data moving inside Google.

By tapping into fibre-optic cables connecting the server farms owned by the likes of Google and Yahoo, the NSA was able to see information as it was sent between them. And, alarmingly, found it easy to intercept the unencrypted information mid-transit.

Here was how the NSA depicted the secret interception in a helpful Post-It note, complete with smiley face, that got leaked by whistleblower Edward Snowden.

[Image: Google cloud exploitation]

In short, millions of data records were being gathered each day from Yahoo and Google's internal networks and sent to the NSA's headquarters.

Well, now Google says it has addressed that issue - ensuring that all messages are encrypted when moving internally as well:

In addition, every single email message you send or receive - 100% of them - is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers—something we made a top priority after last summer’s revelations.

Will it be enough to stop the NSA and others intent on spying on private communications as they travel between Gmail users?

Let's hope so.

Although one has to fear that it may take years for us to know for sure, dependent on when the next whistleblower decides to reveal what's been going on in the name of law enforcement and national security.

If you are concerned about people snooping on your email - whether it be the NSA or malicious hackers - maybe it's about time you considered securely encrypting your messages?

2 Responses

  1. Arkadeep Kundu

    March 26, 2014 at 8:04 am

    How can Google be protected by only re-enforcing HTTPS?

    NSA can compromise the RSA algorithm itself.
    In that case, how does encryption help?

    • Phil in reply to Arkadeep Kundu.

      March 26, 2014 at 10:26 am

      I seem to remember reading that they were going to implement Perfect Forward Secrecy internally, which makes large scale key cracking rather tougher.
