gfxgfx
 
Please login or register.

Login with username, password and session length
 
gfx gfx
gfx
76793 Posts in 13502 Topics by 1651 Members - Latest Member: Arnold99 November 26, 2024, 02:40:36 pm
*
gfx*gfx
gfx
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Google tackled on e-mail security
gfx
gfxgfx
 

Author Topic: Google tackled on e-mail security  (Read 830 times)

0 Members and 2 Guests are viewing this topic.

Offline DaBees-Knees

  • WMW Team
  • *****
Google tackled on e-mail security
« on: June 23, 2009, 05:23:19 pm »
http://news.bbc.co.uk/1/hi/technology/8107556.stm

Not strictly a p2p subject, but as most people use some form of email, and a lot use Gmail, I thought you might find this interesting.

Quote
Google has been asked to explain why it is not making its Gmail e-mail service more secure. In an open letter to Google boss Eric Schmidt, security experts, lawyers, and privacy advocates ask why Gmail users are "needlessly" being put at risk. The 38 signatories want Google to start using the secure version of the HTTP protocol to protect Gmail users.

In response, Google said it was considering trials of the secure system with a select group of users.

Secure session
"As more of us end up using insecure internet access - such as wi-fi in coffee shops, libraries, and so forth - there's a real risk of session hijacking," said Ben Edelman, a signatory of the letter and assistant professor at Harvard Business School. When users sign on to Gmail, their login name and password are encrypted as the data passes back and forth using the secure version of HTTP known as HTTPS. However, said Mr Edelman, this is turned off once sign-on is completed. A similar system works for Google Docs and Calendar. The risk, he said, was from hi-tech criminals who snoop on the unencrypted data passing back and forth to steal ID files called "session cookies" generated when these applications start being used. Mr Edelman said that using the cookies could let a criminal pose as a user. In Gmail's case, this could mean they might send e-mails in the owner's name, abuse their identity, change a password, or hijack an account. As data moves to the cloud more people will be at risk. "It's a frightening prospect," said Mr Edelman.

The open letter pointed out that Google used HTTPS to protect the data of users of its Health and Voice applications. While Google does make it possible to use HTTPS all the time when signed on to Gmail, Docs, or Calendar the option was so hard to find that few would use it, suggested the letter. It pointed out that most users retain default options and were likely to be leaving themselves at risk. "...unless the security issue is well known and salient to consumers, they will not take steps to protect themselves by enabling HTTPS," said the letter. If Google took the step to turn on HTTPS all the time, the risks would be removed.

In response, Google said it was looking into whether it made sense to use HTTPS all the time in Gmail. But, it said, before it did so it wanted to be sure that the average user experience of Gmail was not markedly changed by turning it on. It feared that enabling the encryption would slow down response times as data was scrambled and unscrambled on a PC and Google's mail servers. "We're planning a trial in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their e-mail," said Google.

Mr Edelman said it was not just Google that was putting users at risk. Every webmail company faced the same problem and should do more to protect its users. He said it was a problem that would get more acute as services move towards so called "cloud computing".
"Many of the systems we have built for authentication and session maintenance assume no man-in-the-middle attack," he said.

I suspect that just one of the many problems that will arrive with cloud computing is being highlighted here.  8)

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Google tackled on e-mail security
« Reply #1 on: June 24, 2009, 02:10:49 pm »
you can and could (for quite a while now) set the whole thing as encrypted manually by going to https://mail.google.com/mail (note the https as apposed to just http) instead of just going to 'gmail.com'....

IIRC it sticks this way as well till you manually switch it back using 'http'.... its a pain to use like this over dial tho since SSL traffic cant be compressed... but broadband of course shouldnt have a problem....

another trick is to use mail.google.com/mail?ui=1 to switch back to the old/original 'red' look... (if gmail tries to switch you back to the 'new' ui you can add &disablechatbrowsercheck=1 to the url to make it ignore the browser you are using or &ov=0 to make it think you were redirected...)

Offline Forested665

  • Forum Member
  • Linux:2003 FreeBSD:2004 Debian/BSD developer:2006
Re: Google tackled on e-mail security
« Reply #2 on: June 24, 2009, 02:43:40 pm »
i believe you posted this story before knees.
Google has been in trouble for a good while now.
BSD -  The Daemons Are No Longer Just Inside My Head.

Offline DaBees-Knees

  • WMW Team
  • *****
Re: Google tackled on e-mail security
« Reply #3 on: June 24, 2009, 04:22:39 pm »
Sorry, I didn't think it had been posted in this format before. I don't try to duplicate story lines. What attracted me to this particular article was the general reference to all email, not just Gmail, and the additional comment about cloud ware.

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Google tackled on e-mail security
 

gfxgfx
gfx
©2005-2024 WinMXWorld.com. All Rights Reserved.
SMF 2.0.19 | SMF © 2021, Simple Machines | Terms and Policies
Page created in 0.014 seconds with 23 queries.
Helios Multi © Bloc
gfx
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!