Google tries to NSA-proof Gmail

From http://money.cnn.com/2014/03/20/technology/security/gmail-nsa/:

 

Cool, but what about NSA's taps on their datacenter-datacenter links?

 

From first post:

 

To put it in other words, Uncle Google is trying to look like a hero because people are avoiding it, thinking that this will get them back.

It's not the NSA, or CIA, or FBI, or any governments' pseudo-evil organizations that I'm worrying about. Besides, nobody is going to use GMail to discuss about world domination plans. Instead, fix your ~Phrase Removed~ YouTube because I keep getting lags, and standardize HTML5 already!

 

Great, now why would I believe that they won't offer direct access to NSA when they ask for it?

 

http://securitywatch.pcmag.com/hack...ll-encrypted-now-but-you-re-not-nsa-proof-yet

 

I don't think that HTTPS would make any sense for DC-DC links.

You'd want VPNs for that, no?

 

Trust Google/Gmail? I just can't imagine being able to go there! I hope they prove themselves. I want to be wrong.

For me this has nothing to do with their technology. I am fully confident that Google could secure their system beyond approach. I just think at the blink of an eye (from the Gov) they will hand it all over no questions asked.

 

HTTPS makes sense between servers internally, that's not the issue. The issue is that the servers themselves can still decrypt.

It it's:

Google server <--> NSA box <--> Google server

HTTPS defeats their box.

But if the Google server itself *is* the box... there's nothing to do. Google *must* view unencrypted emails in order to do basic functions like spam filtering and malware detection.

 

Well, I don't even pretend to know how Google moves mail around between servers in different data centers.

But I was thinking in terms of synching databases, bulk transfers, etc.

To me, HTTPS makes sense between a browser and the server it's connected to. But maybe they do a lot of proxying, from one server to another, until they either hit the recipient's Gmail account, or exit Google via SMTP. Is that more or less what you're saying?

Also, many people use clients with their Gmail accounts, and I don't see how HTTPS would be involved in that. But hey, what do I know?

 

This is a trick question, right?

 

From http://gmailblog.blogspot.com/2014/03/staying-at-forefront-of-email-security.html:

 

Think I'll stick with my current practices. Complete lack of trust for server-side encryption/security.

 

A lot of good HTTPS will do when it's broken at the certificate authority level. This is strictly PR for those who don't understand how HTTPS works.

 

From How does the NSA break SSL?:

Regarding passive surveillance, Google uses Perfect Forward Secrecy.

 

By using the information that's been available I tried to put together a schematic that addresses problems in email security. It's not perfect and fully consistent with the leaks (there's too much to digest)

-http://www.cs.helsinki.fi/u/oottela/emailsec.pdf-

 

With a splitter and stolen certificates, there's no need to decode or MITM the original. They can decode the copies and allow the originals to pass through. Regarding being detectable, that's what NSLs are for. We already know that they do both. What reason is there to think that they don't use both abilities together?

 

Despite all the naysayers in this thread this is great news for Gmail users. More companies should follow suit.

 

People still use Gmail? Much less any google product?

Dang!

 

I think we're seeing a lot more snake-oil sort of moves regarding privacy/security since the NSA crap. In other cases, just making good public image (like Facebook).

Hotmail ain't much better though:
https://www.eff.org/deeplinks/2014/03/microsoft-says-come-back-warrant-unless-youre-microsoft

That's all I ever see people use- Yahoo, Google or Hotmail and they all suck, with Gmail being still the better of the bunch. People really don't care as long as it's free and works.

edit

There are so many issues with Youtube that now would be the perfect time for an alternative to compete with them.