Open letter to Google

June 16th, 2009 at 16:05 UTC by Richard Clayton

I am one of 38 researchers and academics (almost all of whom are far more important and famous than I will ever be!), who has signed an Open Letter to Google’s CEO, Eric Schmidt.

The letter, whose text is released today, calls upon Google to honour the important privacy promises it has made to its customers and protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.

Google already uses HTTPS for sign-in, but the options to make the whole of the session secure are hidden away where few people will ever find them.

Hence, at the moment pretty much everyone who uses a public WiFi connection to read their Gmail or edit a shared doc has no protection at all if any passing stranger decides to peek and see what they’re doing.

However, getting everyone to change their behaviour will take lots of explaining. Much simpler to have Google edit a couple of configuration files and flip a default the other way.

The letter goes into the issues in considerable detail (it’s eleven pages long with all the footnotes)… Eric Schmidt can hardly complain that we’ve failed to explain the issues to him !

Entry filed under: Privacy technology

8 comments Add your own

  • 1. RichB  |  June 16th, 2009 at 16:41 UTC

    GMail has an option to enable HTTPS in it’s settings.

    However, when you use iGoogle (google.com/ig) and add the GMail gadget, you have to turn off the GMail HTTPS setting for the gadget to work. This is true even if you access iGoogle over HTTPS – it requires the GMail gadget to be accessed over HTTP!

  • 2. Charles Jennings  |  June 16th, 2009 at 21:32 UTC

    I question putting the whole blame on Google. I am in no sense defending Google, but wish to educate the – ultimately responsible – end user. With the relatively recent PoC showing how SSL sessions can be hijacked (http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1348473,00.html), it really is up to the end user to know 100% what he/she is doing / looking at. If I wanted to, I could set up a wireless AP on my laptop and act as a wireless relay to a real AP – all the while capturing the “apparent” encrypted traffic as clear-text. – In other words – stay away from public wifi networks. Me – I build ssh tunnel back to my home network and use it as a SOCK5 proxy – that way I have total control over my sessions and their security.

  • 3. anonymous coward  |  June 17th, 2009 at 01:46 UTC

    It warms my heart that people are working to make things better out there, thank you.

    Just another anonymous coward showing there text support for your work.

  • 4. Richard Clayton  |  June 17th, 2009 at 11:22 UTC

    Google (in the person of Alma Whitten) has responded to the open letter — in a fairly positive way.

    http://googleonlinesecurity.blogspot.com/2009/06/https-security-for-web-applications.html

  • 5. Clive Robinson  |  June 18th, 2009 at 15:00 UTC

    Just one minor problem,

    What sort of load will using HTTPS for all trafic put on Googles servers?

    CPU Cycles are not free even on a free service.

  • 6. ab  |  June 24th, 2009 at 10:55 UTC

    Addtional attack vectors should be also considered, in order to correctly grasp the threat level.
    Even connections on mobile phones may be at risk, according to what is explained and demonstrated in the post “Gmail Hijacking on mobiles” here:
    http://www.mseclab.com/?p=160

  • 7. Bill Dennis  |  June 26th, 2009 at 10:51 UTC

    It’s not just Google – what about Apple’s MobileMe service – http://www.me.com. It has the same issue, but worse – there is no HTTPS option when using the service! So mail, contacts, calendars etc are all coming down over HTTP. Google are streets ahead of Apple here.

  • 8. John  |  July 5th, 2009 at 21:51 UTC

    You would think those googlers would have thought about this, since they claim to be at the “blleeding edge” of technology. I’ve noticed a lot of websites that have login features still don’t use HTTPS for logins, resulting in “real” email addresses being harvested by spammers. Yahoo used to offer a secure login option a few years back, though I think they moved it to HTTPS permanently. However, if you use chat clients, they may still go over HTTP. I’m using my real email address for this site and am curious to know if this goes over HTTP or HTTPS too…

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

June 2009
M T W T F S S
« May   Jul »
1234567
891011121314
15161718192021
22232425262728
2930