Google reportedly looking into stronger encryption for Gmail

The most sensitive part of your online Google existence is almost without question Gmail, and Google's working to make that more secure than ever. In response to revelations about the mass surveillance performed by the NSA, Google is reportedly looking at implementing more complex encryption tools, possibly including the very secure Pretty Good Privacy (PGP) encryption, in Gmail.

According to Venture Beat, Google has "research underway to improve the usability of PGP with Gmail." Their source notes that end-to-end encryption is best from a security standpoint and is currently compatible with Gmail, but implementing it on the user side requires substantial effort that most users aren't capable of, or at least willing to approach.

Gmail currently relies on SSL/TLS for data transmission, though the encryption is nowhere near as strong as that of PGP. There's also the matter of advertising — if your email on Google servers is encrypted, that means that Google's efforts to run matching ads against it would be thwarted (as much as that might upset Microsoft's ad men).

It's worth noting that this is still in the exploratory phase, but given the outcry over the NSA's reported tapping of internet traffic for mass monitoring, we wouldn't be surprised to see it implemented in short order.

Source: Venture Beat

Reader comments

32 Comments

You're not referring to the same company who made the "healthcare.gov" website are you?!?!?!? Lol....

Posted via Android Central App

Google makes it seem like they have no control over the NSA snooping. Do they, or don't they?

Posted via Android Central App

The way that the NSA was spying on them they had no control over. The NSA basically hacked the line between their servers physically.

Posted via Android Central App

Fuck the NSA & Government

They use this all as a means of control to keep citizens obeying their rules

Orbot & the Tor network is the only way to hide your online footprint

Posted via Android Central App

Check out Mailvelope, it's an extension for Chrome and Firefox that can add PGP encryption to Gmail (or other webmail services). It has its drawbacks, but so far it's the best option I've found.

None of this means much. A simple court order has Google handing over whatever the NSA wants.

See, that's what I'm talking about. Why would Google flaunt implementation of encryption to their services if a court order shatters all sense of privacy?

Posted via Android Central App

If it's encrypted they will hand over data that would take a super computer a long time to crack. That's the point. End-to-end encryption with large keys is the only secure solution.

The technology has existed for a long time. I've worked for companies in the past that were neck-deep in the secure mail space. The problem we found was how to drive adoption. End-to-end encryption requires exchanging public keys with people you want to email. This is something people have repeatedly shown they won't bother to do. Unless people decide that privacy is worth a little inconvenience they will continue to put themselves at a disadvantage against forces that want to read their Internet communications.

^^^this^^^

for all the talk over privacy, people want convenience above all else. if you tell them what true privacy entails, the majority will take convenience and ease of use citing they have nothing to hide therefore nothing to worry about.

Court orders are not the easiest thing to get compared to just taking the data without anyone's say... This is mostly to prevent non court order handing over of emails

Posted via Android Central App

Right, and in the event that they do get a hold on your encrypted data, they can't make you decrypt it. There are multiple precedents where such requests have been denied due to the fifth amendment here in the US, and in other countries with other similar non-incrimination laws.

So Google should just open the gates since those snooping, tyrannical fucks will get what they want anyway? I appreciate the steps Google is taking here. Wish they'd help fund some aggressive systems to not only block unauthorized attempts at our info but to disable and ruin the thieves' systems.

Actually I have not seen any ads in my Gmail since 2008, but then this is also when I started using Google Apps Premium. And I many times wondered why they did not enable PGP for paying customers.

In the Gmail screenshot:

*you're

Lol sorry. Not a grammar Nazi but your vs you're bugs me

Posted via Android Central App

I would LOVE to see PGP in Gmail, However it's completely useless unless people can hold their own keys which I can't see happening as Google scans email content to use for advertising.

Yeah, kind of the whole point of PGP is your keys not sitting on some server waiting to be compromised. It's the catch-22 of PGP... lose your keys and that's that, but at the same time nobody else is going to be able to compromise it.

Support for such hardware would be nice if it was baked into operating systems. Maybe add NFC support for phones as well? I'd get one.

One side-effect of all the NSA crap is that I think these things will happen, and there will be a demand for it.

Actually the YubiKey acts as a USB keyboard for its OTP functionality, so it is almost universally cross-platform, and I do believe the Java Smartcard applet (not that I condone the use of Java EVER) is pretty universal as well. The NEO they refer to in that article does include NFC, I use mine to unlock my note app on my GalNexus.

EDIT: Seriously, I picked one up a few weeks ago and I LOVE it. You can use it to 2 factor authenticate LastPass, SSH, and a whole bunch of other stuff. That and the Libraries and personalization applications are all Open-Source.

K9 and APG.

Not sure if it will keep out the NSA, but it's nice to know they'll have to work for it.

Posted via Android Central App using an LG G2.

Of course NSA can break PGP, but is it enough you have all my emails but if you break the encryption then it's clearly broken the law?

It should be noted that nobody has broken the RSA crypto that PGP typically uses, provided one doesn't use the flawed NIST ECC algorithm, and makes keys of sufficient length. At minimum make a key 2048 bits. Many prominent security researchers and I both use 4096 bit keys, which I'd recommend. But as Bruce Schneier says, trust the math.
Now when I say that nobody has broken RSA, I mean through brute force attacks. There are obviously multiple side-channel attacks one could deploy to get a private key (e.g. Social-Engineering, memory-harvesting, and this particularly interesting one: http://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-t... )

Good stuff guys. Any protection is better than none. And with the right kind of keys you can make it very difficult to do.

My point was more on the legal side. I'm imagining (trouble) that if an email is picked up by the NSA, just looking at a plain text file you read it. But if they have our email/etc.., but can't just look at the content without breaking some encryption, is that (finally) enough to say "you've without a doubt broken the law" as far as eavesdropping.