You're weakening your argument. You first stated that NOTHING on Google's servers is encrypted, which means that anyone with access to the server could access your data, usernames, passwords and CC info. So why would the NSA be involved, especially if previously between mail servers it was already sent unencrypted? It sounds like they already were getting what they want.
You are right, Google's servers are heavily encrypted (it's even encrypted during transit between servers; why wouldn't it be on the server itself?). The data between web browser and web server on Google websites is encrypted with a 2048-bit key. And Gmail has a good encryption record both between Gmail accounts and in-transit. BTW Google also launched an interesting Chrome extension earlier this month (in alpha at this moment in time) to allow for local end-to-end encryption for emails. https://code.google.com/p/end-to-end/
(it's even encrypted during transit between servers why wouldn't it be on the server itself).
Google also launched an interesting Chrome extension earlier this month (in alpha at this moment in time) to allow for local end-to-end encryption for emails.
Because on the server it has to do what servers do: provide services. Even between MTAs, it decrypts the message from the sender, and 'routes' it. It knows sender and receiver, it sees all the headers. It has to know if it has to put it in your mail store. If it does, and you're using default settings, it will 'scan' your message for its Postini rules for spam, malware, etc. It can't do that unless it decrypts.
Open PGP takes work by the end users to implement. The 1% of the internet that cares about this already does this, without the Chrome Extension. The 99% who can't or don't, won't. At best, it makes Google's internal mail harder to intercept, and better, harder to respond to in Subpoena [Emails between Eric and Sergey and Larry are encrypted and we don't have the keys... sorry - Google Legal].
Postini is an e-mail, Web security, and archiving service owned by Google since 2007. It provides cloud computing services for filtering e-mail spam and malware (before it is delivered to a client's mail server), offers optional e-mail archiving, and protects client networks from web-borne malware.
Google is going to make OpenPGP a whole lot easier and more widely available. http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html
"Today, we’re adding to that list the alpha version of a new tool. It’s called End-to-End and it’s a Chrome extension intended for users who need additional security beyond what we already provide.
“End-to-end” encryption means data leaving your browser will be encrypted until the message’s intended recipient decrypts it, and that similarly encrypted messages sent to you will remain that way until you decrypt them in your browser.
While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools."
I presume a Chrome Extension is designed for the Chrome Browser. If so, I don't think many people here use that.
AI members may not, but they wouldn't be representative of the average user. In fact in the overall market Chrome may be the leading browser.
Comments
https://code.google.com/p/end-to-end/
This will also have the effect of undermining Google's ability to scan e-mails and integrate targeted ads. Go Apple!
No it won't. The encryption in question is between servers. Google has access to the unencrypted copy of Gmail, obviously. On its own Gmail servers it can scan and insert ads all it wants to.
Unfortunately they still have a long ways to go to catch up with Gmail.
There's a difference between end to end encryption and point to point encryption.
You and your recipient(list) need to work to get end to end encryption.
No provider can do that, unless you're on the same platform.
Point to point encryption... just makes it harder to read in transit... therefore the attack must occur on/in/behind one or both of the 'points.'
There is no reason to believe that encryption at rest means Google can't read data.
It may make it hard[er] for the standard admin to access your mail, but Google is able to decrypt and read all your mail whenever they want through the keys their servers have - unless _you_ encrypted it before it's stored on their machines (which is about every 3 seconds in Gmail draft mode).
If Google can respond to a subpoena providing them your email, your email is not encrypted so Google can't read it.
Same for them doing Postini spam/anti-malware checks on your email.
Or scanning for adwords.
Unfortunately they still have a long ways to go to catch up with Gmail.
Gmail sucks...end of story! I switched away from them a couple years ago. I wouldn't trust Google any further than I can throw them.
Wiki
Learn something every day; thanks.
Google encrypts traffic between your browser and their servers. They also encrypt traffic between their servers. But Google DOES NOT encrypt anything they store on their servers! NOTHING!
Fun fact #1–
Email is typically only encrypted in transit, where it is considered "more vulnerable" to 3rd party eavesdropping.
Fun fact #2–
Typically, mail on the server is not encrypted by ANY service. Or by companies, schools, or otherwise. That is the norm. It is generally too computationally expensive to encrypt the entire mail server database, and expect performance from said mail server. (Witness, for example, reports of even security firms getting hacked, and all their internal emails are leaked to the Internet). The fact Google is offering encryption for business subscribers is actually impressive. *If* a company or organization IS encrypting the entire mail database (which can often be measured in terabytes), they probably have a very good reason to do so.
Fun fact #3–
Even if the database was encrypted, it may not matter depending on how the hacker managed to hack into the server. i.e. if they hack the process that has access to the DB, they can still read its mail, regardless of if it was encrypted or not.
Fun fact #4–
Mail on your own personal computer (Mac or Windows, Mac Mail or Outlook or what have you), is ALSO not encrypted. (Unless you enabled FileVault on your Mac, or BitLocker on Windows). Even if you did enable full-drive encryption in your operating system– depending on how the hacker hacked into your system (say, for example, he implanted a Remote Access Tool), he might have access to all your files anyway (including mail).
Fact is, there's plenty of ways for your mail to be intercepted. And as others have pointed out– if it's truly sensitive data, you don't want to send it via email. For example, our corporate policy is that you cannot send credit card information over email, when purchasing something.
-Rick
AI members may not, but they wouldn't be representative of the average user.
http://www.sitepoint.com/browser-trends-may-2014-chrome-exceeds-expectations/
What about iOS users? "...but Chrome looks set to overtake Safari on iOS shortly."
In spite of IE most likely being the default on corporate PCs, I'm not surprised to see such a high percentage from Chrome. Especially how crappy FF has become.
1) strange that Safari on iPad has an even bigger share than Safari on the desktop
2) strange that they don't have any number on Safari for the iPhone nor for the iPod touch
3) funny that there are still people on IE6
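The point-to-point versus end-to-end distinction argued earlier in this thread can be checked on a delivered message: each server-to-server hop records in its `Received:` header whether it used TLS, while the headers stay readable to every server even when the body is PGP-encrypted. The sketch below is an added example, not part of any poster's comment; the sample message, its hostnames and the `hop_report` function are constructed for illustration.

```python
import email
import re

# Constructed sample (not from the thread); hosts use reserved example names.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with ESMTP id c3; Tue, 17 Jun 2014 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id b2; Tue, 17 Jun 2014 10:00:02 +0000
Received: from laptop.sender.example (laptop.sender.example [192.0.2.5])
\tby out.sender.example with ESMTPSA id a1; Tue, 17 Jun 2014 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: lunch

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

# RFC 3848 "with" keywords that record a hop protected by STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)


def hop_report(raw):
    """Return (hops, visible_headers, body_is_pgp); hops are oldest-first."""
    # Received lines can be forged by an earlier hop: trust only your own servers'.
    msg = email.message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3).upper() in TLS_PROTOCOLS))
    # Every relaying server can read these, whatever protects the body.
    visible = {name: msg[name] for name in ("From", "To", "Subject")}
    body = msg.get_payload()
    body_is_pgp = isinstance(body, str) and "-----BEGIN PGP MESSAGE-----" in body
    return hops, visible, body_is_pgp


if __name__ == "__main__":
    hops, visible, body_is_pgp = hop_report(SAMPLE)
    for sender, receiver, tls in hops:
        print(f"{sender} -> {receiver}: {'TLS' if tls else 'plaintext hop'}")
    print("headers readable by every server:", visible)
    print("body end-to-end encrypted (PGP armor present):", body_is_pgp)
```

In the constructed sample the last hop, inside the recipient's provider, is plain ESMTP, and the subject line is visible at every hop even though the body is PGP-armored.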