Tuesday, June 16, 2009

Google Asked to Provide More Security From Theft While Using Gmail

In a six-page letter signed by 36 experts in computer science, information security, and privacy law, Google was asked to toughen its security practices on behalf of its users. The letter says that the best way to protect users and their communications from theft and snooping while using Gmail, Calendar, and Docs is to enforce HTTPS and enable it by default.

In the letter the experts point out that it isn't enough to offer HTTPS, as Google already does; it needs to be enabled by default, something that at this time is not offered to users of Gmail, Calendar, or Docs. By contrast, the letter notes that services such as Voice, AdWords, Health and AdSense each use HTTPS and use it by default.

“Rather than forcing users of Gmail, Calendar, and Docs to “opt-in” to adequate security, Google should make security and privacy the default,” the letter suggests.

In addition, “…[if] Google believes that encryption and protection from hackers is a choice that should be left up to users, the company must do a better job of informing them of the risks so that they are equipped to make this choice. The company currently does very little to educate its users, and the sparse information describing encryption options is hidden, and presented in terms that few members of the general public will understand,” the recommendation adds.

Google’s official response to the letter, posted by Alma Whitten on the Google Security Blog, pointed out what is already known, namely that, “Last summer we made it even easier by letting Gmail users opt in to always use HTTPS every time they log in (no need to type or bookmark the ‘https’).”

Whitten’s response also pointed to the fact that Google has always advocated for and demonstrated a “focus on strong security in Web applications,” adding that “We know that tens of millions of Gmail users rely on it to manage their lives every day, and we have offered HTTPS access as an option in Gmail from the day we launched.”

However, the fact that HTTPS is available but opt-in only was the central focus of the open letter. Whitten hints that this might change: “…we are currently looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”

As for why this is not already happening, the open letter explains: “Google has long argued that the reason it doesn't enable HTTPS encryption by default is because of latency-related issues – that is, encrypted data may load more slowly, causing noticeable delays for the user.”

This statement is echoed by Google in its response: “…we want to more completely understand the impact on people's experience, analyze the data, and make sure there are no negative effects. Ideally we'd like this to be on by default for all connections, and we are investigating the trade-offs, since there are some downsides to HTTPS — in some cases it makes certain actions slower.”

Google says there are plans to start testing an HTTPS-by-default setting on small samples of Gmail users, “…to see what their experience is, and whether it affects the performance of their email. Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS?”

As a trade-off, the experts say that once HTTPS is enabled by default, the current opt-in option could be replaced by an opt-out option, once again placing the control in the user’s hands as Google originally intended.

The question is, what will Google do? Its official response offers some general thoughts on the matter and lets the public know that its thinking on the issue is positive, but it does not state one way or the other what its plans are. While testing solutions is a good start, how hard would it be to reverse the opt-in, replace it with an opt-out, and enforce HTTPS across its application network?

There is also the fact that those who opt in to HTTPS now lose functionality in some gadgets, namely the Gmail gadget on iGoogle. Minor issues like this will need to be addressed and fixed as well if Google takes the letter's advice.


source: http://www.thetechherald.com/article.php/200925/3882/Experts-send-letter-to-Google-asking-for-more-security
