Editor's Desk: Hey Google: Do the Right Thing

Security's leading thinkers ask Google to turn on HTTPS by default for Gmail, Docs and Calendar.

Information Security magazine, July-August issue


By MICHAEL S. MIMOSO
Google's credo is "Don't be evil." Some of the best security minds in the industry are imploring Google to do the right thing when it comes to the security and privacy of its free email and productivity application offerings.

In case you missed it, 38 security thinkers and researchers wrote an 11-page letter to CEO Eric Schmidt asking him to enable HTTPS encryption on Gmail, Google Docs and Google Calendar by default. That list of 38 is a roll call of security pioneers and current thought leaders, everyone from Gene Spafford, Steve Bellovin, Bill Cheswick and Bruce Schneier to white hats RSnake, Joe Grand and Jeff Moss. They point out that Google's current insecure default settings put the privacy of its cloud-based services' users at risk.

"Anyone who uses these Google services from a public connection (such as open wireless networks in coffee shops, libraries, and schools) faces a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet," the letter says.

Already, researchers have built tools that lift the authentication cookies, which by default travel unencrypted between the user's browser and Google's servers. Mike Perry's CookieMonster and Robert Graham's Hamster Wi-Fi cookie stealer were both demonstrated at DefCon within the past two years. Because the mail and document pages themselves are served over plain HTTP by default, the session cookie rides along in the clear on every page load; both tools capture it off the network and let the attacker replay it from their own browser to pose as the victim, with no password required.

Google has known about these flaws for close to two years now and has released a configuration option that turns on HTTPS if the user chooses. The group of 38, however, dares you to try to find it in the Settings option of Gmail, for instance (Hint: there are 13 settings on the General screen; HTTPS is the last one and it's under Browser connection). Furthermore, there are no encryption options at all for Docs and Calendar, and the letter intimates that users may assume the Gmail protection extends to the other services. Encryption has to be on by default across the board.
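The cookie-theft mechanism the two paragraphs above describe, as an added example that is not from the column, the letter or Google: the standard library's `http.cookiejar` applies the same rule a browser does when deciding whether a cookie is attached to a request, so it can show that a session cookie set without the `Secure` attribute is handed to any plain `http://` page load on the same host, which is exactly what a sniffer on open Wi-Fi captures, while a cookie marked `Secure` is only sent over HTTPS. The host name, cookie name and cookie value are constructed stand-ins, not real Google values.

```python
"""Why 'HTTPS by default' matters for session cookies, simulated with the
standard library's cookie jar (same send/don't-send rule a browser uses).

Constructed example: host, cookie name and value are stand-ins, not real
Google values."""
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "mail.example.com"   # constructed stand-in host, not a real service

# Two constructed Set-Cookie headers a login response might send. The weak one
# omits Secure, so a browser attaches it to plain-HTTP loads as well.
WEAK = "SID=s3cr3t-session-token; Path=/; HttpOnly"
HARDENED = "SID=s3cr3t-session-token; Path=/; HttpOnly; Secure"


class _FakeResponse:
    """Minimal stand-in for a urllib response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value   # Message appends repeats

    def info(self):
        return self._headers


def login_and_store(set_cookie_header):
    """Simulate a login that happens over HTTPS and store the cookie it sets."""
    jar = CookieJar()
    login_request = Request(f"https://{HOST}/login")
    jar.extract_cookies(_FakeResponse([set_cookie_header]), login_request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header a browser would attach to a request for url,
    or None if the jar decides the cookie must not travel on that request."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def leaks_over_plaintext(set_cookie_header):
    """True if the session cookie would be sent in the clear on a plain-HTTP
    page load to the same host, i.e. what a coffee-shop sniffer captures."""
    jar = login_and_store(set_cookie_header)
    return cookie_header_for(jar, f"http://{HOST}/inbox") is not None


def missing_flags(set_cookie_header):
    """Audit one Set-Cookie header and name the protective attributes it lacks."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label:8s} leaks over http: {leaks_over_plaintext(header)}  "
              f"missing flags: {missing_flags(header)}")
```

Note what the hardened case shows: the cookie still flows normally on `https://` requests, so marking it `Secure` costs nothing for users who are already on HTTPS. It only stops the cookie from being sent on the plaintext page loads that the default configuration produces, which is why the letter asks for HTTPS across the whole session rather than for the login page alone.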

"A large body of scientific research shows that users overwhelmingly retain default options; thus, unless the security issue is well known and salient to consumers, they will not take steps to protect themselves by enabling HTTPS. To deliver on Google's promises about privacy and security, the company should shift the default option to the more protective HTTPS setting," the letter says.

The letter also slams Google for not better informing its users of the risks of sending their documents and cookies in the clear, and points out that the performance hit from turning on encryption is negligible. Oh, by the way, did you know that Google has already turned HTTPS on by default in its Google Health, Google Voice, AdWords and AdSense offerings?

Four Things Google Needs to Do
The 38 security experts who co-signed a letter to Google CEO Eric Schmidt made four recommendations:

  1. Place a link or checkbox on the login page for Gmail, Docs, and Calendar that causes that session to be conducted entirely over HTTPS. This is similar to the "remember me on this computer" option already listed on various Google login pages. As an example, the text next to the option could read "protect all my data using encryption."
  2. Increase visibility of the "always use https" configuration option in Gmail. It should not be the last option on the Settings page, and users should not need to scroll down to see it.
  3. Rename this option to increase clarity, and expand the accompanying description so that its importance and functionality are understandable to the average user.
  4. Make the "always use https" option universal, so that it applies to all of Google's products. Gmail users who set this option should have their Docs and Calendar sessions equally protected.

That Google already encrypts those services by default is what makes its decision not to do so for Gmail, Docs and Calendar so baffling. Web 2.0 apps are supposed to be business enablers, but if individuals and/or businesses start losing personal or corporate information via this avenue, the value proposition of Web 2.0 starts looking pretty thin. Two articles in this issue of Information Security take a deeper dive into security: "Controlling Privileged Accounts" looks at the need for privileged access control, and "DNSSEC: Has the Time Come?" looks at some of the advantages and hang-ups around adding security to DNS. Check them out.

In the meantime, do the right thing, Google: turn on HTTPS by default, listen to the best minds security has to offer and follow their recommendations (see Four Things Google Needs to Do, above). They know their stuff.

Michael S. Mimoso is Editor of Information Security. Send comments on this column to feedback@infosecuritymag.com.

This was first published in July 2009
