Google's credo is "Do no evil." Some of the best security minds in the industry are imploring Google to do the right thing when it comes to the security and privacy of its free email and productivity application offerings.
In case you missed it, 38 security thinkers and researchers wrote an 11-page letter to CEO Eric Schmidt asking him to enable HTTPS encryption on Gmail, Google Docs and Google Calendar by default. That list of 38 is a roll call of security pioneers and current thought leaders, everyone from Gene Spafford, Steve Bellovin, Bill Cheswick and Bruce Schneier to white hats RSnake, Joe Grand and Jeff Moss. They point out that Google's current insecure default settings put the privacy of its cloud-based services' users at risk.
"Anyone who uses these Google services from a public connection (such as open wireless networks in coffee shops, libraries, and schools) faces a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet," the letter says.
Already, researchers have successfully developed tools to steal authentication data stored in cookies that are, by default, sent without encryption to and from Google's servers. Researcher Mike Perry's CookieMonster debuted at DefCon two years ago, as did Robert Graham's Hamster Wi-Fi cookie stealer. Both tools swipe unencrypted authentication data found in cookies and allow the attacker to pose as the victim.
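The risk the column describes comes down to one property of a cookie: if it is set without the Secure attribute, the browser will send it on any plain http:// request to that domain, so it can be read by anyone on the same open wireless network. The audit below is an added example, not code from the column or from Google; it parses Set-Cookie headers from a constructed server response (the cookie names and values are made up, and the list of name fragments that mark a cookie as "session-like" is an assumption) and reports which likely authentication cookies would travel in the clear.

```python
"""Audit Set-Cookie headers for authentication cookies that would be sent in the clear.

Added example for illustration; the response below is constructed, not captured
from any real service, and SESSION_HINTS is an assumed heuristic.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Name fragments that suggest a cookie carries a session or login token (assumption; tune per site).
SESSION_HINTS = ("sid", "sess", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    likely_session: bool
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute-lowercased: value})."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = pieces[0].partition("=")
    attrs: dict[str, str] = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(header: str) -> CookieReport:
    """Classify one cookie and record why it is exposed, if it is."""
    name, attrs = parse_set_cookie(header)
    report = CookieReport(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        likely_session=any(hint in name.lower() for hint in SESSION_HINTS),
    )
    if report.likely_session and not report.secure:
        report.findings.append(
            f"{name}: no Secure attribute; the browser will also send it over http://, "
            "where it can be captured on an open wireless network"
        )
    if report.likely_session and not report.httponly:
        report.findings.append(f"{name}: no HttpOnly attribute; readable by page scripts")
    return report


def audit_response(raw_headers: str) -> list[CookieReport]:
    """Audit every Set-Cookie header in a raw HTTP response header block."""
    reports = []
    for line in raw_headers.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            reports.append(audit_cookie(value.strip()))
    return reports


def exposed_cookies(raw_headers: str) -> list[str]:
    """Names of likely session cookies that would be sent over plain HTTP."""
    return [r.name for r in audit_response(raw_headers) if r.likely_session and not r.secure]


# Constructed response header block for the demonstration (hypothetical domain and cookie names).
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Domain=.example.com; Path=/
Set-Cookie: prefs=lang=en; Path=/
Set-Cookie: authtoken=def456; Domain=.example.com; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for r in audit_response(SAMPLE_RESPONSE):
        status = "EXPOSED" if r.findings else "ok"
        print(f"{r.name:10} secure={str(r.secure):5} httponly={str(r.httponly):5} {status}")
        for finding in r.findings:
            print("   -", finding)
```

Turning HTTPS on by default is necessary but not sufficient: a site served only over HTTPS still leaks a session cookie that lacks Secure the moment the browser makes a plain http:// request to the same domain, so the audit checks the attribute on each cookie rather than the scheme of the page that set it.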
Google has known about these flaws for close to two years now and has released a configuration option that, should a user choose it, turns on HTTPS. The group of 38, however, dares you to try to find it in the Settings option of Gmail, for instance (hint: there are 13 settings on the General screen; HTTPS is the last one, under Browser connection). Furthermore, there are no encryption options for Docs and Calendar, and the letter intimates that users may think the Gmail protection extends to the other services. Encryption has to be on by default across the board.
"A large body of scientific research shows that users overwhelmingly retain default options; thus, unless the security issue is well known and salient to consumers, they will not take steps to protect themselves by enabling HTTPS. To deliver on Google's promises about privacy and security, the company should shift the default option to the more protective HTTPS setting," the letter says.
The letter also slams Google for not doing more to inform its users of the risks of sending their docs and cookies in the clear, and points out that the performance hit from turning on encryption is negligible. Oh, by the way, did you know that Google has turned HTTPS on by default in its Google Health, Voice, AdWords and AdSense offerings?
Four Things Google Needs to Do
The 38 security experts who co-signed a letter to Google CEO Eric Schmidt made four recommendations:
That's what makes their decision not to do so for Docs, Gmail and Calendar so baffling. Web 2.0 apps are supposed to be business enablers, but if individuals and/or businesses start losing personal or corporate information via this avenue, the value proposition of Web 2.0 starts looking pretty thin. Two articles in this issue of Information Security take a deeper dive into Web security: "Controlling Privileged Accounts" looks at the need for privileged access control, and "DNSSEC: Has the Time Come?" looks at some of the advantages and hang-ups around adding security to DNS. Check them out.
In the meantime, do the right thing, Google: turn on HTTPS by default, listen to the best minds security has to offer and follow their recommendations (see Four Things Google Needs to Do, above). They know their stuff.
Michael S. Mimoso is Editor of Information Security. Send comments on this column to firstname.lastname@example.org.
This was first published in July 2009