Gmail and SSL

Damian Menscher damian at google.com
Thu Jan 3 03:59:35 UTC 2013


On Wed, Jan 2, 2013 at 7:31 PM, <Valdis.Kletnieks at vt.edu> wrote:

> On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said:
>
> > Google is setting a higher bar here, which may be sufficient to deter
> > a lot of bots and script kiddies for the next few years, but it's not
> > enough against nation-state or serious professional level attacks.
>
> To be fair though - if I was sitting on information of sufficient value
> that I
> was a legitimate target for nation-state TLAs and similarly well funded
> criminal organizations, I'd have to think long and hard whether I wanted to
> vector my e-mails through Google. It isn't even the certificate management
> issue - it's because if I was in fact the target of such attention, my
> threat
> model had better well include "adversary attempts to use legal and
> extralegal
> means to get at my data from within Google's infrastructure".
>
> "Operation Aurora".
>

[Full disclosure: I work at Google, though the opinions stated below are
mine alone.]

Aurora compromised at least 20 other companies, failed at its assumed
objective of seeing user data, and Google was the only organization to
notice, let alone have the guts to expose the attack [0].  And you're going
to hold that against them?

If you're the target of a state-sponsored attacker, Google is by far the
best place to host your mail.  Good luck finding another provider that
enables SSL by default [1], offers 2-factor authentication [2], warns you
when you're being targeted by state-sponsored attackers [3], and actually
fights overly-broad subpoenas from governments [4].

While I'm writing, I'll also point out that the Diginotar hack which came
up in this discussion as an example of why CAs can't be trusted was
discovered due to a feature of Google's Chrome browser when a cert was
being used to spy on users in Iran [5].  Note that it also provides a good
example of the difficulty of getting away with such attacks.

[0] http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
[1]
http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html
[2] http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744
[3]
http://googleonlinesecurity.blogspot.com/2012/06/security-warnings-for-suspected-state.html
[4] http://www.google.com/transparencyreport/userdatarequests/
[5]
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

Damian



More information about the NANOG mailing list