Tuesday, November 18, 2008

Comment on "Google and Your Privacy"

This was originally a comment response to Jeff KE9V's post Google and Your Privacy, but grew a little too large for me to be comfortable just dropping into someone else's comment box like that. The post links to a video about privacy issues in Gmail, which doesn't present any solutions to the problems other than contacting Google, which comes off as more just bagging on Google while wearing tinfoil hats than being productive. Watching the video first may help the rest of this make sense.

Email is inherently insecure. Anyone between Alice and Google's servers can read the "secret" message, never mind Google, who at least Bob trusts. It's sent in plain text all the way. Anyone can write a message and represent it as coming from Alice as well; that's also an inherent flaw in SMTP.

Setting SSL as the default in Gmail is trivial. Every time I go to Gmail.com, I get redirected to https for the entirety of the session. Before that option was available, I was careful to log in to https://gmail.com instead of http://gmail.com, since that keeps the entire session in SSL. With this enabled, sniffers between the Gmail user and Google are defeated.

The fact that Google is reading my email with a profit motive is perfectly justified. I'm using Google's *free* offering of an inherently insecure protocol, of course they can read my email. There isn't anything keeping Microsoft or Yahoo from reading the emails either. Microsoft and Yahoo may not visibly do anything with it (except inserting ads into the outgoing emails, thanks Yahoo), but they have full access to your messages. If Alice didn't agree with Google's policy on reading email, she should refuse to send the email. Blindly sending a secret email in plaintext to some domain not directly controlled by Bob is not secret, but just moronic.

What Google does do is enable the overly paranoid to solve all of these issues. Setting up Thunderbird (or Outlook) with PGP encryption and generating a key is free (Enigmail + GnuPG). This lets Alice and Bob generate pairs of keys to trade and encrypt emails with. Since the email is encrypted, Google can't read it, anyone between the Gmail user and Google can't read it (although they shouldn't anyways, since the paranoid Gmail user is using SSL, right?), anyone between Google and Alice's email provider can't read it, and neither can Alice's provider. Only Alice can, because only she has the private key matching the public key Bob used (unless he used the wrong one). At the same time, the signature feature of PGP lets Alice verify that the email truly came from Bob in the first place (or whoever she thinks Bob is), and not someone else purporting to be Bob.
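To make the sign-then-encrypt properties above concrete without a mail client, here is an added example (my own toy code, not Enigmail's or GnuPG's) using only Go's standard library: Bob signs with his key and encrypts to Alice's public key, so only Alice's private key opens it and only Bob's public key verifies it. It stands in for PGP with raw RSA-OAEP plus Ed25519 and skips PGP's session-key layer, so the message size is capped; the key sizes and names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Party is Alice or Bob: an RSA key pair to receive mail and an Ed25519 key
// pair to sign it. Only the public halves are ever handed to the other side.
type Party struct {
	encPriv *rsa.PrivateKey
	sigPriv ed25519.PrivateKey
}

func NewParty() (*Party, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	_, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{encPriv: encPriv, sigPriv: sigPriv}, nil
}

func (p *Party) EncPub() *rsa.PublicKey   { return &p.encPriv.PublicKey }
func (p *Party) SigPub() ed25519.PublicKey { return p.sigPriv.Public().(ed25519.PublicKey) }

// Seal signs msg, then encrypts msg||signature to the recipient's RSA public key.
// RSA-OAEP/SHA-256 with a 2048-bit key carries at most 190 bytes (toy limit).
func (p *Party) Seal(to *rsa.PublicKey, msg []byte) ([]byte, error) {
	body := append(append([]byte{}, msg...), ed25519.Sign(p.sigPriv, msg)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, body, nil)
}

// Open decrypts with our private key, then verifies against the key we
// believe belongs to the sender (the one exchanged out of band).
func (p *Party) Open(from ed25519.PublicKey, sealed []byte) ([]byte, error) {
	body, err := rsa.DecryptOAEP(sha256.New(), nil, p.encPriv, sealed, nil)
	if err != nil {
		return nil, errors.New("not encrypted to this key, or ciphertext altered")
	}
	cut := len(body) - ed25519.SignatureSize
	if cut < 0 || !ed25519.Verify(from, body[:cut], body[cut:]) {
		return nil, errors.New("signature does not match the expected sender")
	}
	return body[:cut], nil
}
```

Anyone holding only the public keys (a mail provider, a sniffer) gets the first error; a message signed by someone other than the expected Bob, or encrypted to the wrong public key, gets the second.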

Try sending an encrypted message with Yahoo. Last time I tried, it didn't work. Yahoo is nice enough to insert ads and do other funky formatting stuff to messages for free accounts, which garbles the encryption and makes it unreadable (this may be fixed).

So all of the "secrets not really being secret" problems have been eliminated, except for the original authentication between Alice and Bob, which requires that at some point the two exchange these keys over an authenticated (though not necessarily secure) channel. The telephone would be rather authenticated, if they already knew each other rather well. If not, then meeting in person would solve the problem. If that's not possible, they can use a third person to verify both of them and then they can exchange these verified keys (see Web of Trust).

So all of the privacy issues have been solved, but at what cost? Quite simply, convenience. Bob and Alice can't (or at least shouldn't) just get on any random computer and send private messages. They have to use their own computer. But if they're using someone else's computer, the client side isn't even guaranteed to be secure, so none of the rest of it really matters anyways. Security isn't convenient. Security is the complete opposite of convenient. That's just inherent to everything.

The other issue raised, about the guarantees of security removed by Google Chrome direct links, doesn't really hold any water. There is no visual indication of SSL, but I don't believe the certificate would fail silently. Distrusting Google to keep the connection confined to SSL (which you've already set as the default) implies an inherent distrust in the Chrome browser, which transcends everything, and simply means you shouldn't be using that browser in the first place, browser bar or not.
Note: This is ignoring all the failures of SSL actually solving authentication problems due to user ignorance (i.e., accepting self-signed certificates in place of those for Google), since anyone who expects any kind of privacy online cannot do so without the education needed to be able to identify these risks in the first place.
