Top Security Minds Urge Google to Encrypt All Services

A who's-who of more than three dozen high-tech and security experts from industry and academia is urging Google to beef up the privacy and security settings of its Gmail, Google Docs and Calendar online services.

At issue is whether Google is doing enough to block hackers from hijacking a user's Webmail account or intercepting information from online documents. An increasing number of free, publicly available tools may make it simple for even novice hackers to launch such attacks.

"Google's default settings put customers at risk unnecessarily. Google's services protect customers' usernames and passwords from interception and theft," said the experts, including luminaries from AT&T, PGP Corp. and top researchers from Berkeley, Harvard, MIT, Oxford and Purdue. "However, when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google's servers in the clear, allowing anyone with the right tools to steal that information."

Google uses encryption technology to block would-be cyber snoops from eavesdropping on information transmitted between users and Google online services such as AdSense, AdWords or Google Health. Users of these services will note that from the time they submit their username and password to the moment they log out, the Web address in their browser begins with "https://", indicating a persistent, encrypted connection.

But signatories to the letter to Google chief executive Eric Schmidt note that Google employs those same protections only sporadically or not at all on services like Gmail, Google Docs and Google Calendar.

For example, while Gmail has a setting that allows users to remain in an encrypted connection with Google indefinitely, that setting is somewhat buried and is not the default.

What's more, this setting does not affect whether Google Docs or Calendar data is encrypted. In fact, the letter points out, "there is no encryption setting available for Docs or Calendar. The only way for users of these other Google services to protect themselves is to remember to type https://docs.google.com and https://www.google.com/calendar into their browser's location bar every time they employ those applications. Google does not explain this difference between applications, and users may incorrectly believe that setting the Gmail preference will protect all of their Google sessions."

Google executives have stated publicly that the company lets users decide whether to enable encryption all of the time for Gmail and other services, in part because encrypting everything can slow these services down. But Eugene H. Spafford, a professor of computer science at Purdue University and one of the letter signatories, said most Google users are not in a position to make an informed decision about that trade-off.

"What we're saying in this letter is that as an iconic service, and one that professes to be concerned about user safety, Google could set a good example and set the right defaults, and if users want to switch back to something less secure, then they can," Spafford said. "We have many things in society where users aren't well enough educated about the dangers to pick the best choice, and so we depend on professionals to select what the best defaults are. We're simply asking Google to do that."

The letter acknowledges that in offering users an option to always encrypt Gmail, Google already has gone beyond the default setting of Webmail services offered by its peers, including Microsoft Hotmail and Yahoo!. But another contributor to the letter -- Markus Jakobsson, principal scientist at the Palo Alto Research Center -- said Google could further differentiate itself from its competitors by allowing users to encrypt sessions across all Google services.

Jakobsson said Google's decision to enable encryption by default on its lesser-used services but not on its most-used service (Gmail) comes down to a decision about saving money, as enabling encryption across the board would undoubtedly place a higher computational load on Google's servers.

"A savings of money is the only reason not to turn encryption on if you already have it implemented," Jakobsson said. "This letter says that even if they don't have to, they ought to. They'd be investing in people's confidence by doing that."

In a post to its Online Security blog today, Google said it is currently looking into whether it would make sense to turn on HTTPS as a default for all Gmail users. From that blog post, by Alma Whitten, software engineer for Google's security and privacy teams:

We know HTTPS is a good experience for many power users who've already turned it on as their default setting. And in this case, the additional cost of offering HTTPS isn't holding us back. But we want to more completely understand the impact on people's experience, analyze the data, and make sure there are no negative effects. Ideally we'd like this to be on by default for all connections, and we're investigating the trade-offs, since there are some downsides to HTTPS -- in some cases it makes certain actions slower. We're planning a trial in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their email. Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS? Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users. We're also considering how to make this work best for other apps including Google Docs and Google Calendar (we offer free HTTPS for those apps as well).



A copy of the letter sent to Google is available here (PDF).