Google considers always-on SSL encryption for all of its services
Google is thinking about setting SSL encryption by default for all of its services. This has been prompted by a six-page letter to Google CEO Eric Schmidt from a group of respected researchers and security specialists that includes Eugene H. Spafford, Bruce Schneier, Jeff Moss, Jacob Appelbaum, Steven M. Bellovin, William R. Cheswick and Ronald L. Rivest.
According to the group, Google is exposing its users to a needless risk of snooping attacks because it doesn't encrypt communications for services like Google Apps by default. When, for example, public Wi-Fi networks are used, the lack of encryption can allow attackers to read users' documents and emails.
The letter says that although password and user name encryption is usually enabled by default, Google Apps and Google Docs services are not set by default to encrypt transmitted documents and tables. In addition, the specialists said, these services don't offer the option to set up default encryption, which is possible in Google Mail. They go on to say that even in Google Mail users must manually enable the feature. According to their letter, Google does not give a conclusive explanation for the inconsistent way it offers SSL.
Particularly in view of the increasing amount of sensitive content on Google Docs, the specialists urge Google to provide more security for this service. So far, the only workaround for users is to manually change URLs like http://docs.google.com to https://docs.google.com after logging in.
Google now plans an always-on encryption trial for Google Mail with a small group of selected users. Google's security blog says that unless performance is affected negatively by the additional computing required for encryption, Google intends to turn on HTTPS by default for all Gmail users and is also considering how to make this work best for the Google Docs services.