Security Pie

The ramblings of three security curmudgeons

Google: Do What You Say

First, let me start by stating that this is NOT a security issue with Google, even though it might be presented this way.

Unless you were hiding in a cave for the past few hours, you know that Google is taking some serious steps to protect its customers (you, me, all of us) after it was attacked one more time (see “Google on the defensive, vulnerable; China risks international and U.S. response”). Among other things, “Google Finally Improves Security of Gmail Connections as Consumer Watchdog Urged”, which is great:

Consumer Watchdog said Google should use encryption for connections to all its Internet-based services, not just Gmail. The new security measures would not have prevented the sort of cyber attack that targeted Google from China. It does increase security to prevent third parties from snooping as information moves from a computer over a network to Google’s servers. Google has offered SSL encryption using the https protocol as an option since 2008

But if you look at the screenshot, you can see that NOT all the traffic is encrypted… While this might be OK for static pages, who knows what other pages are not protected with SSL? Why can’t you turn it on for the entire site? It will add more credibility and assurance…

HTTPS by default - not so sure

Written by sharon

January 13th, 2010 at 11:51 pm

Posted in Data protection, Snafu

5 Responses to 'Google: Do What You Say'

  1. Google does what’s right for privacy and for performance by encrypting the application and not the help pages. Most users don’t care, those who do can use NoScript and its Force HTTPS option.

    http://noscript.net/faq#qa6_3

    Sylvain

    14 Jan 10 at 5:31 am

  2. Hi Sharon

    1. Nobody. Absolutely nobody. No not a single soul, not Google in their official announcement, not the article you linked and nobody else I’ve read (and I read quite a few of those). Nobody claimed Google will encrypt all of their services or even all of the pages in the gmail.com domain. They only claimed to encrypt the gmail service.

    That is what they say and that is what they did. The only comment contradicting that is the vague sentence from Newswire saying “Consumer Watchdog said Google should use encryption for connections to all its Internet-based services, not just Gmail”. I don’t understand the title of your post, because outside of the wishful thinking of Consumer Watchdog, Google have done precisely what they have said they will.

    If you want to say that they SHOULD have invested more of their money to make the public help pages go over SSL for some reason, then please state that clearly; saying they promised to do something and didn’t is a case of failing at reading comprehension.

    2. Browsers usually don’t display TIFF files, I suggest PNG instead.

    – Arik

    Arik

    14 Jan 10 at 8:08 am

  3. [...] This post was mentioned on Twitter by Sharon Besser, Security Pie. Security Pie said: SecurityPie Blog Post: Do What You Say http://securitypie.com/do-what-you-say/ [...]

  4. Hi Arik,

    Thanks for the detailed answer, I hope to see you in person soon and explain in depth why it is important to act in a smart way, not just ‘right’ (sounds better in Hebrew…)

    sharon

    20 Jan 10 at 1:15 am

  5. @Sylvain
    In my opinion it’s not just the issue of selectively not encrypting specific pages. I believe that a company like Google should act differently and send a clear message stating that it encrypts all pages for this sensitive service (even if it carries no data). In addition I believe that it will prevent future issues: when you apply selective rules and start to exclude pages, you will miss something. If it will not happen today, it might happen tomorrow.

    sharon

    20 Jan 10 at 1:22 am
