Comments on: Google: Do What You Say http://securitypie.com/do-what-you-say/ The ramblings of three security curmudgeons Mon, 05 Jul 2010 02:16:52 +0000 hourly 1 http://wordpress.org/?v=3.0 By: sharon http://securitypie.com/do-what-you-say/comment-page-1/#comment-660 sharon Wed, 20 Jan 2010 09:22:42 +0000 http://securitypie.com/?p=711#comment-660 @Sylvain In my opinion it's not just the issue of selectively not encrypting specific pages. I believe that a company like Google should act differently and send a clear message stating that it encrypts all pages for this sensitive service (even if it carry no data). In addition I believe that it will prevent future issues: when you apply selective rules and start to exclude pages, you will miss something. If it will not happen today, it might happen tomorrow. @Sylvain
In my opinion it’s not just the issue of selectively not encrypting specific pages. I believe that a company like Google should act differently and send a clear message stating that it encrypts all pages for this sensitive service (even if it carry no data). In addition I believe that it will prevent future issues: when you apply selective rules and start to exclude pages, you will miss something. If it will not happen today, it might happen tomorrow.

]]> By: sharon http://securitypie.com/do-what-you-say/comment-page-1/#comment-659 sharon Wed, 20 Jan 2010 09:15:03 +0000 http://securitypie.com/?p=711#comment-659 Hi Arik, Thanks for the detailed answer, I hope to see you in person soon and explain in depth why it is important to act in a smart way, not just 'right' (sounds better in Hebrew...) Hi Arik,

Thanks for the detailed answer, I hope to see you in person soon and explain in depth why it is important to act in a smart way, not just ‘right’ (sounds better in Hebrew…)

]]> By: Tweets that mention Google: Do What You Say at Security Pie -- Topsy.com http://securitypie.com/do-what-you-say/comment-page-1/#comment-615 Tweets that mention Google: Do What You Say at Security Pie -- Topsy.com Thu, 14 Jan 2010 17:18:36 +0000 http://securitypie.com/?p=711#comment-615 [...] This post was mentioned on Twitter by Sharon Besser, Security Pie. Security Pie said: SecurityPie Blog Post: Do What You Say http://securitypie.com/do-what-you-say/ [...] [...] This post was mentioned on Twitter by Sharon Besser, Security Pie. Security Pie said: SecurityPie Blog Post: Do What You Say http://securitypie.com/do-what-you-say/ [...]

]]> By: Arik http://securitypie.com/do-what-you-say/comment-page-1/#comment-614 Arik Thu, 14 Jan 2010 16:08:46 +0000 http://securitypie.com/?p=711#comment-614 Hi Sharon 1. Nobody. Absolutely nobody. No not a single soul, not Google in their <a href="http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html" rel="nofollow">official announcement</a>, not the article you linked and nobody else I've read (and I read quite a few of those). Nobody claimed Google will encrypt all of their services or even all of the pages in the gmail.com domain. They only claimed to encrypt the gmail service. That is what they say and that is what they did. The only comment contradicting that is the vague sentence from Newswire saying "Consumer Watchdog said Google should use encryption for connections to all its Internet-based services, not just Gmail". I don't understand the title of your post, because outside of the wishful thinking of Consumer Watchdog, Google have done precisely what they have said they will. If you want to say that they SHOULD have invested more of their money to make the public help pages go over SSL for some reason, then please state that clearly; saying they promised to do something and didn't is a case of failing at reading comprehension. 2. Browsers usually don't display TIFF files, I suggest PNG instead. -- Arik Hi Sharon

1. Nobody. Absolutely nobody. No not a single soul, not Google in their official announcement, not the article you linked and nobody else I’ve read (and I read quite a few of those). Nobody claimed Google will encrypt all of their services or even all of the pages in the gmail.com domain. They only claimed to encrypt the gmail service.

That is what they say and that is what they did. The only comment contradicting that is the vague sentence from Newswire saying “Consumer Watchdog said Google should use encryption for connections to all its Internet-based services, not just Gmail”. I don’t understand the title of your post, because outside of the wishful thinking of Consumer Watchdog, Google have done precisely what they have said they will.

If you want to say that they SHOULD have invested more of their money to make the public help pages go over SSL for some reason, then please state that clearly; saying they promised to do something and didn’t is a case of failing at reading comprehension.

2. Browsers usually don’t display TIFF files, I suggest PNG instead.

– Arik

]]> By: Sylvain http://securitypie.com/do-what-you-say/comment-page-1/#comment-611 Sylvain Thu, 14 Jan 2010 13:31:37 +0000 http://securitypie.com/?p=711#comment-611 Google does what's right for privacy and for performance by encrypting the application and not the help pages. Most users don't care, those who do can use NoScript and its Force HTTPS option. http://noscript.net/faq#qa6_3 Google does what’s right for privacy and for performance by encrypting the application and not the help pages. Most users don’t care, those who do can use NoScript and its Force HTTPS option.

http://noscript.net/faq#qa6_3

]]>