Google switches Gmail to HTTPS only

library
crime | hacking | security

The miasma of an ever-widening NSA/GCHQ/FBI/et al surveillance state has caused indignant companies such as Microsoft and Google to pledge end-to-end data encryption.

On Thursday, Google made good on the pledge, announcing that it is now, in fact, using an always-on HTTPS connection and encrypting all Gmail messages moving internally on its servers.

Google has supported HTTPS since it was launched, it pointed out.

The company made HTTPS the default with its Gmail service back in 2010 and then, later, did the same with many web queries using its own search engine.

Now, says Gmail Security Engineering Lead Nicolas Lidzborski, it’s all encrypted between us and Gmail’s servers, whether we’re surfing oh-so-scary public WiFi or logging in from our gizmos, be they computer, phone or tablet.

Not only that, but once they get into Google’s digestive system, Gmail messages will be encrypted internally, too, he says:

Every single email message you send or receive – 100 percent of them – is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centers – something we made a top priority after last summer’s revelations.

Google’s protection has hitherto stopped when data got to the company’s data centers: those treasure troves of information such as our web searches, emails, and browsing histories, for example.

The changes announced Thursday will make it tougher for snoops – be they the NSA or hackers – to pry open Gmail sessions.

But as the Washington Post points out, Google’s new encryption only protects email if both the sending and receiving email providers are using it.

It doesn’t cover data traveling between services – from one email provider to another, for instance.

The Post points to this LifeHacker tutorial on how to use encryption on email.

Of course, bear in mind that, encryption or no encryption, Google, like any email service provider, is compelled to hand over data whenever the government (legally) tells it to jump.