On the confusingly named Google Blog – the one not run by Google – Aaron Swartz opines that gmail’s security isn’t strong enough:

…[Gmail] should use public-key encryption. (This part will be a bit technical.) When you create a Gmail account, your computer creates a keypair. The public key is sent to Google. The private key is encrypted with a password you choose, and the encrypted version is sent to Google. (Important: Google never gets your password.) When an email is received for your account, the server encrypts it with your public key before saving it. When you log in to read it, you download your encrypted key, decrypt it with your password, and then your computer decrypts your mail with the resulting key as it’s downloaded. (Already, all your mail goes through Gmail’s JavaScript client to get processed and turned into HTML, so this won’t be too hard to add on the client-side.) In this way, your mail is never stored in a way Google has access to.

This is a really bad idea. SSL – which gmail provides – is a no-brainer, but this is a bad idea.

Really, you’re saying “You will need your private key on your computer in order to read mail,” (since you can’t public-key authenticate without your private key) which is a shorter way of saying “you’ll need to carry your private key around with you, either on a disk or a smartcard or some similar device,” which is a shorter way of saying “since no one wants to do this, really, I want an implementation of gmail that makes it a pain in the ass to access my account from more than one computer” which is a longer way of saying “I want a version of gmail that no one will want to use.”

Second, the whole point of gmail is that Google has access to your mail. I say this not as an ominous “I hate Google” statement – I actually have a gmail account – but as a statement of fact. Apart from Google’s desire to sell you ads, one of the things that makes gmail useful is that you get to have Google index your mail to make things easily searchable. If what you’re storing on gmail is encrypted, it’s not searchable anymore. So encrypting the mail on Google would destroy another aspect of the product.
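The quoted scheme and the searchability cost described in the paragraph above, as an added example that is not code from the original post or from Gmail. The function names, the hybrid RSA-OAEP plus AES-256-GCM construction and the sample message are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Signup (client side): create the keypair and wrap the private key with the
// user's password, so the server only ever stores the encrypted key.
function signup(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem",
                          cipher: "aes-256-cbc", passphrase: password },
  });
  return { publicKey, wrappedPrivateKey: privateKey }; // both go to the server
}

// Delivery (server side): encrypt incoming mail to the public key before saving.
// RSA cannot encrypt a whole message, so a fresh AES key is wrapped instead.
function storeMail(account, plaintext) {
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv, body, tag: c.getAuthTag(),
           wrappedKey: crypto.publicEncrypt(account.publicKey, key) };
}

// Reading (client side): unwrap the private key with the password, then the mail.
function readMail(account, password, m) {
  const priv = crypto.createPrivateKey(
    { key: account.wrappedPrivateKey, passphrase: password });
  const key = crypto.privateDecrypt(priv, m.wrappedKey);
  const d = crypto.createDecipheriv("aes-256-gcm", key, m.iv);
  d.setAuthTag(m.tag); // tampered ciphertext makes final() throw
  return Buffer.concat([d.update(m.body), d.final()]).toString("utf8");
}

// Server-side search can only look at what is stored, which is ciphertext.
function serverSearch(mailbox, term) {
  return mailbox.filter((m) => m.body.includes(Buffer.from(term, "utf8"))).length;
}

// Constructed sample data, not taken from the post.
function demo() {
  const account = signup("correct horse battery staple");
  const stored = storeMail(account, "Your invoice for March is attached.");
  return { serverHits: serverSearch([stored], "invoice"),
           clientView: readMail(account, "correct horse battery staple", stored) };
}
console.log(demo());
```

The stored mailbox yields zero server-side hits for a word that is in the message, while the password holder recovers the full text.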

Thirdly, I think you’re missing the bigger issue, which is that even if we did everything you suggested – PKI, SSL, super-hyper-secret encryption from the NSA – random people on the internet would still be able to read your mail, because eventually it would have to be transferred to or from the recipient on the other end, which would be going over SMTP in the clear. Of course, you can talk about using public key encryption end-to-end, a la PGP, but basically the market has spoken: normal people hate the public key encryption alternatives they’ve been given, because they make email effectively unusable.

So in summary, I think Google did exactly the right thing by punting on this problem for now. In today’s internet, email between two untrusted parties who aren’t both willing to use the same pain in the ass public key software ain’t secure. That’s the reality.

The real solution, in my opinion, is for PKI to be deployed in the core (pretend for a moment that (a) there is such a thing as “the core” and (b) that changing SMTP to support PKI and then getting it deployed there was actually reasonably possible, which it isn’t) and then for mail clients (web mail, IMAP, or others) to use SSL to access their mail stores. This would reduce the window of vulnerability from “anyone with access to a machine on any network my packets go through” to “untrustworthy administrators and/or compromised machines that my mail is actually stored on.” That’s a pretty significant reduction in threat. Since I now work on filesystems and don’t go to IETF anymore, for all I know there’s a working group on this topic that has already decided that my strawman idea is unworkable and stupid. I’ll look into this and try to circle back to the topic soon.
