On the confusingly named Google Blog — the one not run by Google — Aaron Schwartz opines that gmail’s security isn’t strong enough:
…[Gmail] should use public-key encryption. (This part will be a
bit technical.) When you create a Gmail account, your computer creates
a keypair. The public key is sent to Google. The private key is
encrypted with a password you choose, and the encrypted version is sent
to Google. (Important: Google never gets your password.) When an email
is received for your account, the server encrypts it with your public
key before saving it. When you log into read it, you download your
encrypted key, decrypt it with your password, and then your computer
decrypts your mail with the resulting key as it’s downloaded. (Already,
all your mail goes through Gmail’s JavaScript client to get processed
and turned into HTML, so this won’t be too hard to add on the
client-side.) In this way, your mail is never stored in a way Google
has access to.
This is a really bad idea. SSL — which gmail provides — is a no-brainer, but this is a bad idea.
Really, you’re saying “You will need your private key on your computer
in order to read mail,” (since you can’t public-key authenticate
without your private key) which is a shorter way of saying “you’ll need
to carry your private key around with you, either on a disk or a
smartcard or some similar device,” which is a shorter way of saying
“since no one wants to do this, really, I want an implementation of
gmail that makes it a pain in the ass to access my account from more
than one computer” which is a longer way of saying “I want a version of
gmail that no one will want to use.”
Second, the whole point of gmail is that Google has access to your
mail. I say this not as an ominous “I hate Google” statement — I
actually have a gmail account — but as a statement of fact. Apart
from Google’s desire to sell you ads, one of the things that makes
gmail useful is that you get to have Google index your mail to make
things easily searchable. If what you’re storing on gmail is
encrypted, it’s not searchable anymore. So encrypting the mail on
Google would destroy another aspect of the product.
Thirdly, I think you’re missing the bigger issue, which is that even if
we did everything you suggested — PKI, SSL, super-hyper-secret
encryption from the NSA — random people on the internet would still be
able to read your mail, because eventually it would have to be
transferred to or from the recipient on the other end, which would be
going over SMTP in the clear. Of course, you can talk about using
public key encryption end-to-end, a la PGP, but basically the market
has spoken: normal people hate the public key encryption alternatives
they’ve been given, because they make email effectively unusable.
So in summary, I think Google did exactly the right thing by punting on
this problem for now. In today’s internet, email between two untrusted
parties who aren’t both willing to use the same pain in the ass public
key software ain’t secure. That’s the reality.
The real solution, in my opinion, is for PKI to be deployed in the core (pretend for a
moment that (a) there is a such a thing as “the core” and (b) that
changing SMTP to support PKI and then getting it deployed there was
actually reasonably possible, which it isn’t) and then for mail clients
(web mail, IMAP, or others) to use SSL to access their mail stores.
This would reduce the window of vulnerability from “anyone with access
to a machine on any network my packets go through” to “untrustworthy
administrators and/or compromised machines that my mail is actually
stored on.” That’s a pretty significant reduction in threat. Since I now work on filesystems and don’t go to IETF anymore, for all I know there’s a working group on this topic that has already decided that my strawman idea is unworkable and stupid. I’ll look into this and try to circle back to the topic soon.
Additional Resources
- Aaron’s original article
- There’s an official Google weblog, also
In my opinion, you underestimate the power of end-to-end public key encryption. It is true that most people hate using PGP and would rather choose to leave their emails in the clear than try learning it. But that is a ëinterfaceà problem and not a public key encryption problem. In other words, people would readily try using end-to-end encryption if only it were made easier.
Take for example Keygloo. While this is a new product and yet to gain popularity, it is in general used by normal people to encrypt emails be it from email clients or web mails like Gmail, Yahoo, Hotmail and others. Keygloo simply associates the public key with a 10 digit number called the ëKeygloo Numberà which is all that is needed to exchange keys. Thus the key exchange can happen by word of mouth, business cards, or simply a phone call. The emails get encrypted end-to-end in the truest sense since the email is encrypted from the moment it is composed through the rest of its lifetime( both in transmission and storage).
This model offers more flexibility in the sense that once the product is installed and a key pair generated (or a Keygloo number obtained), the same number can be used for encryption in multiple mail systems. This reduces the complexity involved in PKI deployed in the core and also brings to zero any intrusion arising from untrustworthy administrators.
Well, peterb, I think you didn’t really understand what Aaron Schwartz was saying…
He said that you would ONLY need your password (just like you need it now), and you would DOWNLOAD you private key from GMail (or rather the encrypted version of you private key, and the client would decrypt it using your password as a key), so you wouldn’t need anything else with you.
I agree with you in the second part (the part about advertising and searching), however, I consider Aaron’s idea great in case of non-public webmail.
Tom