Google and the email encryption
Google is aware of the importance of security in communications for Google as an organization, for its users.
Therefore, since Google and through your email services provider, Gmail, has begun to bet on the encryption of e-mails as a synonym for trust and security.
In addition, Google plans to increase privacy and security options for its Chrome browser, which encrypts data from the browser to the recipient’s email messages.
And on this, REALSEC, through Sebastian Munoz, CEO of REALSEC USA subsidiary, has participated, through its opinions, in different publications of the sector in the USA.
Here we leave the summary of his statements:
As the post literally mentions: “Google on Tuesday touted its use of encryption on email messages, which turns the messages into garble that can only be read with a key.”
This last highlighted word “key” is the key to the whole encryption system and to my statement. Where are those keys that will grant access to the content of the encrypted emails stored? How can Google guarantee that nobody will have access to those keys and therefore, to the encrypted content?
From the perspective of Google, the keys should be safely stored on certified HSMs. From the end user’s point of view, a certified token or smart card should be used to store the private keys of each person.
The protocol being used, TLS or Transport Layer Security, which is an evolution of previous SSL or Secure Sockets Layers, use standard X.509 certificates to authenticate the counterparty with whom they are communicating. This is a good system, but not 100% reliable. While X.509 are better than other verification systems, still can be subject to Man in the Middle attacks.
However, the use of TLS is becoming widely adopted and it would be desirable that other email providers would include such support as well, so that the whole system could be more effective.
You can read the articles published in USA’s media, which includes these statements:
– Google transparency report outs providers lacking email encryption (SC Magazine) http://goo.gl/4oGaZ1
– Google Adds Chrome Encryption Option For Webmail (InformationWeek/Dark Reading) http://goo.gl/CcMDtU
– Google Plots End-to-End Messaging Encryption (Infosecurity Magazine) http://goo.gl/acVTm8