February 04, 2007

Secure Googling...? (1)

These are a few security-related tidbits about Google and its services. They caught my attention over the last few weeks and months, and I did a little research on each of them:

1. Google Services and Encryption

Gmail is very attractive to end users because of its large storage capacity and its user-friendly interface (once you get used to it :) ). As most of you probably know, Google lets the user select the level of security they require. When you access Gmail, regardless of the protocol you use (http or https), the authentication process is encrypted with SSL/TLS, so your credentials (username and password) are protected. However, if you use http, that is, you access http://mail.google.com, then once you have been authenticated your whole mail session is unencrypted: the subjects of the mails in your inbox (and in your other "labels"), as well as every mail you send and read, travel in cleartext. The same goes for the session cookie that identifies you after login: over http it is sent in the clear with every request, so anyone who captures it can reuse your session without ever seeing your password. When using https, https://mail.google.com, the whole session is encrypted.

The chat service (Google Talk) follows the Gmail rules. If you pointed your web browser at the https version of Gmail, your chat session from your computer to the Google servers uses TLS/SSL; the leg from the Google servers to the other end follows whatever security level the other user selected (http or https). In other words, your chat is only as protected as the weaker of the two ends.

However, even when you are connected through https, some services, such as the Calendar, are not reached over a secure URL. If you click on the "Calendar" link (see picture above), you land on the http version of the calendar, so your event information and settings (which could contain sensitive information - see item 2) travel in the clear. Perhaps Google thinks that the information about your meetings and reminders is less sensitive than the data in your e-mails ;) . To force the https version of the Calendar, you need to manually enter the https://www.google.com/calendar/ URL in your web browser.

If you are interested in running a sniffer to check the details above, don't be confused by the fact that Google compresses responses by default, as negotiated through the "Accept-Encoding: gzip,deflate" request header: the cleartext HTTP bodies show up as binary gzip data in the capture, so you have to decompress them before the mail content becomes readable (for example with "Follow TCP Stream" in Wireshark after enabling the HTTP preference to uncompress entity bodies). Compressed is not the same as encrypted.
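As an added example (my own code, not anything from Google or from this post originally), here is a small Python helper for the sniffing exercise above: it takes one captured HTTP response, parses the headers, undoes the gzip or deflate Content-Encoding so the mail content becomes readable again, and lists the cookies that were set without the Secure attribute, which an http session sends in the clear on every request. The response bytes are a constructed sample, not a real Google reply, and the cookie names in it are made up.

```python
import gzip
import zlib

# Constructed sample (not a real Google response): what a cleartext Gmail-style
# HTTP response looks like on the wire when the server honours the browser's
# "Accept-Encoding: gzip,deflate". The body is gzip-compressed, so a raw packet
# dump shows binary, not the subject line, even though nothing is encrypted.
SAMPLE_BODY = b'<div class="subject">Q1 budget meeting, room 4B, 10am</div>'
SAMPLE_GZIP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Set-Cookie: GX=constructed-session-token; Path=/mail; HttpOnly\r\n"
    b"Set-Cookie: S=constructed-other-token; Domain=.google.com; Secure\r\n"
    b"\r\n"
) + gzip.compress(SAMPLE_BODY)

# Same body with the other encoding the Accept-Encoding header advertises.
SAMPLE_DEFLATE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Encoding: deflate\r\n"
    b"\r\n"
) + zlib.compress(SAMPLE_BODY)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).
    Headers are kept as a list because Set-Cookie may legitimately repeat."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def decode_body(headers, body):
    """Undo Content-Encoding so the captured body is readable again."""
    encoding = "identity"
    for name, value in headers:
        if name == "content-encoding":
            encoding = value.lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        try:
            return zlib.decompress(body)                    # zlib-wrapped, as RFC 2616 specifies
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)   # raw deflate, as some servers send
    return body


def cookies_without_secure(headers):
    """Names of cookies set without the Secure attribute. Over an http session the
    browser sends these in the clear on every request, so a sniffer that sees
    them can replay the session without knowing the password."""
    names = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        if not any(p.lower() == "secure" for p in parts[1:]):
            names.append(cookie_name)
    return names


if __name__ == "__main__":
    for raw in (SAMPLE_GZIP_RESPONSE, SAMPLE_DEFLATE_RESPONSE):
        status, headers, body = parse_response(raw)
        print(status)
        print("on the wire  :", body[:24], "...")
        print("decompressed :", decode_body(headers, body).decode())
        print("cookies exposed over http:", cookies_without_secure(headers))
```

Run it as a script and it prints the opaque compressed bytes next to the decompressed subject line. With a real capture, feed it the bytes of one response taken from the TCP stream; a response with chunked Transfer-Encoding would first need to be de-chunked, which this helper deliberately does not do.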

2. Google Calendar (bridging virtual and real world)

By the way, did you know that you can enable Google Calendar SMS notifications for free (as in free beer)? You register your cell number in your Google Calendar account under "Settings -> Notifications", and when a meeting is about to take place you receive an SMS message with the details. To stop someone from entering your cell number in their own Google account and DoSing (SMS flooding) your mobile, Google implements a verified registration process: when a new cell number is registered, you get a verification code on your cell (via SMS) that must be entered in your Google account to validate and activate the SMS service.

Once more, the weakest link in this process is the human factor. I've seen several offices where people enjoy talking on their cell in the most uncomfortable places, such as the restrooms ;) . Even if you don't practice restroom phoning ;), what if you leave your cell unattended for a few seconds, or fall for a social engineering trick and hand it to someone for a moment? That person could validate your cell number against their own Google account!! Call me paranoid, but this could be done as a joke or with malicious intent. I'm afraid that at this point the only option would be to put your personal incident response procedures in place and work with Google to identify the account where your mobile was registered and have your cell number removed from it.
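To make the registration logic concrete, here is an added Python model of a verify-before-notify flow like the one described in this section. It is my own illustration, not Google's implementation, and the code length, expiry, attempt cap and per-number send cap are all assumed values. Beyond the basic check (the code sent to the phone must be typed into the account), it adds the protections I would want to see: codes expire and are single use, wrong guesses are limited, and one number can only receive so many codes per hour, which is the part that actually blunts SMS flooding. The run_scenario() function also plays out the borrowed-phone case above and the clean-up the victim needs, with the SMS gateway replaced by an in-memory outbox.

```python
import hmac
import secrets
import time

# Parameters are assumptions for this model, not Google's real values.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60      # a code expires after 10 minutes
MAX_ATTEMPTS = 5                # wrong guesses allowed before the code is voided
MAX_SENDS_PER_NUMBER = 3        # codes one number may receive per window
SEND_WINDOW_SECONDS = 60 * 60


class SmsRegistration:
    """Verify-before-notify registration of a phone number to an account.
    Messages go to .outbox instead of a real SMS gateway (constructed stand-in)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.pending = {}       # account -> {number, code, expires, attempts}
        self.verified = {}      # account -> number
        self.send_log = {}      # number -> timestamps of codes sent to it
        self.outbox = []        # (number, text)

    def request_code(self, account, number):
        """Start registering number for account. Refused when the per-number
        send cap is hit, which blunts SMS flooding of a victim's phone."""
        t = self.now()
        recent = [s for s in self.send_log.get(number, []) if t - s < SEND_WINDOW_SECONDS]
        if len(recent) >= MAX_SENDS_PER_NUMBER:
            return False
        self.send_log[number] = recent + [t]
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[account] = {"number": number, "code": code,
                                 "expires": t + CODE_TTL_SECONDS, "attempts": 0}
        self.outbox.append((number, "Your verification code is " + code))
        return True

    def verify(self, account, submitted):
        """Activate the number only if the code sent to that phone is entered
        before expiry and within the attempt budget; each code is single use."""
        p = self.pending.get(account)
        if p is None:
            return False
        if self.now() > p["expires"] or p["attempts"] >= MAX_ATTEMPTS:
            del self.pending[account]
            return False
        p["attempts"] += 1
        if not hmac.compare_digest(p["code"], submitted):
            return False
        del self.pending[account]
        self.verified[account] = p["number"]
        return True

    def accounts_using(self, number):
        """Incident-response lookup: which accounts have this number verified."""
        return sorted(a for a, n in self.verified.items() if n == number)

    def remove_number(self, number):
        for account in self.accounts_using(number):   # detach it wherever it was registered
            del self.verified[account]


def last_code(reg, number):
    """The code the phone received last (stands in for reading the SMS)."""
    return [t for n, t in reg.outbox if n == number][-1].rsplit(" ", 1)[1]


def run_scenario():
    """Walk the normal flow and four abuse cases; returns each check by name."""
    clock = [1_000_000.0]
    reg = SmsRegistration(now=lambda: clock[0])
    r = {}
    # Normal path: alice registers her phone with the right code, once.
    reg.request_code("alice", "+15550001")
    code = last_code(reg, "+15550001")
    wrong = str((int(code) + 1) % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)
    r["wrong_code_rejected"] = not reg.verify("alice", wrong)
    r["right_code_accepted"] = reg.verify("alice", code)
    r["code_single_use"] = not reg.verify("alice", code)
    # Mallory borrows alice's unattended phone: the flow cannot tell the difference,
    # but the lookup lets the victim find the hijacking account and detach the number.
    reg.request_code("mallory", "+15550001")
    reg.verify("mallory", last_code(reg, "+15550001"))
    r["victim_can_find_hijacker"] = reg.accounts_using("+15550001") == ["alice", "mallory"]
    reg.remove_number("+15550001")
    r["removal_clears_all"] = reg.accounts_using("+15550001") == []
    # SMS flooding: the per-number cap refuses further codes within the window.
    reg.request_code("eve", "+15550001")
    r["flood_capped"] = not reg.request_code("eve", "+15550001")
    # Expired code: bob waits longer than the TTL.
    reg.request_code("bob", "+15550002")
    clock[0] += CODE_TTL_SECONDS + 1
    r["expired_code_rejected"] = not reg.verify("bob", last_code(reg, "+15550002"))
    # Brute force: carol's code is voided after too many wrong guesses.
    reg.request_code("carol", "+15550003")
    for _ in range(MAX_ATTEMPTS):
        reg.verify("carol", "000000")
    r["bruteforce_locked_out"] = not reg.verify("carol", last_code(reg, "+15550003"))
    return r


if __name__ == "__main__":
    print(run_scenario())
```

Note what the model cannot do: when Mallory has the phone in hand, the verification code reaches the "right" device and the check passes, exactly as the post says. The only controls left are the per-number cap (so the phone at least cannot be flooded) and the accounts_using/remove_number lookup, which is the service-side half of the incident response described above.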


3 Comments:

Blogger Raul Siles said...

It is interesting to see how Google has encrypted the Calendar by default when you're inside an HTTPS Gmail session. Just a couple of weeks after our post! ;)

What a coincidence!;)

11:47 AM  
Blogger Jesus said...

Just a comment on using the https interface.
If you use https and have the Internet Explorer advanced option checked that makes it not save encrypted pages to the cache, Gmail thinks your cache is full!!!!!!
And gives you a warning... "The browser cache may be full and interfering with operation.." (translated from the Spanish copy-paste)...
Maybe someone from google reads this too.... ;-D
Regards
Jesús

10:37 AM  
Blogger Raul Siles said...

Unfortunately, the Calendar is again unencrypted, even when it's launched from an HTTPS Gmail session :(

2:09 PM  
