Why You Should Encrypt *All* of Your Google Activities [POC]

By Daniel Miessler on August 9th, 2007: Tagged as Encryption | Google | Privacy | Security

google

Everyone loves Google. They want to be everything to everyone, and they’re getting pretty damn good at it. Once you start using their services it gets easier and easier to migrate more of your life to them. But there’s a slight problem.

Google, like most other similar services, encrypts login traffic but not your content. So the moment you’re signed in they switch to plain-text communications and send everything to you in the open.

This means your mail, the news sources you read, your calendar events — are all able to be read by someone with access to any part of the network between you and Google. This could be your employer at work, the wireless network at your local coffee shop, whatever. This isn’t good.

Here’s an email I just sent myself over the default (unencrypted) connection:

googleemail
And here’s what I captured via tcpdump.

googlesubject
thisisasecret
That’s the whole email there for anyone to see. Luckily it’s easy to fix…

  1. Use Bookmarks for Your Google Services Create bookmarks (or modify them if you already have them) for Gmail, Google Calendar, Google Reader, and iGoogle (your Google homepage) using https instead of http, like so: https://mail.google.com/mail/. Do this for every service that you use at Google.
  2. Don’t Click on Links Within Google to Take You to Your Services If you use their links Google will often take you to the unencrypted version because it’s easier on their servers. Use your links instead to ensure that your sessions are encrypted

The more we depend on Google (or any other monolithic service) the more we need to safeguard the information they have of ours. One way we can help is by demanding (via secure bookmarks and other methods) that they send us our mail, news feeds, calendars, and other information over a secure connection.:

[ Note: This is not a Google-specific problem. Most other services work in exactly the same way. The difference is that Google is so prolific and is becoming very successfully at getting people to use not only their email service but also their calendaring, news reader, instant messaging, their search (with history), etc. It's the all-in-one dynamic that makes it especially important to protect Google traffic. ]

  • Digg
  • Reddit
  • HackerNews
  • StumbleUpon
  • DZone
  • Google Bookmarks
  • Twitter
  • Facebook
  • del.icio.us
  • FriendFeed
  • Posterous
  • RSS
  • email
  

Comments

  • Uh-oh
    Kenny the IT guy knows my secrets...
  • Tim
    When I log in to https://mail.google.com/mail, the links at the top to other Google services are https links. So Step 2 *might* not be necessary.
  • Tim
    Okay, the Calendar and Docs links are https, the others are http. Maybe they're working oni t.
  • me
    You should take a look at Customize Google Firefox Add-On. It allows you to force the use of https for all google services.
  • Also handy for google privacy is g-zapper
    http://www.dummysoftware.com/gzapper.html
  • Allah
    don't forget the GmailSecure userscript for GreaseMonkey that forces https connections on mail.
  • Kint
    Please, if you are using Firefox, install the Greasemonkey extension and then use the script below. Everytime you access the http://mail.google.com/* url, you'll automagically get redirected to the https:// version.

    http://userscripts.org/scripts/show/1404
  • Scott
    "Everyone loves Google."

    No, I don't. Anyone who's ever been in any sort of serious litigation will tell you that Google's potentially a terrible trap. Who needs their past coming back to haunt them in that way?
  • rabidsnail
    In the case of gmail, if you go to https://gmail.com instead of http://gmail.com, it does encrypt everything.
  • It's also useful to use Firefox extensions "CustomizeGoogle," "Better gCal," "Better gReader," and "Better GMail," all of which you can use to force secure connections, even when clicking within google. It's what I do. Also, with the NoScript extension, forbid scripts from googleadservices.com, adwords.google.com, google-analytics.com and googlesyndication.com.
  • All online services are potentially a trap. From simple e-mail to new online applications, only a fool would believe that he has an expectation of privacy. Privacy disclaimers mean nothing when a law can be changed to gain access to any data, encrypted or not.

    Using anything online is like shouting "Fire" at a friend while you're both alone in a bathroom in a theater. Even if you don't expect anyone else to hear, it is possible someone will. Same thing with emaiail or online apps...someone may just be listening.

    Never do anything online anywhere, encrypted or not unless you are damn sure it won't come back to haunt you...
  • Captain Anonymous
    I used to use this to snoop on instant messenger traffic at work. You'd be surprised who is sleeping with who in the office, and regularly cheating on their wife during lunch breaks.
  • ron
    whats the point when congress nonchalantly gives away our rights to bush and alberto gonzalASS? and the telecoms like at&t happily hand info over to the feds? and nothing is done, and no one is punished.
  • To be fair, that "highly-sensitive" email will travel over the rest of the net in plaintext - so what if it makes the final jump in plaintext too? If it was that private, you'd encrypt it with PGP/GPG so that it's encrypted all the way from sender to recipient.

    Any sensitive data shouldn't be published online. If you're going to carry out some highly secret or illegal activity, you *don't* put a note in your Google Calendar about it.
  • You might want to check out Google Secure Pro.

    http://userscripts.org/scripts/show/5951
  • Matt
    Were you logged in via ssl?

    If not, how is this different than any other email client not using ssl?
  • Just use this. Encryption done client side so no private data is transferred.
    http://www.xice.net/sdksamples/webdesktop.html
  • Jeff
    Whenever I use encrypted for gmail I always got this

    Your browser's cache is full and may interfere with your experience. "Fix This"

    However, I have cleared the cache and cookies and it still says this.

    Also, when I use encrypted gmail, it will not show the graphics within an html email.
  • josh
    "like any other legitimate service provider"

    It's not just Google.
  • kwl
    Since AJAX is used, the information might still be sent unencrypted even if the webpage was delivered via https. Do the XML requests get sent thru SSL as well if Gmail is accessed via https?
  • Roy
    Use greasemonkey scripts!
  • lofi
    > Using anything online is like shouting “Fire” at a friend while you’re both alone in a bathroom in a theater.

    is this an american thing?
  • jackson
    >>is this an american thing?

    This American doesn't know what it means. Maybe he is mixing his metaphors. Sounds like a completely non sequtuir to me.
  • If you're on a private computer (your own) there really isn't anything to worry about, except for the ISP.
  • Rijnzael
    I don't know why there's even an article on this. Anything that's not encrypted when communicating over the internet is at risk of being intercepted. We all know that. It just takes using a name like Google, or Microsoft, or Yahoo to attach to the article for increased attention. If you want to stay secure, use a VPN, an SSH tunnel, SSL, or any combination thereof for all your communications. Or just stay off of networks that are beyond your control.
  • Or, just use MailSaurus...it's a free, open source, fully encrypted Ajax-based webmail system. Not only is your entire session encrypted, but all of your email messages are stored encrypted on the server using a unique key for each user. That means even if the server is compromised (or subpoenaed) your messages cannot be read!

    http://www.mailsaurus.com
  • ben
    don't use google.
  • Thanks for the tip, I never stopped to think about whether or not Google supported https.
    And I have to agree with Rijnzael.
  • Laurent
    This applies to every website out there not using https. Even this website. All the data I type in here will also be sent unencrypted. ;)
  • em22
    Hi Guys,

    Just download a plugin for Firefox (you should all be using FF by now!) called Customize Google (http://www.customizegoogle.com/).

    This has an option in to secure all google connections, plus a host of other great features (removing ads etc)

    em22
  • em22
    Hi Guys,

    Just download a plugin for Firefox (you should all be using FF by now!) called Customize Google (http://www.customizegoogle.com/).

    This has an option in to secure all google connections, plus a host of other great features (removing ads etc)

    oh, i love people who just blurt out stupid things like "dont use google" - i bet they're a yohoo'er...

    em22
  • Google just loves to spy doesn't it......say a big bye bye to big brother tactics

    Use encryption for email, PGP is pretty good http://www.pgpi.org/ and there are several others available.
  • Peter
    cool, now only Google can read all your mail and searches ?
  • Good trick to explain the problem! With GMAIL we have a possible solution using HTTPS, but what shall we do with other mail providers? That secure protocol isn't always available...
  • Jonas
    >> Using anything online is like shouting “Fire” at a friend while you’re both alone in a bathroom in a theater.

    >is this an american thing?

    Yes. It is an American thing. It's a funny turn of phrase if you know the background. There was a major freedom of speech case that was decided by the U.S. Supreme Court years ago in which a very learned justice said that freedom of speech doesn't mean you can yell "fire" in a crowded theater.

    So, I assume lofi means: using encryption for communication about illegal things on line ("shouting 'Fire'") is still illegal, but one step removed from public speech ("in the bathroom in a theater.")
  • fcukbeat
    how can i download this tool tcdump? what is its system requirements? please reply thanks...
  • Jim
    In Windows XP I keep a shortcut in my quick launch folder, for easy clickin'. I use this because the gmail notifier launches in unsecured http:// mode and there's no way I've found to change it.

    Target:
    "C:\Program Files\Mozilla Firefox\firefox.exe" "https://mail.google.com"

    Start in:
    "C:\program files\mozilla firefox"

    Icon:
    http://mail.google.com/favicon.ico
  • It isn't fair that you make it sound like google doesn't willingly permit this use of their services. You assume they revert to non-https because it is easier on their servers. I think your off there, and your off on making it sound like this a hack, rather than a published alternate method.
  • I thank you for alerting me to this.
  • Good advice, as far as it goes. Encrypting our data on its way to Google then decrypting it at Google mostly ensures that they get it safely, but at what point do people start getting concerned that Google has all their data? At what point do we worry that they monitor, mine, and market our data and online behavior? The same people freaking out about the government or Microsoft collecting some of our data are usually the ones who happily give it all to Google.

    If Google cares about our privacy or security, they'll provide a way for us to encrypt our data when it leaves our system, to be decrypted only when we get it back on our system.

    But, yes, if you really care about your privacy, encrypt your email yourself before using any email system. And do not use Google Docs or any online service for anything sensitive. Onerous task when G and Y! and MS and others make it so easy to hand everything over to them. Hard drives are cheap.
  • X
    Awesome! Now we need to figure out how to safeguard Google from our data!
  • Angus S-F
    Also, if you want to keep your search history with Google anonymous, make sure you're not logged in to your Google account (gmail, gcal, etc.) AND use either the BlackBox or Scroogle search redirectors, which anonymize your Google searches by making them from a different IP address than yours.
  • If someone is ON your network and wants your data, you're going to need a lot more than https. There are tools that will let you view that traffic just as easily as everything else. Fortunately, most people are not that important. No one really cares about your e-mails or IMs as much as you think they do.
  • A very handy article, thanks!
  • Anonny Mouse
    What about fetching gmail content via POP? I believe it is unencrypted too...
  • Woody
    I use https for gmail, calendar, and picasa, but there's *no* way to do it for notebook! grrrrr...
  • Matt
    No the POP access is crypted. It uses POP over a secure SSL connection, as https do. You can see it on the help center of Gmail.
  • Loren
    I don't think gmail does encrypt your activities if you use a standalone client requiring SSL.
  • Oh, this certainly scares me. I had better consider on other alternatives if such privacy issue is going to be persist.
  • http://googlonymous.com/

    Google Anonymously..
  • Thank the heavens Firefox has a way to avoid this.
  • Thanks for this powerful tips!
  • Arick
    I agree totally with your article if you use Firefox "hopefully if you use a pc" I recommend a extension that covers most of these issues plus Google analytics: http://www.customizegoogle.com/ I'm more concerned about that side of it check this out http://en.wikipedia.org/wiki/Google_Analytics thanks for the heads up though if I have to use IE I'll remember to take your advice.
  • Tim
    I want to echo the comments that email without encryption is insecure, even if you use https to get it to the mail server. Once it leaves Google/Yahoo!/MSN/your ISP, it's not encrypted unless you do it yourself. Look into PGP/GPG as another comment said.
  • The fact that email on the Internet is insecure is well known. The point is that when you're on a network that allows one to easily read network traffic, it presents an especially high risk of being intercepted by those who could take interest in you and/or cause you harm.

    In other words, some trashy network admin (or fellow coffee drinker) having all your email, wherabouts, agendas, news sources, etc. is much more dangerous than having it floating randomly on the Internet.
  • don't forget to grab your FREE Digital Cert from comodo. (they're a trusted root CA)

  • Hello, very nice site, keep up good job!
    Admin good, very good.

  • Free Razr plus free shipping with activated service plan.Choose from AT&T, Nextel, T-Mobile, Verizon, and more.


    Click here

  • Sake

    Do not visit: http://www.mailsaurus.com IT IS A TROJAN Downloader website. Reported by Kaspersky.

blog comments powered by Disqus

Twitter Microblog

twitter_icon      facebook_icon

Sample Original Content


Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects


Blog Archives