DISQUS

dmiessler.com | grep understanding: Why You Should Encrypt *All* of Your Google Activities [POC]

  • Uh-oh · 2 years ago
    Kenny the IT guy knows my secrets...
  • Tim · 2 years ago
    When I log in to https://mail.google.com/mail, the links at the top to other Google services are https links. So Step 2 *might* not be necessary.
  • Tim · 2 years ago
    Okay, the Calendar and Docs links are https, the others are http. Maybe they're working oni t.
  • me · 2 years ago
    You should take a look at Customize Google Firefox Add-On. It allows you to force the use of https for all google services.
  • barry · 2 years ago
    Also handy for google privacy is g-zapper
    http://www.dummysoftware.com/gzapper.html
  • Allah · 2 years ago
    don't forget the GmailSecure userscript for GreaseMonkey that forces https connections on mail.
  • Kint · 2 years ago
    Please, if you are using Firefox, install the Greasemonkey extension and then use the script below. Everytime you access the http://mail.google.com/* url, you'll automagically get redirected to the https:// version.

    http://userscripts.org/scripts/show/1404
  • Scott · 2 years ago
    "Everyone loves Google."

    No, I don't. Anyone who's ever been in any sort of serious litigation will tell you that Google's potentially a terrible trap. Who needs their past coming back to haunt them in that way?
  • rabidsnail · 2 years ago
    In the case of gmail, if you go to https://gmail.com instead of http://gmail.com, it does encrypt everything.
  • Aerik · 2 years ago
    It's also useful to use Firefox extensions "CustomizeGoogle," "Better gCal," "Better gReader," and "Better GMail," all of which you can use to force secure connections, even when clicking within google. It's what I do. Also, with the NoScript extension, forbid scripts from googleadservices.com, adwords.google.com, google-analytics.com and googlesyndication.com.
  • The Dog · 2 years ago
    All online services are potentially a trap. From simple e-mail to new online applications, only a fool would believe that he has an expectation of privacy. Privacy disclaimers mean nothing when a law can be changed to gain access to any data, encrypted or not.

    Using anything online is like shouting "Fire" at a friend while you're both alone in a bathroom in a theater. Even if you don't expect anyone else to hear, it is possible someone will. Same thing with emaiail or online apps...someone may just be listening.

    Never do anything online anywhere, encrypted or not unless you are damn sure it won't come back to haunt you...
  • Captain Anonymous · 2 years ago
    I used to use this to snoop on instant messenger traffic at work. You'd be surprised who is sleeping with who in the office, and regularly cheating on their wife during lunch breaks.
  • ron · 2 years ago
    whats the point when congress nonchalantly gives away our rights to bush and alberto gonzalASS? and the telecoms like at&t happily hand info over to the feds? and nothing is done, and no one is punished.
  • David Precious · 2 years ago
    To be fair, that "highly-sensitive" email will travel over the rest of the net in plaintext - so what if it makes the final jump in plaintext too? If it was that private, you'd encrypt it with PGP/GPG so that it's encrypted all the way from sender to recipient.

    Any sensitive data shouldn't be published online. If you're going to carry out some highly secret or illegal activity, you *don't* put a note in your Google Calendar about it.
  • Kara Sherman · 2 years ago
    You might want to check out Google Secure Pro.

    http://userscripts.org/scripts/show/5951
  • Matt · 2 years ago
    Were you logged in via ssl?

    If not, how is this different than any other email client not using ssl?
  • Nick · 2 years ago
    Just use this. Encryption done client side so no private data is transferred.
    http://www.xice.net/sdksamples/webdesktop.html
  • Jeff · 2 years ago
    Whenever I use encrypted for gmail I always got this

    Your browser's cache is full and may interfere with your experience. "Fix This"

    However, I have cleared the cache and cookies and it still says this.

    Also, when I use encrypted gmail, it will not show the graphics within an html email.
  • josh · 2 years ago
    "like any other legitimate service provider"

    It's not just Google.
  • kwl · 2 years ago
    Since AJAX is used, the information might still be sent unencrypted even if the webpage was delivered via https. Do the XML requests get sent thru SSL as well if Gmail is accessed via https?
  • Roy · 2 years ago
    Use greasemonkey scripts!
  • lofi · 2 years ago
    > Using anything online is like shouting “Fire” at a friend while you’re both alone in a bathroom in a theater.

    is this an american thing?
  • jackson · 2 years ago
    >>is this an american thing?

    This American doesn't know what it means. Maybe he is mixing his metaphors. Sounds like a completely non sequtuir to me.
  • Rijnzael · 2 years ago
    I don't know why there's even an article on this. Anything that's not encrypted when communicating over the internet is at risk of being intercepted. We all know that. It just takes using a name like Google, or Microsoft, or Yahoo to attach to the article for increased attention. If you want to stay secure, use a VPN, an SSH tunnel, SSL, or any combination thereof for all your communications. Or just stay off of networks that are beyond your control.
  • Jim Ryan · 2 years ago
    Or, just use MailSaurus...it's a free, open source, fully encrypted Ajax-based webmail system. Not only is your entire session encrypted, but all of your email messages are stored encrypted on the server using a unique key for each user. That means even if the server is compromised (or subpoenaed) your messages cannot be read!

    http://www.mailsaurus.com
  • ben · 2 years ago
    don't use google.
  • TimothyP · 2 years ago
    Thanks for the tip, I never stopped to think about whether or not Google supported https.
    And I have to agree with Rijnzael.
  • Laurent · 2 years ago
    This applies to every website out there not using https. Even this website. All the data I type in here will also be sent unencrypted. ;)
  • em22 · 2 years ago
    Hi Guys,

    Just download a plugin for Firefox (you should all be using FF by now!) called Customize Google (http://www.customizegoogle.com/).

    This has an option in to secure all google connections, plus a host of other great features (removing ads etc)

    em22
  • em22 · 2 years ago
    Hi Guys,

    Just download a plugin for Firefox (you should all be using FF by now!) called Customize Google (http://www.customizegoogle.com/).

    This has an option in to secure all google connections, plus a host of other great features (removing ads etc)

    oh, i love people who just blurt out stupid things like "dont use google" - i bet they're a yohoo'er...

    em22
  • Colin · 2 years ago
    Google just loves to spy doesn't it......say a big bye bye to big brother tactics

    Use encryption for email, PGP is pretty good http://www.pgpi.org/ and there are several others available.
  • Peter · 2 years ago
    cool, now only Google can read all your mail and searches ?
  • Maurizio Colleluori · 2 years ago
    Good trick to explain the problem! With GMAIL we have a possible solution using HTTPS, but what shall we do with other mail providers? That secure protocol isn't always available...
  • Jonas · 2 years ago
    >> Using anything online is like shouting “Fire” at a friend while you’re both alone in a bathroom in a theater.

    >is this an american thing?

    Yes. It is an American thing. It's a funny turn of phrase if you know the background. There was a major freedom of speech case that was decided by the U.S. Supreme Court years ago in which a very learned justice said that freedom of speech doesn't mean you can yell "fire" in a crowded theater.

    So, I assume lofi means: using encryption for communication about illegal things on line ("shouting 'Fire'") is still illegal, but one step removed from public speech ("in the bathroom in a theater.")
  • fcukbeat · 2 years ago
    how can i download this tool tcdump? what is its system requirements? please reply thanks...
  • Jim · 2 years ago
    In Windows XP I keep a shortcut in my quick launch folder, for easy clickin'. I use this because the gmail notifier launches in unsecured http:// mode and there's no way I've found to change it.

    Target:
    "C:\Program Files\Mozilla Firefox\firefox.exe" "https://mail.google.com"

    Start in:
    "C:\program files\mozilla firefox"

    Icon:
    http://mail.google.com/favicon.ico
  • Evan Carroll · 2 years ago
    It isn't fair that you make it sound like google doesn't willingly permit this use of their services. You assume they revert to non-https because it is easier on their servers. I think your off there, and your off on making it sound like this a hack, rather than a published alternate method.
  • 10668844 · 2 years ago
    I thank you for alerting me to this.
  • bill weaver · 2 years ago
    Good advice, as far as it goes. Encrypting our data on its way to Google then decrypting it at Google mostly ensures that they get it safely, but at what point do people start getting concerned that Google has all their data? At what point do we worry that they monitor, mine, and market our data and online behavior? The same people freaking out about the government or Microsoft collecting some of our data are usually the ones who happily give it all to Google.

    If Google cares about our privacy or security, they'll provide a way for us to encrypt our data when it leaves our system, to be decrypted only when we get it back on our system.

    But, yes, if you really care about your privacy, encrypt your email yourself before using any email system. And do not use Google Docs or any online service for anything sensitive. Onerous task when G and Y! and MS and others make it so easy to hand everything over to them. Hard drives are cheap.
  • X · 2 years ago
    Awesome! Now we need to figure out how to safeguard Google from our data!
  • Angus S-F · 2 years ago
    Also, if you want to keep your search history with Google anonymous, make sure you're not logged in to your Google account (gmail, gcal, etc.) AND use either the BlackBox or Scroogle search redirectors, which anonymize your Google searches by making them from a different IP address than yours.
  • PENIX · 2 years ago
    If someone is ON your network and wants your data, you're going to need a lot more than https. There are tools that will let you view that traffic just as easily as everything else. Fortunately, most people are not that important. No one really cares about your e-mails or IMs as much as you think they do.
  • Phil Dufault · 2 years ago
    A very handy article, thanks!
  • Anonny Mouse · 2 years ago
    What about fetching gmail content via POP? I believe it is unencrypted too...
  • Woody · 2 years ago
    I use https for gmail, calendar, and picasa, but there's *no* way to do it for notebook! grrrrr...
  • Matt · 2 years ago
    No the POP access is crypted. It uses POP over a secure SSL connection, as https do. You can see it on the help center of Gmail.
  • Loren · 2 years ago
    I don't think gmail does encrypt your activities if you use a standalone client requiring SSL.
  • Keith · 2 years ago
    Oh, this certainly scares me. I had better consider on other alternatives if such privacy issue is going to be persist.
  • Fred Durst · 2 years ago
    http://googlonymous.com/

    Google Anonymously..
  • Doug Woodall · 2 years ago
    Thank the heavens Firefox has a way to avoid this.
  • fropert · 2 years ago
    Thanks for this powerful tips!
  • Arick · 2 years ago
    I agree totally with your article if you use Firefox "hopefully if you use a pc" I recommend a extension that covers most of these issues plus Google analytics: http://www.customizegoogle.com/ I'm more concerned about that side of it check this out http://en.wikipedia.org/wiki/Google_Analytics thanks for the heads up though if I have to use IE I'll remember to take your advice.
  • Tim · 2 years ago
    I want to echo the comments that email without encryption is insecure, even if you use https to get it to the mail server. Once it leaves Google/Yahoo!/MSN/your ISP, it's not encrypted unless you do it yourself. Look into PGP/GPG as another comment said.
  • Daniel Miessler · 2 years ago
    The fact that email on the Internet is insecure is well known. The point is that when you're on a network that allows one to easily read network traffic, it presents an especially high risk of being intercepted by those who could take interest in you and/or cause you harm.

    In other words, some trashy network admin (or fellow coffee drinker) having all your email, wherabouts, agendas, news sources, etc. is much more dangerous than having it floating randomly on the Internet.
  • cryptoman · 2 years ago
    don't forget to grab your FREE Digital Cert from comodo. (they're a trusted root CA)
  • Sake · 1 year ago

    Do not visit: http://www.mailsaurus.com IT IS A TROJAN Downloader website. Reported by Kaspersky.

  • TomB · 9 months ago
    Good-day,

    There is an easier way: In your google account
    click on setting
    click on the general tab
    Under Browser connection: click on "Always use https"

    TomB