Google has been name-checked on security. A letter sent on 16-Jun-09 to Google CEO Eric Schmidt strongly urges the company to make a secure connection the default method for Web applications. Among the 38 signatories to the letter are a host of well-known security experts, researchers, and advocates, including Ronald Rivest (the R of RSA), Bruce Schneier, Jon Callas, Eugene Spafford, Peter G. Neumann, William Cheswick, and Steven Bellovin.
Two years ago, Google’s use of unsecured connections came to the fore with the discovery of sidejacking, a technique for grabbing the authentication cookies that Google uses to identify users during an unsecured session and inserting them into a browser under the sidejacker’s control. Sidejacking can be performed anywhere there’s an open Wi-Fi hotspot or an untrusted Ethernet network in which traffic is mingled and sniffable. (See “Sidejack Attack Jimmies Open Gmail, Other Services,” 2007-08-27.)
Google has taken some steps to derail sidejacking, including marking the Gmail authentication cookie with the Secure flag, which tells the browser never to send that cookie over an unencrypted connection, so it stays out of sniffable traffic even when a page is requested over plain http. Google also added an option to require https (SSL/TLS secured) connections for Gmail. (See “Google Gmail Adds Secure Session Option,” 2008-07-28.) The researchers noted that other services, like Google Docs and Google Calendar, support https as well, although there’s no way to set that level of security as a default.
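To make concrete how the Secure cookie flag blunts sidejacking, here is an added example (not from the article, and not Google’s code) that models the browser rule: a cookie carrying the Secure attribute is withheld from plain-http requests, so it never travels in the clear. The cookie name, domain and token value are constructed stand-ins.

```python
from urllib.parse import urlparse

# Constructed Set-Cookie headers: the weak form (no Secure attribute) beside
# the hardened form, as applied to an authentication cookie.
WEAK_HEADER = "SID=constructed-token; Domain=.example.com; Path=/; HttpOnly"
HARDENED_HEADER = "SID=constructed-token; Domain=.example.com; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a cookie dict (RFC 6265 style)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": None, "path": "/",
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val or "/"
    return cookie


def cookies_for_request(jar, url):
    """Return the cookies a browser would attach to a request for url.
    A Secure cookie is only sent when the scheme is https; domain and path
    matching follow the usual cookie scoping rules."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    sent = []
    for c in jar:
        if c["secure"] and u.scheme != "https":
            continue  # the rule that keeps the cookie out of plaintext traffic
        if c["domain"] and not (host == c["domain"] or host.endswith("." + c["domain"])):
            continue
        if not path.startswith(c["path"]):
            continue
        sent.append(c)
    return sent


def exposed_over_plaintext(header, url="http://mail.example.com/"):
    """True if the cookie set by header would travel unencrypted to url."""
    return bool(cookies_for_request([parse_set_cookie(header)], url))
```

Run `exposed_over_plaintext` on both headers: the weak cookie is sent over plain http (sniffable on an open hotspot), while the hardened one is only ever sent over https.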
The letter sent to Google claims that acquiring a Google authentication cookie from Docs or Calendar would allow access to Gmail, but one of Google’s security team members, Alma Whitten, said in a blog entry that it wouldn’t be possible for such a cookie to be intercepted.
The security experts urge that https sessions become the default for all Web-based services. The letter acknowledges that the lack of secure-by-default sessions is a widespread problem, and is even worse at Microsoft Hotmail, Yahoo Mail, Facebook, and MySpace because those services don’t offer a secure option at all. We expect that the security experts are starting with Google because of Google’s existing optional support for secure connections, and if they can convince Google to make the switch, they’ll move on to these other companies.
They note that because Google apps are designed to work asynchronously, queuing and performing tasks at the server and then updating the browser without a page reload, any latency introduced by the additional user or server computational load for encryption won’t make the experience of using these applications worse.
Google’s response, in Whitten’s blog entry, is that Google remains concerned that there’s not enough known about whether specific computer configurations, networks, or parts of the world would suffer far worse performance in an all-https world. Whitten also said that Google is planning a trial that moves small sets of Gmail customers who haven’t explicitly requested https-only sessions to that option.