Google has made HTTPS encryption mandatory for all Gmail; hooray! In truth, this isn’t quite the milestone it sounds like. Encryption has always been an option, and it’s been the default for over four years. Your Gmail traffic is also now encrypted as it moves between Google’s servers internally. Does that mean the NSA can’t intercept and read your mail? Well, not quite.
What’s This HTTPS, Again?
First, a refresher. The “HTTP” that you see at the start of every URL stands for Hypertext Transfer Protocol, with an emphasis on “text.” HTTP traffic bounces between servers as plain text, with text-based tags to indicate how the content should be handled. A Gmail message traveling via HTTP will pass through several servers, and a “sniffer” installed on any of those servers could intercept the text.
The S in HTTPS stands for Secure. When you connect with an HTTPS site, requests from your browser are encrypted on the way to the server, and the data returned by the server is encrypted on the way back to your browser. An HTTPS connection is totally necessary when conducting sensitive online transactions. As of now, all your Gmail traffic travels the same way…up to a point.
Insecure Recipients
If you’re sharing an email conversation with another Gmail user, everything should be copacetic. From your PC to Google’s servers and from Google to the recipient, everything is encrypted. But not everyone uses Gmail.
POP3 (Post Office Protocol 3) for receiving email has been around for ages, and it’s still widely used. Encryption is an option, but many (most?) POP3 servers don’t use it. The same is true of SMTP (Simple Mail Transfer Protocol), used for sending email.
If you send a message to a person with a POP3/SMTP email account, it will be transmitted in plain text between that person’s PC and the server. I’m not sure about the traffic between that server and Google’s Gmail servers, but the final connection is definitely open to network sniffing.
Yahoo made HTTPS the default earlier this year, though its implementation has come under fire. It’s not clear whether communication between Google’s servers and Yahoo’s servers is encrypted; I would hope it is.
Other Avenues
Google’s encryption simply serves to prevent bulk capture of email messages for Big Data analysis, and that’s a good thing, but if the NSA is really interested in you specifically, they’ve got other ways to see what you’re doing. These include accessing your PC through a wireless exploit and intercepting delivery of the computer you ordered to install spyware, among many other options. If they want your data in particular, they’ll get it.
There’s also the possibility that HTTPS isn’t as secure as we think. The NSA paid $10 million to RSA security, and many believe that in return for that payment RSA installed a backdoor in their widely-used encryption protocol. At the recent RSA Conference, the chairman of RSA denied any secret contract with the NSA, but left open the possibility that the government had a hand in vetting the flawed algorithm.
Encrypt, Encrypt, Encrypt
Also at the RSA Conference, security rock star Bruce Schneier laid out a simple plan for protecting your online life: encrypt everything. “Cryptography works,” he said. “The NSA can’t break it and it pisses them off.”
Your best bet may be an encrypted communication solution that works outside the standard email system. VaporStream is an example. Messages you send using this service vanish once they’ve been read. If you want to stay closer to the normal email experience, a product like Send. Pro can integrate with Outlook to automatically encrypt and decrypt messages. Of course, your recipients need the program too.
You could also simply write your message as a document, save it in an encrypted ZIP file using a pre-arranged password, and send the file as an attachment. That would be awkward, though. A tool like HP Trust Circles lets you share files that are totally and transparently visible to you and your recipient, but encrypted for everyone else. Another option would be to drop encrypted files into cloud storage. Products like DataLocker SkyCrypt can make encrypting shared files simple and automatic.
Email has been around in some form for over fifty years. Maybe it’s not the way you should be communicating at all. There are plenty of options for secure text messaging. In fact, iPhone to iPhone calls that use iMessage are intrinsically secure
Kudos to Google for going all-in on encryption. It really is a good thing, and it will help minimize the ability of the NSA (or any other group) to harvest email data in bulk. But for completely secure communication, you need to get proactive.