'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com) 46
Google announced on Tuesday that it would offer stronger online security for "high risk" users who may be frequent targets of online attacks. The company said anyone with a personal Google account can enroll in the new "advanced protection," while noting that it will require users to "trade off a bit of convenience" for extra security. Motherboard reports: The main advantage in terms of security is the need for a key or token to log in as the second factor, instead of a code sent via SMS or via app. This is much better because there's no way for hackers to steal or phish this key from afar (there have been isolated incidents of hackers using social engineering to gain access to someone's cell phone number by getting the provider to issue a new SIM card, for instance). Thanks to these new features, Gmail is now the most secure email provider available on the internet if you are worried about hackers breaking into your private correspondence. "This is a major step in the right direction in offering the same kind of protection available to high-profile figures to everyday people," Kenneth White, a Washington, D.C.-based security consultant to federal agencies, told Motherboard. "They have really thought this through, and while it may not make sense for everyone, for those that need it, it's a much needed option."
It's the same tool my identity theft plan uses (Score:2)
I specify that Congress should make broad legislation allowing a regulatory agency to select the most-appropriate, affordable, and effective technology of today; and today, that is the FIDO U2F Security key with RSA or ECC encryption. That's how I'm going to defeat identity theft once and for all [johnmoserforcongress.com].
Re: It's the same tool my identity theft plan uses (Score:1)
Doesn't matter. Their keys are used by other providers already. A friend of mine uses Auth-Anvil as a two-factor for his service which includes email access.
The most secure system is to host it yourself, and encrypt the contents with a key you only have access to.
Re: (Score:2)
How about FIDO U2F and the Google Authenticator (RFC 6238 and RFC 4226)? The six digit TOTP code has been proven across many, many sites (I use it on Microsoft's, Amazon's, gmail's, and many others.)
What would be nice would be a dedicated PDA-like device with a camera for reading QR codes, a touch screen for inputting codes by hand, a charge-only USB interface, and an SD card interface for backing up the OTP seeds. The device never sees, nor cares about the Internet, and is only connected to a USB cable t
I want even less security (Score:1)
Somehow I wish the reverse. I hate it that Google blocks my access to their web site every time I change my location; I would like to somehow turn off whatever they had till now. As a user I want to have the choice to access my email account as it fits me, from wherever I want to; that is missing with Google.
Re: (Score:2)
Use IMAP or POP and a real mail client. Don't use the web interface.
Or use a 3rd party web interface that backends via IMAP or POP.
Also the least secure (Score:1)
As opposed to GPG (or S/MIME) (Score:2)
Yup, indeed.
My reaction too was "Nope, not the most secure. Just slightly more secure than before, and never as secure as any random provider as long as you use a PGP implementation such as GPG" (or eventually if you use S/MIME, as long as you trust the authority that certified the keys enough).
Again people, in terms of privacy and security, it's hard to beat full end-to-end encryption.
For the webmail-using crowd : Mailvelope [mailvelope.com] is an extension that allows you to use openPGP in the "TextArea" field used by webma
Identity vs. content and identity (Score:2)
To elaborate more:
- 2 factor identification (like the suggested bluetooth and usb dongles) only solves 1 single problem: identity.
Making sure that when Alice receives an e-mail from "bob@gmail.com" it's indeed written by Bob, and not by Eve trying to steal Bob's gmail credential by hacking the SMS 2-factor.
But any exchange between Alice and Bob can still be read on Google servers 100% for sure (that's how GMail's Ads work), and maybe by any government agency that has agreements (or plain just did an inside
Uh.... (Score:1)
My job already requires smartcard authentication for email.
And no Google spying & building a shadow profile for advertising.
For a given value of secure (Score:1)
Is it secure from Google?
Re: (Score:2)
Hi sir! please enter your gmail password here: ____________
Oh I see, Google doesn't protect against this. This seems super secure.
I think you missed the point. It's two factor authentication. If I know your password I still need to know the key to log in.
Re: (Score:1)
Hi sir! Please enter your password: ___________
Hi sir! Please also enter your key _________
....?
Profit!
good for some, not for others (Score:2)
Some things just need "good enough" security and the likelihood that anyone cares enough to hack them is a risk you accept for the practical real-world usability of the thing.
Chrome only... (Score:3, Insightful)
I skimmed Google's write-up of their new offering, and was seriously considering looking into this. I bear no delusions of self-grandeur, or that anyone would have any reason to be interested in sorting through all the confirmation e-mails for the coffee I buy off Amazon; but I do have some key data tied up in the Googleverse, and the cost of an extra keyfob would not exactly break the bank. However, then I came to this:
Google services on the web
You will only be able to use the Chrome browser to access signed-in services like Gmail or Photos.
That breaks the deal for me, since I don't use Chrome, and it would not be convenient for me, for a few reasons. I can't really think of any valid technical reason why this results in any actual security, unless Chrome pins Google's CA; but the same thing can be done in any other browser too.
Re: (Score:2)
No one else supports the FIDO U2F security key standard in their browser. Firefox should be getting around to it anytime now, and I believe that Opera does. But that's probably why: the valid technical reason is that no one else supports the security standard.
They did? (Score:4, Insightful)
So they're now encrypting all the emails being stored on their servers and don't hold the key themselves?
Because if they're not doing that, then they're not anything close to "the most secure email provider on the planet".
Re: (Score:2)
So they're now encrypting all the emails being stored on their servers and don't hold the key themselves?
Because if they're not doing that, then they're not anything close to "the most secure email provider on the planet".
Meh.
"Secure" is a word that is meaningless without a threat model. It's often clear what the threat model is, so we often don't state it (and we often don't state it when it isn't clear). In this case, Google is talking about one threat model (security against unauthorized third parties gaining access to your email) and you're interpreting the statement in the context of another threat model (security against access by Google itself).
Also, it's worth noting that you probably don't actually want the thin
Re: (Score:2)
"Secure" is a word that is meaningless without a threat model.
Not meaningless, but your point is solid. In the absence of specifying a threat model, I take "secure" as meaning "nobody can access the data without my permission".
Also, it's worth noting that you probably don't actually want the thing you're asking for.
Oh yes I do. I go to a fair bit of effort right now to make sure I have it.
Key management is hard.
It's not hard, exactly, but it does take ongoing attention.
You need to use another email client and use S/MIME or PGP mail.
Or, even easier, use a mail provider that offers end-to-end encryption. That doesn't cover email in transit, but it does cover email at rest.
Re: (Score:2)
Oh, and I forgot the most important part:
None of what you say changes the fact that this change in no way makes GMail "the most secure email provider on the planet".
Sorry, not in stock (Score:2)
Don't see point of required bluetooth security key (Score:2)
Good one google... (Score:2)
But you're not fooling everyone.
Security is now a buzzword.
Lavabit (Score:2)
Also breaking (Score:2)
In related news, the fox has made the hen house safer from outside predators. Hens everywhere are rejoicing!