On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said:
Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's not enough against nation-state or serious professional level attacks.
To be fair though - if I was sitting on information of sufficient value that I was a legitimate target for nation-state TLAs and similarly well funded criminal organizations, I'd have to think long and hard whether I wanted to vector my e-mails through Google. It isn't even the certificate management issue - it's because if I was in fact the target of such attention, my threat model had better well include "adversary attempts to use legal and extralegal means to get at my data from within Google's infrastructure". "Operation Aurora".