On Wed, Jan 2, 2013 at 7:31 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said:
Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's not enough against nation-state or serious professional level attacks.
To be fair though - if I was sitting on information of sufficient value that I was a legitimate target for nation-state TLAs and similarly well funded criminal organizations, I'd have to think long and hard whether I wanted to vector my e-mails through Google. It isn't even the certificate management issue - it's because if I was in fact the target of such attention, my threat model had better well include "adversary attempts to use legal and extralegal means to get at my data from within Google's infrastructure".
"Operation Aurora".
[Full disclosure: I work at Google, though the opinions stated below are mine alone.] Aurora compromised at least 20 other companies, failed at its assumed objective of seeing user data, and Google was the only organization to notice, let alone have the guts to expose the attack [0]. And you're going to hold that against them? If you're the target of a state-sponsored attacker, Google is by far the best place to host your mail. Good luck finding another provider that enables SSL by default [1], offers 2-factor authentication [2], warns you when you're being targeted by state-sponsored attackers [3], and actually fights overly-broad subpoenas from governments [4]. While I'm writing, I'll also point out that the Diginotar hack which came up in this discussion as an example of why CAs can't be trusted was discovered due to a feature of Google's Chrome browser when a cert was being used to spy on users in Iran [5]. Note that it also provides a good example of the difficulty of getting away with such attacks. [0] http://googleblog.blogspot.com/2010/01/new-approach-to-china.html [1] http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html [2] http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744 [3] http://googleonlinesecurity.blogspot.com/2012/06/security-warnings-for-suspe... [4] http://www.google.com/transparencyreport/userdatarequests/ [5] http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-... Damian