Google responds to call for more security

In response to an open letter from dozens of noted security analysts, Google this week said it intends to more broadly turn on security features in its Gmail application by default.

The internet giant also said it was considering how to extend the protection by default to other applications, including Google Docs and Google Calendar.

The six-page open letter to Google CEO Eric Schmidt was signed by 37 researchers and academics in computer science, information security and privacy law. Specifically, they asked Google to protect users by enabling “industry standard transport encryption technology (HTTPS)” for Google's most popular web applications.

Without a persistent encrypted connection, users can open themselves up to snooping and data theft, even by untrained hackers who can use freely available tools on the internet to perpetrate their attacks, the letter said.

In response, Alma Whitten, a software engineer with Google's Security & Privacy Teams, wrote in a blog post Tuesday that the internet giant would consider the researchers' recommendations.

“We've long advocated for — and demonstrated — a focus on strong security in web applications,” Whitten said. “In fact, we're currently looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”

Google currently allows its Gmail users to opt in to always using HTTPS. Meanwhile, users of Docs and Calendar can log in to a protected session by typing HTTPS into their address bars.

But any move to having users automatically protected with the protocol is unlikely to happen immediately.

“We're planning a trial in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is,” Whitten wrote, “and whether it affects the performance of their email.”

Whitten added that Google is considering how to “make this best work with other apps,” such as Docs and Calendar.

Whitten's sentiments echo a section of the open letter to Google pointing out that users of Microsoft's Hotmail, Yahoo Mail, Facebook and MySpace also are vulnerable to data theft and account hijacking.

Google's response seems to be meeting with positive reaction, at least in some sectors.

“Google's rapid response is pretty good,” Christopher Soghoian, student fellow at the Berkman Center for Internet & Society at Harvard University and author of the open letter, told SCMagazineUS.com in an email. “I hope that executives from Yahoo, Microsoft and Facebook follow Google's lead voluntarily, and spare me the effort of coordinating similar letters to their CEOs too.”

 
