[LBo] QnA Digest, Vol 12, Issue 16
Steve Hinsley
shinsley at cablelynx.com
Sun Aug 19 18:05:27 CEST 2007
Allen wrote:
>
> qna-request at linuxbasics.org wrote:
>> Date: Thu, 16 Aug 2007 06:52:00 -0500
>> From: Steve Hinsley <shinsley at cablelynx.com>
>> Subject: Re: [LBo] Encryption for Google Apps
>> To: qna at linuxbasics.org
>> Message-ID: <46C43A60.1010900 at cablelynx.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> Anita Lewis wrote:
>>> If you are using Google Apps, maybe you would like to use https instead
>>> of their default.
>>> http://linuxbasics.org/blog/index.php?/archives/38-Encryption-for-Google-Apps.html
>>>
>>> Anita
>>>
>>>
>> You can also use this to encrypt gmail.
>> https://www.gmail.com
>
> The real problems with this are two-fold. While SSL (the protocol
> behind HTTPS) does create a secure tunnel between you and some
> server someplace, you do not really know *what* server this might
> be as SSL is subject to Man-In-The-Middle attacks. Not a big risk
> but a real one. This is illustrated by the fact that there is an
> SSL certificate mismatch. The SSL certificate is not for
> https://www.gmail.com but rather for mail.google.com. This is a
> very common error and because it is so common most people either
> accept without reading the error to check what's up, or what is
> worse, they turn off the alerts totally, making a
> Man-In-The-Middle attack even easier.
I know that I don't have the credentials you have, so I may be out of my
depth. But the server for Google Mail is mail.google.com. That is where
the certificate should come from. A quick whois of gmail.com shows a
contact at Google Inc.
> Trust me, as a person who makes his living off security, it is
> not a matter of if, but rather when it will happen. You would not
> believe some of the very real incidents I have to deal with
> regularly. Most of them don't wind up in the papers, but they do
> cause significant harm and turmoil. At last report an identity is
> stolen every 13 seconds in the US. It costs an average of $1500
> dollars and around 500 hours of your time over two to three
> years. People have even been arrested multiple times for the
> actions of the identity thieves!
I guess that depends on how much you trust Google. All email is on a
server somewhere. No one should send sensitive information by email.
The issue here is securing your session. Your login is secure, but
unless you use https your session is in plain text. Not important if
you're at home, but you may want to use it if you're on another network.
Just my .02 cents.
Steve Hinsley
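Allen's point about a certificate for mail.google.com being presented at https://www.gmail.com comes down to a hostname-matching failure. As an added example (not part of this thread), the Python below applies the name-matching rule a browser uses to decide whether to show that mismatch warning; the SAN list is constructed for illustration and is not the certificate Google actually served in 2007.

```python
def hostname_matches(hostname: str, san_names: list) -> bool:
    """Return True if `hostname` is covered by one of a certificate's
    DNS names (subjectAltName entries).

    Rules, as browsers apply them: comparison is case-insensitive; a
    wildcard may only be the entire leftmost label, so "*.google.com"
    covers mail.google.com but neither google.com nor a.b.google.com;
    partial wildcards ("ma*l.google.com") and wildcards over a public
    suffix ("*.com") are refused.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue                      # a wildcard never spans several labels
        if any("*" in lbl for lbl in labels[1:]):
            continue                      # wildcard only allowed in leftmost label
        if "*" in labels[0] and labels[0] != "*":
            continue                      # no partial wildcards
        if labels[0] == "*" and len(labels) < 3:
            continue                      # "*.com" would match far too much
        if all(p == "*" or p == h for p, h in zip(labels, host)):
            return True
    return False


def name_check_report(hostname: str, san_names: list) -> str:
    """One-line verdict a client could log before trusting the session."""
    if hostname_matches(hostname, san_names):
        return "OK: %s is covered by the certificate" % hostname
    return "MISMATCH: %s not in certificate names %s" % (hostname, san_names)


# Constructed SAN list for the scenario in the thread (illustrative only).
SANS = ["mail.google.com", "*.google.com"]

if __name__ == "__main__":
    # The browser warning Allen describes: name requested vs. name certified.
    print(name_check_report("www.gmail.com", SANS))
    print(name_check_report("mail.google.com", SANS))
```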