Like Fox Mulder in the “X-Files” Google is fighting the future when it comes to securing email search and other Web services.
The search engine provider, which last month made HTTPS encryption its default security mode for search, said it has added forward secret HTTPS for Google+, Gmail, SSL Search and Docs, paving the way for more secure Web services in the future.
Most major sites that support HTTPS, such as Facebook and Twitter, do so in a non-forward secret fashion. What this means is that encrypted, normally unreadable email could be recorded while being delivered to a computer today and decrypted in the future by knowledgeable attackers, when computers become much faster.
Google said forward secret HTTPS is now live for Gmail and many other Google HTTPS services such as SSL Search, Docs and Google+.
Google’s Chrome and Mozilla’s Firefox Web browsers and Microsoft Internet Explorer (Vista or later) browsers support forward secrecy using elliptic curve Diffie-Hellman (ECDHE), a key agreement protocol that allows two parties possessing an elliptic curve public-private key pair to establish a shared secret over an insecure channel.
Only Chrome and Firefox will initially use it by default with Google services because Microsoft Internet Explorer does not support ECDHE and the RC4 software stream cipher.
Users can check whether they have forward secret connections in Chrome by clicking on the green padlock in the address bar of HTTPS sites. Google’s forward secret connections will have a key exchange mechanism of ECDHE_RSA.
Google Security team member Adam Langley also said Google has released the work that it did on the open-source OpenSSL library that led to forward secrecy HTTPS encryption.
“We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision,” added Langley, who provided more detail of Google’s security move on his personal blog.
Google’s security team has been very active in trying to thwart some of the more mainstream attacks on its Web services.
In April, Google began work on two security projects to improve the public key infrastructure, which was rocked by the Comodo digital certificate spoofing incident in March.
The Google Certificate Catalog is a database of all of the SSL certificates Google’s Web crawlers record in the DNS for the company’s search engine and Web services. The DANE Working Group at the IETF is intended to allow domain operators to publish information about SSL certificates used on their hosts.
After relocating from California to Texas in 2020, Oracle's Larry Ellison now reveals plan to…
Share price hit after Meta admits heavy AI spending plans, after posting strong first quarter…
For third time Google delays phase-out of third-party Chrome cookies after pushback from industry and…
Elon Musk firm touts cheaper EV models, as profits slump over 50 percent in the…
Bad news for Tim Cook, as Counterpoint records 19 percent fall in iPhone sales in…
TikTok pledges to challenge 'unconstitutional' US ban in the courts, after President Joe Biden signs…