News from Jun 16, 2009

Last changed: Jun 16, 2009 15:33 by Elena_Levashova
TheRegister: Google cloud told to encrypt itself

by Cade Metz

Updated: A small army of security and privacy researchers has called on Google to automatically encrypt all data transmitted via its Gmail, Google Docs, and Google Calendar services.

Google already uses Hypertext Transfer Protocol Secure (https) encryption to mask login information on this trio of cloud-based web applications. And netizens have the option of turning on https for all transmissions. But full-fledged https protection isn't flipped on by default.

"Google's default settings put customers at risk unnecessarily," reads a letter lobbed to Google CEO Eric Schmidt by 37 academics and researchers. "Google's services protect customers' usernames and passwords from interception and theft. However, when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google's servers in the clear, allowing anyone with the right tools to steal that information."

Signatories include Harvard-based Google watcher Benjamin Edelman; Chris Hoofnagle, the director of Information Privacy Programs at Berkeley Center for Law & Technology; and Ronald L. Rivest, the R in RSA.

In the past, Google has said it doesn't automatically enable https for performance reasons. "https can make your mail slower," the company explained in a July 2008 blog post announcing Gmail's https-session option. "Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the internet as efficiently as unencrypted data. That's why we leave the choice up to you."

But the 37 researchers see things differently. "Once a user has loaded Google Mail or Docs in their browser, performance does not depend upon a low latency Internet connection," they write. "The user's interactions with Google's applications typically do not depend on an immediate response from Google's servers. This separation of the application from the Internet connection enables Google to offer 'offline' versions of its most popular Web applications."

Even where low latency matters, they say, outfits such as Bank of America, American Express, and Adobe have protected their sessions via https without a heavy performance hit. Adobe automatically encrypts Photo Express sessions.

Of course, another good example is...Google itself. The company does automatic encryption with Google Health, Google Voice, AdSense, and Adwords. "Google's engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense - we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default," the researchers write.

The problem, they say, is that everyday netizens don't realize the importance of encryption - and that Google fails to properly protect them from their own ignorance. Gmail now includes a setting that lets you "always use https." But the researchers complain that most users don't know it's there. And with Docs and Calendar, they point out, users can't use session encryption unless they remember to type https into their browser address bar every time they use the services.

They also take issue with Google's use of a single authentication cookie for all three services. Since users needn't reenter their usernames and passwords when they switch from one service to another, a miscreant who has captured a cookie on Docs can listen in on Gmail - even when Gmail's "always use https" switch is flipped on.

"This makes Docs and Calendar sessions the weakest link in the chain of security, and attackers can use this cookie information to steal far more important data that would otherwise have been protected."
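The weakest-link problem above comes down to one cookie attribute. A session cookie that is set without the Secure flag is attached by the browser to plain http requests for any matching host and path, so an https-only Gmail session gains nothing if the same cookie is also sent to an http Docs or Calendar page. The following checker is an added illustration, not code from The Register, the researchers, or Google; it parses Set-Cookie headers, applies the browser's scheme, domain and path rules, and reports which cookies would travel in the clear. The cookie names, the `example.com` hosts and the header values are constructed samples.

```python
"""Flag session cookies that a browser would send over plaintext http.

Added illustration for the shared-cookie problem discussed above. The
Set-Cookie headers and hostnames are constructed samples, not Google's.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # effective domain (the setting host if no Domain attribute)
    host_only: bool      # True when no Domain attribute was given
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str, set_host: str) -> Cookie:
    """Parse one Set-Cookie header value as sent by host `set_host`."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(),
                    domain=set_host.lower(), host_only=True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain":
            # A Domain attribute widens the cookie to the domain and all subdomains.
            cookie.domain = val.strip().lstrip(".").lower()
            cookie.host_only = False
        elif key == "path":
            cookie.path = val.strip() or "/"
    return cookie


def domain_matches(cookie: Cookie, host: str) -> bool:
    """Host-only cookies match exactly; domain cookies cover subdomains too."""
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def would_be_sent(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for `url`?

    The decisive check is the Secure attribute: without it, a cookie that was
    set on an https page is still sent on any http request that matches.
    """
    u = urlsplit(url)
    if u.scheme != "https" and cookie.secure:
        return False
    if not domain_matches(cookie, u.hostname or ""):
        return False
    return (u.path or "/").startswith(cookie.path)


def plaintext_exposures(headers: list, set_host: str, urls: list) -> list:
    """Return (cookie name, http url) pairs where the cookie would leak."""
    cookies = [parse_set_cookie(h, set_host) for h in headers]
    return [(c.name, url) for c in cookies for url in urls
            if url.startswith("http://") and would_be_sent(c, url)]


# Constructed sample: one domain-wide session cookie without Secure (the
# pattern the letter criticises) next to a hardened variant with Secure set.
SAMPLE_HOST = "accounts.example.com"
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",
    "SSID=def456; Domain=.example.com; Path=/; Secure; HttpOnly",
]
SAMPLE_HTTP_URLS = [
    "http://docs.example.com/",
    "http://calendar.example.com/render",
]

if __name__ == "__main__":
    for name, url in plaintext_exposures(SAMPLE_HEADERS, SAMPLE_HOST, SAMPLE_HTTP_URLS):
        print(f"{name} would be sent in the clear to {url}")
```

Run against the sample, only `SID` is reported, once per plaintext URL; `SSID` is withheld from both because of its Secure flag. The same check applied to a real service's Set-Cookie headers tells you whether an "always use https" setting on one product actually protects the session or whether a sibling product on the same domain still exposes it.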

If Google refuses to turn on https by default, the researchers say, the company should at least make sure that users understand the risks of encryption-less transmissions. There are four things they suggest:

  • Place a link or checkbox on the login page for Gmail, Docs, and Calendar that causes that session to be conducted entirely over https. This is similar to the "remember me on this computer" option already listed on various Google login pages. As an example, the text next to the option could read "protect all my data using encryption."
  • Increase visibility of the "always use https" configuration option in Gmail. It should not be the last option on the Settings page, and users should not need to scroll down to see it.
  • Rename this option to increase clarity, and expand the accompanying description so that its importance and functionality is understandable to the average user.
  • Make the "always use https" option universal, so that it applies to all of Google's products. Gmail users who set this option should have their Docs and Calendar sessions equally protected.

We have asked Google for a response to the letter, and once it arrives, we'll toss it your way. Odds are, it will be completely non-committal.

In defense of Google, the company does go farther than many other big-name web outfits. As the researchers point out in their letter, Microsoft Hotmail, Yahoo Mail, Facebook, and MySpace don't even offer an https option. But the 37 hold Google to a higher standard. "Google has made important privacy promises to users, and users naturally and reasonably expect Google to follow through on those promises." ®
Update

Google has responded with a blog post. "Free, always-on HTTPS is pretty unusual in the email business, particularly for a free email service, but we see it as another way to make the web safer and more useful. It's something we'd like to see all major webmail services provide," the company says. "In fact, we're currently looking into whether it would make sense to turn on HTTPS as the default for all Gmail users."

Like we said: non-committal.

InfoWorld: CIA's technology arm taps open source for enterprise search

by Elizabeth Montalbano

The company in charge of providing technology to the U.S. intelligence community has invested in an open source firm to provide enterprise search technology to the CIA and other intelligence agencies.

In-Q-Tel is investing in Lucid Imagination, which provides support, maintenance, training, and add-on software for the Apache Software Foundation's Lucene and Solr search projects. Lucene is an information retrieval library that can be used for full-text indexing and search. Solr is an enterprise-search server based on Lucene.

The companies did not disclose the nature of the investment but said that it is aimed at making Lucid's open source enterprise search software more prevalent in the U.S. intelligence community.

Lucid officially launched in February after securing initial funding in October of last year, said Anil Uberoi, chief marketing officer of the fledgling company.

"You can think of us as the Red Hat of Lucene," he said, providing support and maintenance to customers who want to use Lucene and Solr for enterprise search. In fact, many of the leading developers who commit code to those projects are the founding technical members of the company, he said.

In-Q-Tel handles technology requisitions for about 18 organizations, including the CIA and the U.S. intelligence community at large, Uberoi said. Many of these organizations have wanted to use the Apache Lucene and Solr projects to do enterprise search, but were hesitant to do so without official vendor backing, he said.

"They were very nervous about not having a commercial entity to support this," Uberoi said.

Indeed, search analyst Stephen Arnold in a blog post said that several intelligence organizations already have been using Lucene and Solr for enterprise search, and having Lucid to back their investments gives it the green light for more mission-critical applications.

"With Lucid Imagination, a well-funded commercial entity offering certified distributions of Lucene and Solr, SLA-based support subscriptions, training, high-level consulting and value-added software, both new and existing users now have access to enterprise-grade support and services to optimize their enterprise search efforts," he wrote.

According to Lucid, the Lucene/Solr technology is downloaded more than 9,000 times per day, and more than 4,000 organizations are using the software for enterprise search.

CNet: Widgets are dead, long live widgets

by Dave Rosenberg

Widgets, portable pieces of Web code, have become synonymous with interactive Web page components; often Flash-based games and ads, they can stick out like a sore thumb. Functions are great, but they need to be seamless.

Instead of just offering a page function, the widget technology is turning out native applications that blend seamlessly with newsfeeds and spread virally through friend lists. Accordingly, the w-word had to go and this morning iWidgets became Transpond. Transpond, a word that actually doesn't mean anything, calls to mind words like "translate" and "respond," more positive connotations than the has-been widget.

Widgets have moved to the wrong side of the hype cycle while apps have their own catch phrase ("There's an app for that."). Meanwhile, the underlying trend that powers what Transpond founder Peter Yared calls "the atomization of the Web" remains strong.

Transpond offers an easy-to-use platform for creating native applications for Facebook, MySpace, and iGoogle, and it's been humming along since its launch (as iWidgets) last summer. The company has big-name customers including CBS, CNN, Lifetime Television, and Revision3, all of whom have turned to the platform to get their content onto social networks.

Content publishers, marketers, and businesses can no longer slap up a Web site and expect to have an audience. Content has to find its audience wherever they happen to be, whether it's hanging out on Facebook or fiddling with their iPhone. Be it via widget or app, delivering the right content in the right way (with a bonus for interactivity) is the only thing that really matters.

Posted at 16 Jun @ 3:27 PM by Elena_Levashova | 0 Comments


Copyright 1994-2009 Sun Microsystems, Inc.