Like Fox Mulder in the “X-Files” Google is fighting the future when it comes to securing email search and other Web services.
The search engine provider, which last month made HTTPS encryption its default security mode for search, said it has added forward secret HTTPS for Google+, Gmail, SSL Search and Docs, paving the way for more secure Web services in the future.
Most major sites that support HTTPS, such as Facebook and Twitter, do so in a non-forward secret fashion. What this means is that encrypted, normally unreadable email could be recorded while being delivered to a computer today and decrypted in the future by knowledgeable attackers, when computers become much faster.
Google said forward secret HTTPS is now live for Gmail and many other Google HTTPS services such as SSL Search, Docs and Google+.
Google’s Chrome and Mozilla’s Firefox Web browsers and Microsoft Internet Explorer (Vista or later) browsers support forward secrecy using elliptic curve Diffie-Hellman (ECDHE), a key agreement protocol that allows two parties possessing an elliptic curve public-private key pair to establish a shared secret over an insecure channel.
Only Chrome and Firefox will initially use it by default with Google services because Microsoft Internet Explorer does not support ECDHE and the RC4 software stream cipher.
Users can check whether they have forward secret connections in Chrome by clicking on the green padlock in the address bar of HTTPS sites. Google’s forward secret connections will have a key exchange mechanism of ECDHE_RSA.
Google Security team member Adam Langley also said Google has released the work that it did on the open-source OpenSSL library that led to forward secrecy HTTPS encryption.
“We would very much like to see forward secrecy become the norm and hope that our deployment serves as a demonstration of the practicality of that vision,” added Langley, who provided more detail of Google’s security move on his personal blog.
Google’s security team has been very active in trying to thwart some of the more mainstream attacks on its Web services.
In April, Google began work on two security projects to improve the public key infrastructure, which was rocked by the Comodo digital certificate spoofing incident in March.
The Google Certificate Catalog is a database of all of the SSL certificates Google’s Web crawlers record in the DNS for the company’s search engine and Web services. The DANE Working Group at the IETF is intended to allow domain operators to publish information about SSL certificates used on their hosts.
Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…
Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC
Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…
Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…
Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…
Elon Musk continues to provoke the ire of various leaders around the world with his…