Google Previews Gmail Encryption

Google I/O 2014: 8 Things To Watch

Google on Tuesday introduced software called End-to-End to encrypt Gmail messages in transit and simultaneously published data about encryption usage by email providers, as if to shame companies with indifferent security practices.

In a blog post, Google security product manager Stephan Somogyi characterized the company's effort simply as an attempt to "help make this kind of encryption a bit easier."

But Google's action follows a year of revelations about the extent to which intelligence agencies can access electronics communications. The documents leaked by former NSA contractor Edward Snowden have made businesses and individuals reticent about trusting their information to third-party service providers.

Thus we find Google encouraging other online service providers to do more to protect customer data. By naming names -- last month, less than 1% of email sent from Gmail to comcast.net addresses remained encrypted, for example -- Google may be able to hasten industry adoption of encryption and restore faith in cloud computing, upon which much of its business depends.

[Gartner's annual competitive positioning graphic shows challenges ahead for some vendors. Read Gartner's Magic Quadrant 2014 For Cloud: Winners And Losers.]

But Google cannot unilaterally secure the Internet. In its Transparency Report, the company acknowledges that while encryption makes snooping on messages in transit more difficult, it does not make it impossible. In addition, email messages can be read once they've been delivered, through malware or other means.

According to Google, 69% of messages from Gmail to other providers, and 48% of messages sent to Gmail, support encryption through Transport Layer Security (TLS).

Google's gambit appears to be working already. On Tuesday, Comcast said it is testing encryption for customers' email messages and intends to begin deploying the technology in a matter of weeks.

Google's embrace of encryption will have a downside for the company: Messages encrypted on Google's servers cannot be scanned, eliminating their use as a source of ad-targeting data. However, given how much Google already knows about its users and the fact that it expects only the security-conscious minority to install its encryption software, the company's ability to target ads isn't likely to be much degraded.

Google's encryption software is not yet ready for mainstream use. The company is offering it as alpha code so it can be tested. Those who find bugs in the code can submit them for a possible reward through the company's Vulnerability Reward Program.

When End-to-End is ready to be released, Google plans to offer it through its Chrome Web Store as a Chrome browser extension. End-to-End is based on OpenPGP, an open protocol for encrypting messages through public key cryptography.

Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant?Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls. (Free registration required.)