
I have always heard that email is an insecure method of communication; I assume this has something to do with the email protocol itself.

But when sending an email from one Gmail account to another, Google has complete control over how the email is transmitted, and Google seems decently concerned about information security. So it seems that they could, if they wanted, turn Gmail-to-Gmail messages into a secure communication channel and that this would probably be in their best interest.

So have they done this? If not, why not? Is Gmail-to-Gmail communication still insecure (for the purpose of, say, sending a credit card or social security number to a trusted recipient)?

kelalaka
Kyle Strand

  • Only as much as you trust Google. – Alec Teal Aug 17 '15 at 19:42
  • Any email that does not use PGP is insecure. Unless you are sending encrypted stuff in the email; in this case you can assume it's safe (e.g. sending an encrypted doc on gmail) – Freedo Aug 17 '15 at 22:48
  • Is the recipient of the email auto-forwarding his messages to a non-gmail account? – Carlos Campderrós Aug 18 '15 at 08:43
  • Google is unquestionably parsing/reading your e-mail. They say so themselves: https://support.google.com/mail/answer/6603?hl=en – Ogre Psalm33 Aug 18 '15 at 13:30
  • @CarlosCampderrós By "trusted recipient," I mean (among other things) someone (or some automated system) which you trust *not* to do this. – Kyle Strand Aug 18 '15 at 15:45
  • Don't forget that [Google employees have been caught spying on users' e-mails, chats, and voice calls](http://www.wired.com/2010/09/google-spy/). For all their encryption and security, if you can read it, an unscrupulous employee can read it. The only ones we have heard about are the ones who were stupid enough to brag about it to their victims. – Steven K Aug 19 '15 at 00:24
  • +Freedom S/MIME? – bot47 Aug 19 '15 at 04:06
  • If you want email security you have to use PGP. – Elliot Gorokhovsky Aug 20 '15 at 01:50
  • Even using PGP isn't an email panacea, someone can still see who you're communicating with & know the **metadata**, and *["The U.S. government "kill(s) people based on metadata," but it doesn't do that with the trove of information collected on American communications"](http://abcnews.go.com/blogs/headlines/2014/05/ex-nsa-chief-we-kill-people-based-on-metadata/)* not because they *couldn't*, but because they *don't want to*, (today at least)... and if you're outside "America"... – Xen2050 Jan 18 '16 at 19:01
  • The sad fact is that whilst they can place a targeted ad if they think you want to buy a car, they apparently can't/won't report if they think you want to buy a bomb. – Phil Lello Mar 21 '16 at 19:48

6 Answers


Email is historically considered insecure for two reasons:

  • The SMTP network protocol is unencrypted unless STARTTLS is negotiated, which is effectively optional
  • The mail messages sit unencrypted on the disk of the source, destination, and any intermediate mail servers

Google mail servers all speak STARTTLS if possible, so for gmail-to-gmail the transmission step shouldn't be a concern. However, the sending server stores an unencrypted copy of the email in your Sent folder. The receiving server stores an unencrypted copy in the recipient's Inbox. This leaves them open to various threats:

  • Rogue Google employees reading that email
  • Google choosing to read that email despite their assurances to the contrary
  • Governments forcing Google to hand over that email
  • Hackers breaking into Google and accessing that email

If you can trust everything to go right, then gmail-to-gmail is perfectly secure. But you can't always expect everything to go right.

For these reasons, the security and privacy community long ago reached the stance that only end-to-end email encryption is secure. That means the email remains encrypted on server disks and is decrypted when you're reading it, and never stored decrypted.


There have been an enormous number of comments, so let me expand/clarify a few things.

End-to-end encryption - in the context of email, when I say end-to-end encryption I mean something like PGP, where the message is encrypted until it reaches the recipient's email client, and only decrypted to be read. Yes, this means it can't be searched on the server, and often also means it doesn't remain "backed up" on the server either. This is a case where security and functionality are at odds; pick one.

Security and privacy community - unlike many Information Security topics, email security is one that extends out to other communities. The question of what stateful inspection in a firewall means is not something often extended out to interest others, for example. But email security is of direct, significant interest to

Forget about credit card data, there are people trying to communicate with email whose lives, and the lives of their families, depend upon the security of the email. So as there are phrases in the comments below like "depends upon what your standards are for 'secure'", "sufficiently motivated adversary", "there is an illusion of security at the email-level" - am I being too strong to say the server can't be trusted? Not for people whose lives are at stake. That's why the phrase "email is insecure" has been the mantra of the privacy movement for 20 years.

Trusting the server - In the US, "your cap for liability for unauthorized charges on a credit card is $50" so you may well be happy trusting the server with your credit card. If you're cheating, on the other hand, you might lose a lot more as the result of leaving unencrypted email on the server. And will your service provider shut their doors to protect your privacy? Probably not.

STARTTLS - STARTTLS is SSL for email; it uses the same SSL/TLS cryptographic protocol to encrypt email in transit. However, it is decidedly less secure than HTTPS for several reasons:

  1. STARTTLS is almost always "opportunistic", meaning that if the client asks and the server supports it, they'll encrypt; if either of those things are not true, the email will quietly go through unencrypted.
  2. Self-signed, expired, and otherwise bogus certificates are generally accepted by email senders, so STARTTLS provides confidentiality but almost none of the authentication. It's relatively trivial to Man-In-The-Middle email if you can get in between servers on the network.
gowenfawr

  • Thanks! Is there any reason why Google hasn't moved to an end-to-end encryption methodology, since access to the inbox and the 'sent' folder is typically only permitted via the GMail interface anyway? – Kyle Strand Aug 17 '15 at 17:48
  • @KyleStrand, "end-to-end" in this case means "user-to-user" because if the encryption keys are stored on the server, then all four of the threats to stored email listed above still apply - see also [this answer](http://security.stackexchange.com/questions/96838/encrypt-data-stored-in-a-database/96842#96842). Again, 'historically', the people talking about secure email have been strong privacy advocates - some of them quite legitimately on the paranoid end of the spectrum - leading to an "all-or-nothing" (or perhaps "perfect-isn't-anything-else") worldview. – gowenfawr Aug 17 '15 at 17:59
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/27144/discussion-on-answer-by-gowenfawr-is-gmail-to-gmail-still-insecure-why). – Rory Alsop Aug 19 '15 at 15:24
  • "The mail messages sit unencrypted on the disk of the source, destination, and any intermediate mail servers". Is there something that prevents disk encryption? Or data encryption? I think you are speculating a great deal on that point. – UnhandledExcepSean Aug 19 '15 at 18:11
  • @Ghost disk/data encryption is not adequate in this threat model - if the mail server software can read the email to perform searches and to send to the browser, then lots of other entities can too. If Google has disk encryption in place, it protects against the disk being carried out the door and stolen, but little else. It's not so much speculation - because indeed any one mail provider might encrypt different things - as realizing that encryption doesn't help in this case. – gowenfawr Aug 19 '15 at 18:39

A lot of this hinges on what you mean by "insecure".

Traditionally e-mail was considered an insecure transport as it was transferred over an unencrypted protocol (SMTP) and typically you had limited control over how the e-mail actually reached its destination, so you wouldn't necessarily know about the security of the systems that it traversed.

These days most modern large e-mail providers use encrypted transfer protocols (generally SMTP + SSL), which removes the concern about the e-mail being sent over the Internet in the clear; however, for general Internet e-mail the concern about not knowing what systems will process the mail on the way to its destination remains.

In your case you would seem to know that as it'll be google sending and receiving, so it's not likely to leave their control.

A couple of potential concerns remain.

  1. Do you trust Google? Presumably you do as you're using their mail service, but it goes without saying that they could theoretically get access to your mail.
  2. Security of the mail once it reaches its destination. You may not have control over how the recipient stores/processes the mail and that could result in it being held insecurely (e.g. being downloaded to an unencrypted mobile client, stored on an unencrypted PC etc). Also e-mails tend to get forwarded on, so there's always the risk that someone sends it to another party who's not hosted on google.

If you're satisfied in both those regards then generally yep I'd say there's nothing wrong with using e-mail for general data transfer. The one other point I'd mention is that specifically for things like Credit card data, if you're a business you'll have compliance concerns (e.g. PCI) and they may well preclude the use of e-mail.

Rory McCune

The Snowden revelations showed that the NSA had tapped into the fibre cables connecting Google's datacenters together. You can refer to the image below and make your own deductions about whether anything on Google's network is actually secure.

[Image: diagram annotated "SSL added and removed here"]

They may have improved the situation since then, but it would be hard to prove to customers exactly what they've done to improve security on their network and that the government no longer have full access. You would have to take their word for it. If you want real security you should use open source end-to-end encryption where only the sender and receiver have the private keys and all encryption/decryption is done client side. There are a number of new webmail services around for this or you can always use the classic GnuPG.

NDF1

  • Is there any way to know when "then" was? I.e., how old is this picture? (It's presumably older than the Guardian article...) Also, what exactly *is* this diagram? Is it some kind of internal NSA memo? – Kyle Strand Aug 19 '15 at 16:30
  • Google was very public about their efforts to encrypt traffic between their data centers as a result of this revelation. – schroeder Aug 19 '15 at 19:38
  • @schroeder There comes a point where you have to pick one of honesty, bluff, double bluff, triple bluff... I'm sure there's at least one organised crime or intelligence agency willing to bribe/blackmail/coerce a suitably placed employee so it become a moot point. – Phil Lello Mar 21 '16 at 19:41

In addition to the other excellent answers, there is one more concern: just because the sender and the final destination are both on gmail does not mean that the email remains within Google.

If the recipient uses his own domain name, it is entirely possible that he routes his emails through an external server before feeding it back into Google. Gmail may detect this and directly deliver the email, or it may follow the MX record to the external server before sending the email back into Google.

Kevin Keane

All the other answers are concerned with someone reading your e-mail. However, that isn't the only concern - you also care about the identity of the sender. And that's another great weakness of e-mail - by default, there is no way to verify the identity. The sender is the one who supplies the "From" address, and I can easily send e-mails "from" bill.gates@microsoft.com. You have no way of knowing if I'm really Bill Gates.

Fortunately, many e-mail providers have already implemented some measures to alleviate this. For example, many will flag the e-mail as spam if the domain involved doesn't have the SMTP server you used for sending the e-mail in its MX records. Faking an internet IP address is much harder than faking the From header, and the same applies to faking the DNS records. Some will not allow you to send an e-mail with From being an address that doesn't belong to you (usually, it's either outright forbidden, or you need some sort of confirmation on the e-mail address) - this includes GMail, so GMail<->GMail e-mails ensure the correct identity. Of course, you need to pay attention - for example, I could still use Bill Gates as the From "name", while keeping the address malicioushacker@gmail.com, or I could try getting a domain that doesn't look too suspicious on first glance (e.g. bill.gates@micorsoft.com). Unicode domain names are probably going to be a lot of fun in this regard :)

Many e-mail clients will also allow you to both sign and encrypt the e-mail, which ensures both the identity and the safety of contents. Of course, you need to know you can trust that given certificate in advance, and you need the proper key to decrypt the e-mail. It's especially useful for e.g. companies, which can have root certificates that are trusted, so any child certificates are implicitly trusted as well. However, even if you only have the e-mail to go on, it's rather easy to ensure the safe exchange of keys - it just requires a few e-mails back and forth (though there's still ways to break this with MITM).

Luaan
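A receiving-side filter for the three From: header tricks Luaan describes (a borrowed display name, a typo-squatted domain, a Unicode domain), as an added example that is not part of the answer. The trusted-domain set, the protected-name map and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed for the example: domains treated as authoritative, and a few
# well-known sender names mapped to the only domain they should appear with.
TRUSTED_DOMAINS = {"microsoft.com", "gmail.com"}
PROTECTED_NAMES = {"bill gates": "microsoft.com"}


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, threshold=0.85):
    """Trusted domain that this one closely resembles but is not, else None."""
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= threshold:
            return trusted
    return None


def check_from(header):
    """Return findings for one From: header value (empty list = nothing odd)."""
    name, addr = parseaddr(header)
    dom = domain_of(addr)
    findings = []
    # Trick 1: a familiar display name in front of an unrelated address.
    expected = PROTECTED_NAMES.get(name.strip().lower())
    if expected and dom != expected:
        findings.append(f"display name '{name}' but address at {dom}")
    # Trick 2: a domain one typo away from a trusted one.
    near = lookalike(dom)
    if near:
        findings.append(f"{dom} resembles {near}")
    # Trick 3: non-ASCII characters in the domain; the punycode form is
    # what DNS and the receiving server actually route on.
    if any(ord(c) > 127 for c in dom):
        findings.append(f"non-ASCII domain, punycode {dom.encode('idna').decode()}")
    return findings


if __name__ == "__main__":
    for hdr in ("Bill Gates <bill.gates@microsoft.com>",
                "Bill Gates <malicioushacker@gmail.com>",
                "Bill Gates <bill.gates@micorsoft.com>"):
        print(hdr, "->", check_from(hdr) or "ok")
```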

The OP asks:

"So it seems that they (Google) could, if they wanted, turn gmail-to-gmail messages into a secure communication channel, and that this would probably be in their best interest."

No doubt Google "could" turn Gmail into one of the most secure email services around. They clearly have the resources. But to answer the OP's question -- No, this would NOT be in their best interest!!!!! Remember, their business model is to provide all sorts of internet services free of charge to the end user. They make their money by collecting the end user's data (email content, GPS location, search queries, etc.) to develop a profile that they can sell to advertisers. This means your business is literally Google's business. Google will ALWAYS be looking through your stuff, they will always store your stuff, and they will always be giving it to 3rd parties. They have to. It's how they pay the bills. Moreover, since Google maintains the key to any encrypted information they can and will turn it over if subpoenaed by the government or even private parties. This is not the case for services that "throw away" the encryption key. If you require security look for companies that don't profit from your personal information.

If you feel the need to distribute your financial information electronically then why not use services that are designed for security (e.g. proton mail) Wickr, or even iMessage (they throw away the encryption key). Also, break up the numbers into separate messages so an unintended reader can not easily recognize it is as a CC number.

If you have a specific interest in credit cards, you will note this article highlighting Google's long history of at least inadvertently distributing credit card numbers: http://www.toptal.com/web/with-a-filter-bypass-credit-card-numbers-are-still-still-google-able

paamachat

  • Google AdSense does not sell a "profile" to advertisers--Google attempts to automatically display relevant ads based on *internal* analysis of your data. And they certainly aren't giving "your stuff" *to* third parties! – Kyle Strand Aug 19 '15 at 19:25
  • Generally a useful answer, but that one fact is so wrong, it's hard to upvote – schroeder Aug 19 '15 at 19:39
  • If that distinction makes you feel secure then so be it. The advertiser knows the demographic they've asked for, and if you click on an ad they know that you fit that demographic. Bottom line: If you use Gmail, especially in combination with the Google/Android ecosystem they know where you are 24/7, what/where you are buying, who you are calling, emailing, & texting, content of the communication, what you are searching/reading, etc. They store that info forever and have a business model that promotes sharing your data. Not to mention their centralized database is a hacker's dream. – paamachat Aug 19 '15 at 19:47
  • The overarching point is that Google's commitment to your security is not a function of their technical skills. The level of security is limited by their business model. Up- or down- vote that :) – paamachat Aug 19 '15 at 19:56
  • The distinction between "someone clicked on this ad" and "here's someone's credit card number" is incomprehensibly vast. I'm not sure why you'd even argue the point. – Kyle Strand Aug 19 '15 at 20:58
  • @Kyle Strand I NEVER stated that Google released credit card information. NOT EVEN CLOSE! You then use this falsehood to devalue my main comments? I trust your statement was an unintended error, one that you will readily correct for the record? If not, you are exposing an agenda, not an interest in honest discussion. – paamachat Aug 20 '15 at 02:05
  • I mentioned "sending a credit card...number" in my question, and you said in your answer that "Google will ALWAYS... store your stuff, and they will always be giving it [your stuff] to 3rd parties." I don't really see a reasonable interpretation of this statement that *doesn't* mean that Google releases credit card information. So please drop the accusations. – Kyle Strand Aug 20 '15 at 02:51
  • @Kyle Strand I clearly defined the stuff I was referring to as "email content, GPS location, search queries, etc.". So I assume we agree that nobody is accusing Google's business model as one built on credit card fraud….although if you have an interest in credit cards, you will note this article highlighting Google's long history in at least inadvertently distributing credit card numbers: http://www.toptal.com/web/with-a-filter-bypass-credit-card-numbers-are-still-still-google-able – paamachat Aug 20 '15 at 04:07
  • Doesn't "email content" include credit card numbers, especially in the context of a question that explicitly mentions this possibility? – Kyle Strand Aug 20 '15 at 04:09
  • The point is clear. If google has your CC number via some sort of purchase, then nobody is accusing them of directly selling your number. If they unknowingly have the digits of your CC embedded in an email then it is no more or less secure than any other email content. If you feel the need to distribute your financial information electronically then why not use services that are designed for security (e.g. proton mail) Wickr, or even iMessage (they throw away the encryption key). Also, break up the # into separate messages so an unintended reader can not recognize it is a CC number. – paamachat Aug 20 '15 at 04:22
  • Just fix your answer. You do *not* know that giving "your stuff" to third parties is part of Google's business model. – Kyle Strand Aug 20 '15 at 14:50
  • @Kyle Strand As I've said but here's more detail…Advertiser pays Google for ads that are directed SOLELY to people whose personal information fit criteria a 3rd party is interested in. Google directs the ads to just those people. Someone clicks on said ad. Now the 3rd party has your IP, AND thanks to Google they now know your personal information meets the requested criteria. Done. Your data/"stuff" was just provided by Google to a 3rd party in exchange for cash. Case closed. Even worse, when you buy something the 3rd party now knows your name along with your information. – paamachat Aug 20 '15 at 20:27
  • If you think the information Google provides is not sufficiently detailed - read these articles. You will see how statisticians reassemble a picture of you based upon the type of information Google sells. It obviously works or Google wouldn't be taking in $14 billion/year. And Google has more on you than virtually any competitor: http://www.slate.com/blogs/how_not_to_be_wrong/2014/06/09/big_data_what_s_even_creepier_than_target_guessing_that_you_re_pregnant.html?wpsrc=sh_all_dt_em_bot http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?_r=0 – paamachat Aug 20 '15 at 20:45