Comments on: The Costs of SSL Encryption for Webmail & Other Cloud Services

By: The Progress & Freedom Foundation Blog

The Progress & Freedom Foundation Blog — Wed, 12 Aug 2009 15:48:06 +0000

If NCMEC's Going to Regulate the Internet for Child Porn, It Should At Least Be Subject to FOIA...

Last year, my colleague Adam Thierer asked whether State AGs + NCMEC = The Net's New Regulators? Adam noted that NCMEC, the National Center for Missing and Exploited Children, a private non-profit organization, was playing a law enforcement role in......

By: If NCMEC’s Going to Regulate the Internet for Child Porn, It Should At Least Be Subject to FOIA

Sun, 09 Aug 2009 21:10:21 +0000

[...] my differences with Chris, he’s often right and may be here, too. He’s certainly right that Congress is unlikely [...]

By: Facebook v. Google v. the Techno-Aquarians | The Technology Liberation Front

Sat, 27 Jun 2009 19:18:54 +0000

[...] Yes, Virginia, the marijuana-induced socialist-utopian delusions of the Sixties live on in a new generation of Techno-Aquarians, who want to have their digital cake—and eat yours too. Something for nothing, free lunch for everyone! Down with profit, up with privacy! The “vision” (as in “Golden living dreams of”) behind this frenzy of frustration with online capitalism and PETD’s demands for regulation is what Thomas Sowell has called the “Vision of the Anointed,” “the talented few” who consider themselves wiser than everyone else, and therefore seek to impose their preferences on others, as Adam Thierer and I have both discussed. [...]

By: Blayne Sucks » Blog Archive » Using the Tools We Have

Blayne Sucks » Blog Archive » Using the Tools We Have — Sat, 27 Jun 2009 03:25:31 +0000

[...] Google is “looking into whether it would make sense” only recently, perhaps because of a letter organized earlier this month by Chris Soghoian and signed by numerous computer security [...]

By: Berin Szoka

Berin Szoka — Thu, 18 Jun 2009 08:48:34 +0000

I'm just saying we have always have to be careful to avoid casting technological silver-bullets tools, no matter how effective or important, as "Solutions" (to use Sowell's phrase).

Yes, indeed, I'm hating on mandatory seatbelt laws. Yes, I realize that baiting libertarians into trashing things like mandatory seatbelt laws, the Post Office monopoly and government roads is just about the oldest trick in the book, but in this case, I'm quite serious: Fetishizing safety can actually reduce safety.

As for SSL, again, I use it too. I hope it takes off across the industry. I just hope we all realize that it won't be free and that there will be a price.

By: Chris Soghoian

Chris Soghoian — Thu, 18 Jun 2009 08:37:42 +0000

Why should we provide users with SSL protection when their emails are sent in plain text between providers?

1. If Google uses SSL by default, then email messages sent from one Google Mail user to another Google mail user will be secure (except for police requests or insiders) because the mail will not leave Google's servers. Likewise for intra-Yahoo and intra-Facebook.

2. If you use SSL to connect to a webmail provider, you email only flows over unencrypted links to the ISP of the recipient, which is often another major webmail provider. Yes, these mails can be intercepted along the way, but this requires the attacker to be able to sniff the Internet backbone -- i.e. only the NSA, or someone working for a Tier 1 ISP. Whereas, non-SSL protected webmail sessions can be sniffed by anyone with a laptop and a packet sniffer sitting near you in the cafe.

3. Emails can be read as they flow over the network between mail servers. This is true. As a result, an attacker can sniff individual messages as long as he is listening.

However, when users login to webmail providers via HTTP (and not https), the authentication cookies for their accounts also flow over the network. This allows an attacker to login to the victim's email account, and go and view old messages already saved in the user's account. Thus, the amount of a user's private data available to the attacker when he breaks into a webmail account is significantly higher than just sniffing an email or two in transit.

4. Berin -- you are now arguing that SSL will give users a false sense of security? Surely what Google does right now (shouting from the rooftops about its security and the safety of its systems, when it actually doesn't offer much at all by default) is the true source of a false sense of security.

5. Seriously dude, you are hating on seatbelt laws?

By: Berin Szoka

Berin Szoka — Thu, 18 Jun 2009 04:48:34 +0000

By: Chris Soghoian

Chris Soghoian — Thu, 18 Jun 2009 04:37:42 +0000

By: Berin Szoka

Berin Szoka — Thu, 18 Jun 2009 03:48:34 +0000

By: Chris Soghoian

Chris Soghoian — Thu, 18 Jun 2009 03:37:42 +0000

By: Berin Szoka

Berin Szoka — Wed, 17 Jun 2009 19:23:31 +0000

Excellent point! In fact, one might wonder whether lulling webmail users into a false sense of security might actually reduce overall security by encouraging them to send very sensitive information by email. Similarly, the best argument against mandatory seat belt laws is that they encourage drivers to drive less carefully and thereby increase total fatalities—especially since, while the driver now wearing a seatbelt may somewhat safer but less careful, other drivers on the road may still not be wearing seatbelts, but suffer from the first driver's increased carelessness. The same dynamic might exist with email because it is a one-to-many medium (rather like driving on the road with lots of other people): If I think my email is more secure, I might be more likely to send my social security number over email. Even if my webmail provider really is more secure because of the use of SSL, my recipients' may use less secure webmail providers, so my data may still be vulnerable.

By: quanticle

quanticle — Wed, 17 Jun 2009 18:48:59 +0000

What's the point of encrypting the connection from the user's computer to the mail server via SSL, when all mail between mail servers is transmitted unencrypted?

I think a better option would be for users to view e-mail as an insecure communication protocol. As a colleague of mine once said, "Sending something via e-mail is functionally equivalent to sending it via a postcard. Whatever you write is going to be viewable by any mail server admin that comes across the message." Implementing HTTPS on client connections isn't going to patch basic insecurities in a mail transfer protocol that was conceived at a time when all users on the network were trusted.