Google Seems To Have Abandoned End-To-End Encryption For 'Hosted' S/MIME Encryption In Gmail

[Lucian Armasu]

Google adopted S/MIME encryption for the enterprise version of Gmail, but it comes with a compromise: The encryption is no longer end-to-end, and Google can decrypt all S/MIME emails.

Google Seems To Have Abandoned End-To-End Encryption For 'Hosted' S/MIME Encryption In Gmail : Read more

 

[ledhead11]

Lucian

Any idea on how this will affect their HIPPA certification for enterprise clients?

 

[slate33]

This analysis isn't quite right.

First of all, users are more than welcome to use S/MIME with gmail, I know that I have for years. The problem is that the messages then aren't accessible to anyone using the web front end, you need to read them using IMAP and a reader that supports S/MIME, as pretty much all current readers (Mail.app, Outlook, Thunderbird, iOS mail reader, etc...) do.

For those who don't want to bother with any of this, Gmail is essentially saying that they will make their web front-end an S/MIME supporting reader, BUT this requires that they host your keys so that they can do this. So if you are communicating with someone who does S/MIME using something like Mail.app, then your side of the conversation is visible to Google, but their side is not visible to their mail provider.

So this just allows the web front-end users to not automatically force everyone else's communications to be downgraded on their end, which is definitely a huge improvement over the status quo.

 

[schwatzz]

Use protonmail

 

[leoscott]

Also makes it easier for Google to comply with NSAs.

 

[tsnor]

@lucian_armasu Another interesting article. I really like SLATE33 's perspective. Consider re-spinning the article with the input that (1) web browser access to S/MIME is really difficult without the server getting the mail in the clear and (2) stating whether gmail continues to support S/MIME with end to end encryption for people who do not need web access.

 

[alextheblue]

"Back in 2014, and soon after Edward Snowden made public the extent of the NSA’s mass surveillance, Google started working on an end-to-end encryption tool called, appropriately, “End-to-End.” The company seemed furious that the NSA broke into its network and monitoring every packet going through its unencrypted internal network. "

Yeah, more like they were upset that it leaked publically that the NSA was monitoring their internal unencrypted traffic. So they were forced into it. I mean it was a huge weakness, especially in shared facilities.

 

[rantoc]

Yeah google wants to know _Everything_ about you and true end to end encryption would not serve their purpose nor their bed buddies at nsa...

 

[johan65]

Who needs gmail? There are plenty of encrypted email providers such as mailfence.com