[Cryptography] Google "End to End"

Phillip Hallam-Baker phill at hallambaker.com
Sun Jun 8 07:48:17 EDT 2014


On Fri, Jun 6, 2014 at 1:00 PM, Peter Trei <petertrei at gmail.com> wrote:

> They're very aware of the criticism they'll get for doing crypto in JS. They
> feel they're protecting data in transit, and the sandboxing protects them
> against other Chrome extensions. They explicitly don't claim protection
> against non-browser malware.
>
> Security bugs you find are eligible for the Vulnerability Awards program.
>
> To me, one of the interesting aspects is that this breaks part of Google's
> business model; they won't be able to scan message bodies for keywords on
> which to target advertising.

I did wonder why they were doing PGP when most actual use of
end-to-end email is S/MIME. Turns out the two systems have roughly
equivalent userbases; the number of certs issued by CAs is roughly the
same as the number of PGP keys registered. But we know that there are
government users required to use S/MIME every day.

But given the limits of working in JavaScript, maybe it is a good
thing to start with the userbase that is not doing the mission
critical stuff for an employer.


But the main thing is that they are telling people not to worry about
their business model.

I have talked to a lot of Google folk about doing end-to-end secure
email in Webmail and none of them has raised their business model as a
concern.

