Starting in 2004 with Gmail, look below for everything we know about end-user encryption at Google.
Graphic by VentureBeat’s Eric Blattberg.
Google’s experiments with encryption began early, with a hidden SSL feature in Gmail that debuted in 2004. It required a URL tweak: People needed to add an “s” to the URL bar to trigger an SSL connection.
In 2010, Google made SSL encryption default in Gmail. In 2011, Google began encrypting search for signed-in users. Then in 2012, Google made SSL an automatic feature for those in the U.S. One year later, Google started rolling out SSL encryption globally in search.
By November, Google encrypted its entire internal network. Last month, Google made Gmail HTTPS-only. Most recently, VentureBeat reported that Google is working to make complex encryption tools, such as PGP, easier to use with Gmail.
Meanwhile, the firm claims it has taken numerous additional steps to secure users, according to a person familiar with the matter at Google (we don’t have specific dates for the following initiatives).
- Google doubled the length of its RSA server keys and changes them every few weeks.
- Google has deployed Perfect Forward Secrecy based on elliptic curve cryptography.
- Google started a project, Certificate Transparency, to address structural flaws in the SSL system.
Google has “research underway to improve the usability of PGP with Gmail,” VentureBeat reported this morning. Yet, end-to-end encryption poses incredible usability challenges.
Google is attempting to balance an approachable experience with security. Unsurprisingly, the practical requirements of Google’s mainstream services are holding back the potential level of privacy Google could offer. Cryptographic standards — particularly key-based systems — are historically difficult to use. Standards like PGP have just as good a chance of securing users as they do of confusing users and rendering services like Gmail useless.
This battle is not unique to Google.
As for Google’s challenge, it’s not enviable. It’s clear that the firm is still reacting to the ongoing mass surveillance controversy which came to light last year. For now, this is what we know. As for what else Google should do, it’s worth checking in on the opinions of security experts at firms like Shape Security, OWASP, Ionic Security, and AnchorFree.