The Future Of SSL

Google announced the other day that it will now enable HTTPS by default on Gmail. Previously a user had to either manually type in HTTPS or change a setting to default to it, something most people likely never bothered to do. Google says it’s not related, but it seems oddly coincidental that this change coincides with its China announcement.

However Gmail using HTTPS is not the big story here.

The big story is that HTTPS is now being used in places where it was previously considered excessive. Once upon a time only financial information was generally sent over HTTPS. As time went on, so were most website login pages, though the rest of those sites often remained unencrypted. The reason for being so selective is that HTTPS is more costly to scale due to its CPU usage on the server side and its performance cost on the client side. These days CPU is becoming very cheap.

In the next few years I think we’ll see more and more of the web switch to HTTPS. If things like network neutrality don’t hold up, this trend could accelerate even faster, just as it did for P2P, which adopted MSE/PE to mask its traffic.

Like I said, these days the CPU impact is pretty affordable; however, the performance impact of the SSL handshake can be pretty substantial. Minimizing HTTP requests obviously helps. HTTP keepalive is a good solution, but it generally results in more child processes on the server, since they aren’t freed as quickly (read: more memory needed).

Mobile is a whole different ballgame, since CPU is still more limited. I’m not aware of any mobile devices that have hardware to specifically handle SSL, which does exist for servers. Add in the extra latency and mobile really suffers. Perhaps it’s time to re-examine how the various crypto libraries are optimized for running on ARM hardware. I think the day will come when performance over SSL will matter, as it becomes more ubiquitous.

Google Mail Fail

Found an interesting header when doing some tests with mail filtering:

Received: from qb-out-1314.google.com ([172.21.30.5])
        by mx.google.com with ESMTP id k29si2692710qba.7.2008.09.06.14.48.05;
        Sat, 06 Sep 2008 14:48:06 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) client-ip=172.21.30.5;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) smtp.mail=user@domain.tld
Received: by qb-out-1314.google.com with SMTP id d5so1543676qbd.6
        for <destination@example.com>; Sat, 06 Sep 2008 14:48:04 -0700 (PDT)

See the problem? Look closely. In particular look at this line:

Received-SPF: softfail (google.com: domain of transitioning user@example.com does not designate 172.21.30.5 as permitted sender) client-ip=172.21.30.5;

Look at that IP. RFC 1918 states that the “20-bit block” (172.16/12) is reserved for private internets. Google is softfailing emails because they’re sent through its own mail servers. Google’s own SPF record looks like this:

;; QUESTION SECTION:
;_spf.google.com.               IN      TXT

;; ANSWER SECTION:
_spf.google.com.        292     IN      TXT     "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"

I really don’t understand why Google is doing this. Their SPF checker should whitelist mail sent from their own servers. SPF is intended to verify the sender; when mail is relayed locally the check is pointless and can only be harmful. They can still do other spam checks.

From what I can tell, this seems to be happening about 50% of the time, meaning this is something deployed on some but not all Google clusters.
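The softfail above can be checked mechanically. The following Python script is an added illustration, not Google’s code and not part of the original post: it pulls the client-ip out of the quoted Received-SPF header, evaluates the ip4 mechanisms of the quoted _spf.google.com record against it, and flags the address as RFC 1918 private, which is why no public SPF record could ever list it. It is a deliberately flat evaluator (no include, a, mx or redirect handling), and note that the quoted record alone ends in ?all, so by itself it yields neutral; the softfail in the header comes from the full evaluation, which the page does not show.

```python
import ipaddress
import re

# Constructed from the header and DNS answer quoted in the post above.
RECEIVED_SPF = ("Received-SPF: softfail (google.com: domain of transitioning "
                "user@example.com does not designate 172.21.30.5 as permitted sender) "
                "client-ip=172.21.30.5;")
SPF_RECORD = ("v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
              "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
              "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all")

# SPF qualifier characters and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def client_ip_from_header(header):
    """Pull the client-ip= value out of a Received-SPF header."""
    match = re.search(r"client-ip=([0-9.]+)", header)
    if not match:
        raise ValueError("no client-ip in Received-SPF header")
    return ipaddress.ip_address(match.group(1))


def evaluate_flat_spf(record, ip):
    """Evaluate only the ip4 and all mechanisms of a flat SPF record.

    Simplified evaluator for illustration: include/a/mx/redirect are not
    followed, so it handles records shaped like the one quoted above.
    Returns (result, matched_mechanism).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"          # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier], "all"
        if term.lower().startswith("ip4:"):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip in network:
                return QUALIFIERS[qualifier], term
    # RFC 4408: running off the end with no match is "neutral".
    return "neutral", None


def diagnose(header, record):
    """Explain how a Received-SPF verdict relates to the published record."""
    ip = client_ip_from_header(header)
    result, matched = evaluate_flat_spf(record, ip)
    return {
        "client_ip": str(ip),
        # True for 10/8, 172.16/12 and 192.168/16: an internal relay hop,
        # which a public SPF record cannot meaningfully vouch for.
        "rfc1918_private": ip.is_private,
        "result": result,
        "matched": matched,
        "in_listed_ip4": matched is not None and matched != "all",
    }


if __name__ == "__main__":
    for key, value in diagnose(RECEIVED_SPF, SPF_RECORD).items():
        print(f"{key}: {value}")
```

Running it against the quoted header reports the client IP as private, matching none of the nine ip4 ranges, which is exactly the situation the post describes: the check is being applied to an internal hop instead of the real sender.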

Gmail’s Remote Signout And Logging

Google has recently upped their profile in regards to security and privacy. Last week Google made the subtle change of adding a privacy link to the homepage. This is common on most sites, but avoided by Google because they are very strict about cluttering their homepage. Privacy groups have wanted this for years, so this is a pretty large win.

Today Google announced it’s rolling out the ability to remotely sign out other computers from your Gmail account. You’ll also be able to view the IP address, interface (web, mobile, IMAP, POP3), and time that anyone has logged into your account. This is a groundbreaking change in regards to email security.

Now it’s possible for email users to review the logs and see if and when anyone else has accessed their personal email.
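As an added example of the kind of review this feature makes possible (not part of the original post and not Gmail code), the following Python script runs over a constructed activity list of the shape described above, with a time, an interface and an IP per entry, and flags entries from addresses outside the networks the owner recognises or over interfaces the owner never uses. The networks, interfaces and sample rows are all assumptions made up for the example.

```python
import ipaddress
from datetime import datetime

# Constructed sample in the shape of the activity list described above:
# (timestamp, interface, client IP). Not real account data.
ACTIVITY = [
    ("2008-07-07 08:12:00", "web", "198.51.100.23"),
    ("2008-07-07 12:40:00", "mobile", "198.51.100.23"),
    ("2008-07-07 19:05:00", "IMAP", "203.0.113.77"),
    ("2008-07-08 03:30:00", "POP3", "192.0.2.9"),
]

# What the account owner knows about their own usage (assumed for the example).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
KNOWN_INTERFACES = {"web", "mobile"}


def parse_activity(rows):
    """Turn the raw tuples into typed values so they can be compared."""
    return [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), iface, ipaddress.ip_address(ip))
        for ts, iface, ip in rows
    ]


def suspicious_accesses(rows, known_networks, known_interfaces):
    """Return every access that came from an unknown address or an unused interface."""
    findings = []
    for when, iface, ip in parse_activity(rows):
        reasons = []
        if not any(ip in net for net in known_networks):
            reasons.append("address outside known networks")
        if iface not in known_interfaces:
            reasons.append(f"interface {iface} never used by owner")
        if reasons:
            findings.append({
                "time": when.isoformat(sep=" "),
                "interface": iface,
                "ip": str(ip),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_accesses(ACTIVITY, KNOWN_NETWORKS, KNOWN_INTERFACES):
        print(finding)
```

With the sample data the two web and mobile accesses from the owner’s own network pass, while the IMAP and POP3 accesses from unfamiliar addresses are reported, each with both reasons attached; those are the sessions the remote sign-out feature exists for.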

I suspect Yahoo and Microsoft will be working to copy this feature, perhaps with their own enhancements (invalid password logging, maybe?). I can also see Facebook and MySpace rolling out a similar feature in the near future. It’s an easy enough enhancement that provides a lot more comfort and security to the product.

Employers going through employees’ personal email has been hostile waters for a long time, including a recent high-profile case. This is certain to agitate that. I suspect there are a few companies who will be updating their policies in the next few weeks to try and protect themselves. There will even be a few who will sue Google, claiming libel, or claiming that Google’s privacy policy should cover you when you log into someone else’s account provided you have one of your own. This is guaranteed to happen.

It’s a good move by Google. This feature greatly enhances the security of Gmail and puts it in a class well beyond what Yahoo or Hotmail currently provide. This is likely the biggest threat to email other than viruses which they all scan pretty well, and phishing, which they also do a decent job with.

Gmail Contact Sync

Google released the API for contacts. How long before someone comes up with a Thunderbird plugin to sync up with it? Any takers?

I’d love to know why they decided the API route, rather than use LDAP. It can be secured using TLS, and require a bind DN and bind password. If they did it that way, most email clients would be compatible right out of the gate.

There’s also Google Calendar Sync, but it only supports Outlook. Still no CalDAV.

I’m slightly disappointed, but at least with an API things are workable. Standards would still be best.

Gmail invites

I’ve got Gmail invites still. Priority goes to Mozilla community members. If I’ve seen your name around, you’ve got a higher chance. So post a comment here with your name and email address (no anti-spam garbage, or I’m skipping it, the blog will do some minor obscuring).

Even higher priority goes to those who join Freeipods.com through my referral link and complete an offer. 😉 Still trying to find out if it’s the real deal. Try AOL for 30 days (hey, they did give the Mozilla Foundation $2 million). There are several other easy little offers. Then cancel during the free trial to avoid having to pay for the service if you don’t like it. Use the same address to sign up, so I know who you are.

So if you don’t have a Gmail address yet, this is an easy way to get it. Priority offer is as follows:

  • freeipods.com signups who complete an offer (use an ‘instant offer’ for even quicker gratification).
  • Mozilla community members.

Do both and increase your chances.

If I get more invites, I’ll just attack this list for a little bit, before making a new post with a new contest for gmail invites.

So go ahead and get busy.

Make me laugh for a Gmail account

Ok, well I have a few Gmail accounts to give away, but I want to have fun. So here’s your mission:

Make me laugh

Rules (must read before attempting this contest)

  • I decide. Simple as that, 100% up to me. That’s the way it goes.
  • USE THE COMMENTS FORM… unless…
    If you’re going to say something that may be deemed offensive, use the comment form. Do not try and make a comment with a dirty joke. Violators may be disqualified, and blocked. Use the comment form if you’re not sure, and if it’s appropriate, I’ll give you the nod to make a comment. Adult jokes by comment form ONLY. No exceptions. Make a mistake, and you will make me mad.
  • Information required: valid email and name. That’s who I will send it to. Use bogus data sflkdsjf@adsfjlksdf.com and you will not get an invite.
  • Multiple entries allowed, but use discretion. If I feel you are too spammy, you’re not getting one. So send your best 1 or 2.
  • Oh, feel free to invite others to try. And come back to read. Hopefully a few won’t be ‘comment only’

As for what tickles my funnybone… well, that’s half the game. Those who know me know very well what the sweet spot is. For the rest of you, good luck. Don’t bother asking, I won’t tell; you can scour the blog if you want. Not sure if that will help though.

There are 2 (maybe 3) accounts to give away this time. Let’s see how good you guys are.

Use the comments form in compliance with the rules above. Violators WILL be prosecuted.

This contest will run until at least Sunday night (9:00 PM EST). It may be extended at my will if the contest has a lot of entries (and if they are good).

Gmail Reply

I asked about getting SMIME support. Here’s the reply I got:

Hello,

Thank you for your suggestion regarding SMIME support — we are forwarding it to the appropriate team for review. We certainly appreciate hearing from Gmail users and encourage you to continue to let us know how we can improve the Gmail experience.

You might be interested to hear that we are working on many upcoming features, including the following:

– Automatic forwarding of your email to another account
– Plain HTML version of Gmail
– Import/export Contacts

Sincerely,
The Gmail Team

Interesting to know. Especially the auto-forwarding. Very cool.

Gmail Invite

I’ve got a Gmail invite (or two) to give away!

Well, the first person (or two, if I do end up with a second to give away) who can solve the following question will get a Gmail account.

I’ve asked this question to a few people before; if you’re one of those (I do know who you are), you can’t enter this contest… but there shall be more for you guys to be included in.

Edit: Winner is Mike Haw who correctly answered the question (you can get the answer by hovering your mouse over this text)

Good luck. Email your answer to me titled “Gmail Giveaway”. Use the form!