[buro9]

I like this idea though, indeed I like the idea of the web being https by default.

Where I find it funny in relation to email is that email passes over the internet in plain text and without Google adding PGP or something to Gmail the benefits for this aren't great.

Considering the current incident with China, and the hacking in December. https for gmail will prevent snooping of gmail, but wouldn't prevent the email being intercepted if sent to or CC'd anyone on any other domain where the traffic crossed China (ot it could offer low-hanging fruit in other countries as relays may not be as secure).

It does help increase intra-Gmail security (as using the web to author would author it being visible before being sent) but it wouldn't wholly secure the entire transaction end to end which surely should be the goal.

I'd love to see Google take steps to offer a public key encryption system for Gmail that could secure the email even as it passed over other systems and to recipients in potential hot-zones.

[forkqueue]

Actually, not all email passes in plain text - a decent chunk (although doubtless a minority) uses SMTP over TLS.

Many servers have it configured, and if it's available on the destination almost all MTAs will use it to send mail to other servers, even if they don't support receipt of mail in this way.

[AndrewDucker]

Gmail uses TLS to encrypt SMTP if you're using a client app.

[RK]

Ignoring the technical issues, Google doesn't want your free Gmail encrypted end-to-end because they rely on searching your email to serve you targeted ads (and deal with spam).

[mooism2]

Presumably Google would decrypt your mail for you.

[InclinedPlane]

Intercepting email between SMTP servers is a much harder problem than intercepting email to and from the mail client, even if both are unencrypted. The latter requires only that the ISP or the LAN of the user to be compromised. If you ever connect through an insufficiently secured WAP then all of your email could be compromised.

However, using a secure link from the client to the mail server cuts down on the area of vulnerability significantly. Now your personal system needs to be compromised, or the backbone internet links between mail servers used by people who contact you need to be compromised. This is a significantly higher bar. Granted, if you want to maximize email security then public/private key encryption is the way to go, but the simple step of using https between the client and the server is a very significant improvement.

[vdm]

> I like the idea of the web being https by default.

I don't if it means no referers.

[randallsquared]

It only means no referer if you change from one to the other. Different hosts using https pass referer normally.

[xtho]

> I like the idea of the web being https by default.

So that proxies become useless, the connection gets slower, data traffic increases, firefox users are plagued with warnings because people don't have proper certificats etc.

At least 95% of the web-pages people are viewing are pointless bullshit anyway. It's not as if the casual internet user were using the potential freedom of the internet for anything good.

Messaging and similar services should be private of course.

[buro9]

Thse are just problems to solve and not reasons not to proceed.

In fact Google already have a whitepaper published for their SPDY protocol and that uses SSL everywhere: http://www.chromium.org/spdy/spdy-whitepaper

[xtho]

tl;dr :-)

But how should this solve the conflict of encryption/privacy vs caching?