ReadWriteWeb

Google Wave More Secure than Traditional Email

Written by Sarah Perez / October 15, 2009 7:17 AM / 8 Comments

Google Wave, the company's new real-time collaboration platform currently in private beta, is more secure than traditional email, claims the company. According to Greg D'alesandre, Google Wave product manager, that's because Google has focused on addressing privacy and security issues as the product was built from the ground up instead of waiting to deal with them later. Speaking to media in Sydney today, he detailed several of Wave's security features which are meant to stop criminals from exploiting the new technology and harming Wave users.

Built In Features to Prevent Spoofing

As reported by Australian news outlet ITNews, Wave has multiple levels of security which are designed to prevent email spoofing. Spoofing is when you receive an email that claims to be from a person or company you know but is actually from someone else, in most cases a hacker.

D'alesandre says the Wave protocol is more secure because it includes something he jokingly refers to as "crypto fairy dust." That's obviously meant to be a simple and fun way to explain the security complexities built into Wave which involve detailed authentication mechanisms to keep users safe from malicious attacks. In Wave, every bit of info you receive from another Wave user has already been authenticated as to its origin so you can be assured that they are who they say they are.

"You know you are getting the Wave from the person that is sending it to you and it has not changed mid-stream. This is a very big problem in current communication technologies - data can be changed mid stream and you will never know," said D'alesandre.

HTTPS Enabled by Default

For an additional layer of security, all Wave traffic is by default encrypted via HTTPS, a protocol for secure communications. That represents a big change in Google's standard policy regarding use of this protocol. It wasn't until July of 2008 that Gmail users were even given the option to encrypt messages using SSL, and to enable it you had to go into your settings and make a change, something that most mainstream users would never have bothered with. By the end of 2008, Google was only offering SSL as a feature in its other Google Apps programs if users were on either the Premier or Education editions. That meant that for non-paying consumer users, Google Docs, Calendar and other online offerings were only available via unencrypted HTTP sessions.

Today, little has changed. Still, only users of Premier and Education Editions have access to SSL and it's not switched on by default. The protocol is now available for Gmail, Chat, Calendar, Docs and Sites but not the Start page, Google Video or the Google Talk desktop client. Consumers using free Google apps like Docs still don't have SSL unless they type it in the address bar manually.

D'alesandre admitted that switching on encryption in Wave slows down the service a little (which probably explains the company's hesitance to switch it on in other products, too), but they ultimately decided that the security it provides was worth it.

Whitelisting Kills the Noise

A third security feature of sorts coming to Wave in the future is the ability to do "whitelisting." Wave users will be able to select which people they want to collaborate with and place them on a whitelist of approved persons. Only those who are on the list will be able to contact you via Wave and everyone else will be ignored.

That feature should certainly help to address the concerns certain folks have about Wave's "noise level": to some, an overwhelming amount of activity that led them to call out Wave as a distraction and a time-waster instead of the futuristic productivity product it intends to be. By giving those who can't seem to embrace Wave's cacophony the ability to limit their collaborators, Wave could transform from noisy attention killer to useful tool in an instant.

Of the three features, the first two are already in place. No date was given on the whitelisting feature, only that it will be "coming soon."


Comments


  1. Great. But, for me, this begs the question: would Wave be a replacement for email for me, not a collaborator? (I think not: a waste of time, an overage of complexity, ¿qué no?)

    Posted by: fjpoblam | October 15, 2009 8:29 AM



  2. Interoffice memos are also more "secure" than traditional mail. Not as useful for communicating with people outside the building though.

    Also worth noting - "traditional" email is text and doesn't include full web page layouts, which makes it very difficult to spoof. Web-based graphical email has made spoofing much easier, so whichever company popularized that should really take responsibility... oh wait.

    Posted by: jb | October 15, 2009 9:42 AM



  3. Good article, with one glaring inaccuracy--despite what the linked Google Help page says, SSL connectivity is in fact available to ALL Google Apps users, including those using the free version. I've been using https:// for my free Google Apps e-mail users since the day they enabled the feature.

    Posted by: Mike Coop | October 15, 2009 9:56 AM



  4. Google has many problems with Wave inherent to the way it is designed. If they close it too much no one will use it. If they open it too much it's just noise. After playing with it I see no happy balance struck on their part. They rely too much on me which makes it overly complicated. I would also argue that SPAM is not a security issue. It is what the SPAM is being used to accomplish that causes a security issue. If they just want to sell me a valid product, where is the security issue there? However, if the spammer wants to conduct a phishing attack...security problem. As far as I can tell anyone can create a g-mail account without that person being authenticated in any real way so where is the security in that? I can go into a public wave and post or edit anything that I want. Where is the security in that? That they know my id did it? It's too late for the poor soul who acted on my posts.

    Posted by: dug | October 15, 2009 10:02 AM



  5. All of this is already possible with email. S/MIME and OpenPGP/MIME provide secure authentication and encryption, and a decent mail client (Thunderbird, Evolution, etc.) can create whitelists without any difficulty. Cryptography that is provided by web apps is highly vulnerable -- just look at the debacle with Hushmail a few years ago.

    In short: if you want security, stick with email, use OpenPGP, and keep your mail routing within your organization. If you want pretend security, go ahead, use Wave.

    Posted by: B | October 15, 2009 12:55 PM



  6. Where's "Claims the company" in the subject? You added it on Twitter! :) http://twitter.com/sarahintampa/status/4889701559

    Sarah, did you ask any security folks to confirm? Running that line without that addendum means anyone reading this quickly might think that this statement is outright true.

    I think @B pointed out the substantive issue here: encrypted email behind a firewall tends to be a more secure environment for sensitive information than an external platform, whether it's webmail or Wave. To be fair, the IT news article you cite didn't do much better, just reporting on the Google execs' statements, but then "crypto fairy dust" introduces some classic Aussie critique on its own.

    Posted by: Alex Howard | October 16, 2009 6:55 AM



  7. I will appreciate it if someone sends me the invitation to use googlewave at manmohanjas@gmail.com

    Posted by: manmohan singh | October 16, 2009 11:44 PM



  8. I have a lot of faith in Google and all of their products. You had to know that they would use an efficient and effective piece of encryption software. What I like, although some don't, is that the encryption is mostly behind the scenes. Good stuff.

    Posted by: Aleksander | December 24, 2009 8:03 AM


