Google docs etc: is the data transfer secure?

  • Thread starter: Swamp Thing
  • Tags: Data, Google
SUMMARY

The discussion centers on the security of data transfer in Google Apps, specifically addressing concerns about unencrypted data on the server despite HTTPS usage. It confirms that while data is encrypted during transmission via HTTPS, it remains unencrypted on the Google Apps server, which poses potential risks. The conversation also explores the effectiveness of VPNs in enhancing security, concluding that they do not provide additional protection beyond what HTTPS offers. The participants emphasize the importance of client-side encryption to ensure data remains secure from server access.

PREREQUISITES
  • Understanding of HTTPS encryption protocols
  • Familiarity with client-side encryption techniques
  • Knowledge of VPN functionality and limitations
  • Awareness of data privacy concerns in cloud services
NEXT STEPS
  • Research client-side encryption methods for secure data handling
  • Explore the implications of using VPNs alongside HTTPS for data security
  • Learn about the security features of alternative cloud services that prioritize user privacy
  • Investigate the potential vulnerabilities of JavaScript in web applications
USEFUL FOR

Individuals concerned about data privacy, cybersecurity professionals, developers implementing secure applications, and anyone using cloud services like Google Apps who wants to understand the implications of data encryption.

Swamp Thing
This video ...

... At around 01:26 they say that data to and from the Google apps server goes across unencrypted.

Is that true, given that all these services are necessarily over HTTPS?

On a related note, does a VPN layer add any value in terms of data security, above that provided by HTTPS?
 
Swamp Thing said:
... At around 01:26 they say that data to and from the Google apps server goes across unencrypted.

Is that true, given that all these services are necessarily over HTTPS?
The point they are making is that the data is unencrypted on the Google Apps server. They are presumably promoting alternative services where the server does not have the keys to unencrypt the data and all decryption is done on the client. This also means that all processing also has to be done on the client.

Edit: that's not very clear. The services they are presumably promoting have an additional layer of encryption in the client application so the flows are:

User data -> encrypted using password -> HTTP message -> encrypted via HTTPS -> internet -> decrypted via HTTPS -> server app: stores data encrypted using password unknown to server.

Server: retrieves data encrypted using password unknown to server -> HTTP message -> encrypted via HTTPS -> internet -> decrypted via HTTPS -> client app: decrypts data using password.

Swamp Thing said:
On a related note, does a VPN layer add any value in terms of data security, above that provided by HTTPS?
No, the security in HTTPS comes from the fact that only your browser has the private key to decrypt communication from the server and only the server has the private key to decrypt communication from you.
 
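The two flows described in the post above, as an added example that is not part of the original thread: the client encrypts with a password-derived key before upload, so the server application only ever stores ciphertext. The in-memory `serverStore`, the function names, and the sample password and document are assumptions constructed for illustration; the HTTPS hop is not modelled because TLS is already removed by the time the server app sees the request body.

```javascript
// Added example (Node.js, built-in crypto only); not code from the thread.
const nodeCrypto = require('node:crypto');

// Client side: the key is derived from the password, which never leaves the client.
function clientEncrypt(password, plaintext) {
  const salt = nodeCrypto.randomBytes(16);            // per-document salt
  const iv = nodeCrypto.randomBytes(12);              // unique nonce for AES-GCM
  const key = nodeCrypto.scryptSync(password, salt, 32);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

function clientDecrypt(password, blob) {
  const key = nodeCrypto.scryptSync(password, blob.salt, 32);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);                      // final() throws if the tag does not verify
  return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
}

// Server side (hypothetical in-memory store): this is everything the server app holds.
const serverStore = new Map();
function serverPut(id, blob) { serverStore.set(id, blob); }
function serverGet(id) { return serverStore.get(id); }

// Search everything the server stores for the plaintext bytes.
function serverSeesPlaintext(id, plaintext) {
  const b = serverStore.get(id);
  const stored = Buffer.concat([b.salt, b.iv, b.ct, b.tag]);
  return stored.includes(Buffer.from(plaintext, 'utf8'));
}

function fails(fn) { try { fn(); return false; } catch { return true; } }

function demo() {
  const password = 'correct horse battery staple';    // constructed sample
  const doc = 'Q3 salary review: draft';              // constructed sample
  serverPut('doc-1', clientEncrypt(password, doc));   // upload flow
  const stored = serverGet('doc-1');                  // download flow
  const tampered = { ...stored, ct: Buffer.from(stored.ct) };
  tampered.ct[0] ^= 1;                                // server-side modification of one bit
  return {
    roundTrip: clientDecrypt(password, stored),
    serverSeesPlaintext: serverSeesPlaintext('doc-1', doc),
    wrongPasswordRejected: fails(() => clientDecrypt('guess', stored)),
    tamperDetected: fails(() => clientDecrypt(password, tampered)),
  };
}
```

The property shown here depends on the code that calls `clientEncrypt` being trustworthy; where that code is itself delivered by the server on each page load, the server operator controls what runs before encryption.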
pbuk said:
Server: retrieves data encrypted using password unknown to server -> HTTP message -> encrypted via HTTPS -> internet -> decrypted via HTTPS -> client app: decrypts data using password.
There is still a hitch with that process that bothers me. The reality is that if one can see the data in a browser before encrypting it or after decrypting it, the data is technically readable by the server as well with JavaScript. I know the whole business model of these companies is to say "we promise we won't do that", but it is still technically possible if someone (government, hackers, frustrated employees) took control of the server somehow.

With apps offered through an app store, it is a little better as the app files are downloaded only for a specific version and if the app is properly audited or open-source, a change in the JavaScript files would be noticed and users (hopefully) would be alerted.

More on this:

 
