Google docs etc: is the data transfer secure?

  • Thread starter: Swamp Thing
  • Tags: Data, Google
The discussion centers on the security of data transmitted to and from Google Apps servers, specifically questioning the claim that this data is unencrypted. It is clarified that while HTTPS encrypts data in transit, the data stored on Google Apps servers may not be encrypted in a way that prevents the server from accessing it. The conversation highlights the potential benefits of alternative services that utilize client-side encryption, where data is encrypted before it reaches the server, ensuring that the server cannot decrypt it. Additionally, the value of using a VPN in conjunction with HTTPS is debated. It is noted that HTTPS provides robust security as it ensures that only the client and server can decrypt the communication. However, concerns are raised about the possibility of servers accessing data through JavaScript, emphasizing that while companies may promise not to do so, vulnerabilities exist that could allow unauthorized access by malicious actors. The discussion also touches on the relative security of apps from app stores, which may offer better protection if they are properly audited or open-source.
Swamp Thing
This video ...

... At around 01:26 they say that data to and from the Google apps server goes across unencrypted.

Is that true, given that all these services are necessarily over HTTPS?

On a related note, does a VPN layer add any value in terms of data security, above that provided by HTTPS?
 
Swamp Thing said:
... At around 01:26 they say that data to and from the Google apps server goes across unencrypted.

Is that true, given that all these services are necessarily over HTTPS?
The point they are making is that the data is unencrypted on the Google Apps server. They are presumably promoting alternative services where the server does not have the keys to unencrypt the data and all decryption is done on the client. This also means that all processing also has to be done on the client.

Edit: that's not very clear. The services they are presumably promoting have an additional layer of encryption in the client application so the flows are:

User data -> encrypted using password -> HTTP message -> encrypted via HTTPS -> internet -> decrypted via HTTPS -> server app: stores data encrypted using password unknown to server.

Server: retrieves data encrypted using password unknown to server -> HTTP message -> encrypted via HTTPS -> internet -> decrypted via HTTPS -> client app: decrypts data using password.

Swamp Thing said:
On a related note, does a VPN layer add any value in terms of data security, above that provided by HTTPS?
No, the security in HTTPS comes from the fact that only your browser has the private key to decrypt communication from the server and only the server has the private key to decrypt communication from you.
 
Likes Swamp Thing
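
The two flows in the post above (encrypt with a password before upload, decrypt after download), as an added example that is not part of the original thread or of any service it mentions. The function names, the scrypt and AES-256-GCM choices, the blob layout and the in-memory `serverStore` standing in for the server are all assumptions made for illustration; the HTTPS hop is omitted because it does not change what the server ends up holding.

```javascript
// Added example (Node.js standard library only); all names are hypothetical.
const nodeCrypto = require('node:crypto');

// Client: stretch the password into a 256-bit key. The salt is random per
// document and is stored beside the ciphertext; it is not secret.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Client: "User data -> encrypted using password". The returned blob is the
// only thing that is ever sent to the server.
function clientEncrypt(password, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Assumed layout: salt(16) | iv(12) | auth tag(16) | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Client: "client app: decrypts data using password". Throws if the password
// is wrong or the stored blob was modified (the GCM tag check fails).
function clientDecrypt(password, blobB64) {
  const blob = Buffer.from(blobB64, 'base64');
  const key = deriveKey(password, blob.subarray(0, 16));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(16, 28));
  decipher.setAuthTag(blob.subarray(28, 44));
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]).toString('utf8');
}

// Stand-in for the server: it stores and returns opaque blobs and never
// receives the password or the derived key.
const serverStore = new Map();
function serverPut(id, blob) { serverStore.set(id, blob); }
function serverGet(id) { return serverStore.get(id); }

// Full round trip: encrypt on the client, store, fetch, decrypt on the client.
function roundTrip(password, text) {
  serverPut('doc1', clientEncrypt(password, text));
  return clientDecrypt(password, serverGet('doc1'));
}

// Constructed sample data.
console.log(roundTrip('correct horse battery staple', 'quarterly figures'));
console.log(serverGet('doc1')); // what the server holds: base64 of salt, iv, tag, ciphertext
```

The guarantee rests on `clientEncrypt` and `clientDecrypt` being code the user can trust, which is the concern the next reply raises about JavaScript delivered by the server.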
pbuk said:
Server: retrieves data encrypted using password unknown to server -> HTTP message -> encrypted via HTTPS -> internet -> decrypted via HTTPS -> client app: decrypts data using password.
There is still a hitch with that process that bothers me. The reality is that if one can see the data in a browser before encrypting it or after decrypting it, the data is technically readable by the server as well with JavaScript. I know the whole business model of these companies is to say "we promise we won't do that", but it is still technically possible if someone (government, hackers, frustrated employees) took control of the server somehow.

With apps offered through an app store, it is a little better as the app files are downloaded only for a specific version and if the app is properly audited or open-source, a change in the JavaScript files would be noticed and users (hopefully) would be alerted.

More on this:

 