Google docs etc: is the data transfer secure?

AI Thread Summary
The discussion centers on the security of data transmitted to and from Google Apps servers, specifically questioning the claim that this data is unencrypted. It is clarified that while HTTPS encrypts data in transit, the data stored on Google Apps servers may not be encrypted in a way that prevents the server from accessing it. The conversation highlights the potential benefits of alternative services that utilize client-side encryption, where data is encrypted before it reaches the server, ensuring that the server cannot decrypt it. Additionally, the value of using a VPN in conjunction with HTTPS is debated. It is noted that HTTPS provides robust security as it ensures that only the client and server can decrypt the communication. However, concerns are raised about the possibility of servers accessing data through JavaScript, emphasizing that while companies may promise not to do so, vulnerabilities exist that could allow unauthorized access by malicious actors. The discussion also touches on the relative security of apps from app stores, which may offer better protection if they are properly audited or open-source.
Swamp Thing
This video ...

... At around 01:26 they say that data to and from the Google apps server goes across unencrypted.

Is that true, given that all these services are necessarily over HTTPS?

On a related note, does a VPN layer add any value in terms of data security, above that provided by HTTPS?
 
Swamp Thing said:
... At around 01:26 they say that data to and from the Google apps server goes across unencrypted.

Is that true, given that all these services are necessarily over HTTPS?
The point they are making is that the data is unencrypted on the Google Apps server. They are presumably promoting alternative services where the server does not have the keys to unencrypt the data and all decryption is done on the client. This also means that all processing has to be done on the client.

Edit: that's not very clear. The services they are presumably promoting have an additional layer of encryption in the client application so the flows are:

User data -> encrypted using password -> HTTP message -> encrypted via HTTPS -> internet -> decrypted via HTTPS -> server app: stores data encrypted using password unknown to server.

Server: retrieves data encrypted using password unknown to server -> HTTP message -> encrypted via HTTPS -> internet -> decrypted via HTTPS -> client app: decrypts data using password.

Swamp Thing said:
On a related note, does a VPN layer add any value in terms of data security, above that provided by HTTPS?
No, the security in HTTPS comes from the fact that only your browser has the private key to decrypt communication from the server and only the server has the private key to decrypt communication from you.
 
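The two flows described in the post above, as an added example that is not part of the original thread: the client encrypts with a password-derived key before the request is built, and the server only stores and returns an opaque blob. The choice of scrypt and AES-256-GCM, all function names and the in-memory `Map` standing in for the server are assumptions; the HTTPS transport step is not modelled.

```javascript
// Added example (Node.js): client-side encryption underneath HTTPS. Names are hypothetical.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Derive a 256-bit key from the password; the random salt travels with the blob.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32);
}

// Client, before upload: "User data -> encrypted using password".
function encryptForUpload(password, plaintext) {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const fields = { salt, iv, tag: cipher.getAuthTag(), ciphertext };
  // Serialise every field as base64 so the blob can go in an HTTP body.
  return JSON.stringify(Object.fromEntries(
    Object.entries(fields).map(([name, buf]) => [name, buf.toString('base64')])));
}

// Client, after download: "client app: decrypts data using password".
function decryptAfterDownload(password, blob) {
  const f = Object.fromEntries(
    Object.entries(JSON.parse(blob)).map(([name, b64]) => [name, Buffer.from(b64, 'base64')]));
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(password, f.salt), f.iv);
  decipher.setAuthTag(f.tag);
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([decipher.update(f.ciphertext), decipher.final()]).toString('utf8');
}

// Stand-in for the server app: it never receives the password or the key.
const serverStore = new Map();
const serverPut = (id, blob) => serverStore.set(id, blob);
const serverGet = (id) => serverStore.get(id);

// Round trip with constructed sample values.
function demo() {
  const password = 'constructed-sample-password';
  const note = 'constructed sample: meeting notes';
  serverPut('doc1', encryptForUpload(password, note));
  const stored = serverGet('doc1');
  let wrongPasswordFails = false;
  try { decryptAfterDownload('server-side-guess', stored); } catch { wrongPasswordFails = true; }
  return {
    serverSeesPlaintext: stored.includes(note),
    wrongPasswordFails,
    recovered: decryptAfterDownload(password, stored),
  };
}
console.log(demo());
```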
pbuk said:
Server: retrieves data encrypted using password unknown to server -> HTTP message -> encrypted via HTTPS -> internet -> decrypted via HTTPS -> client app: decrypts data using password.
There is still a hitch with that process that bothers me. The reality is that if one can see the data in a browser before encrypting it or after decrypting it, the data is technically readable by the server as well with JavaScript. I know the whole business model of these companies is to say "we promise we won't do that", but it is still technically possible if someone (government, hackers, frustrated employees) took control of the server somehow.

With apps offered through an app store, it is a little better as the app files are downloaded only for a specific version and if the app is properly audited or open-source, a change in the JavaScript files would be noticed and users (hopefully) would be alerted.

More on this:

 