Gmail: Bringing easy end-to-end encryption to all businesses - I'm not sure how I feel about this and its implementation?
Posted by segagamer@reddit | sysadmin | 14 comments
https://workspace.google.com/blog/identity-and-security/gmail-easy-end-to-end-encryption-all-businesses?hl=en
When the recipient is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail. The recipient can then use a guest Google Workspace account to securely view and reply to the email.
If I'm understanding this correctly, if (and when) everyone starts doing this, then users will "get used to" having to click an email link to view a message.
Isn't this going to make detecting phishing emails and avoiding malicious links even harder? Or am I misunderstanding something here?
embrsword@reddit
Email encryption is a challenge very few are equipped to deal with: you either have these portal-based solutions where the content never really leaves the provider, or you have to deal with key exchanges and identity verification that ultimately come back to PKI.
As someone who has done plenty with PKI, in my experience most people are stressed out just requesting and renewing certificates; if you asked them to run the PKI they might shit themselves.
TiredButEnthusiastic@reddit
It’s also going to mean I have to create a Google account just to read an email from you… I guess Google need to juice the numbers for the next quarter or something.
nethack47@reddit
If you have a limited SSO connection to Google, for example so that DevOps can use GCP, but don't use it for the whole business, then the users not provisioned will be unable to sign up for a Google account with the receiving email address.
The requirement to use a Google account will quickly become a problem. A lot of users who can't connect with a company account will start using non-company accounts to receive secure emails. Either the guest account won't need to be a Google account, or it will become a problem for people not using Google Workspace.
Horsemeatburger@reddit
Would have helped if you had at least read the blog entry, which clearly states
TiredButEnthusiastic@reddit
Exactly my point. You send a mail to my NON-GMAIL account and I will have to sign up to a Google account (not a Gmail account) to read it.
Horsemeatburger@reddit
Where, exactly, does it state you'll need a Google account for reading an E2EE email this way?
1Pawelgo@reddit
It's meant to force as many people as possible to use Gmail. Gmail already gets away with too much shit no smaller email provider would be able to do.
Horsemeatburger@reddit
Such as?
nullbyte420@reddit
Oops, we took your storage away, now you gotta pay for it. Also there are ads in your list of emails.
Horsemeatburger@reddit
You mean like there are in literally any free email service?
And what about the stuff small email providers get away with?
"We're offering the highest levels of privacy and security, better than anyone else, pinky swear. Yeah, we still log your IPs so we can rat you out when we're asked to." (Proton)
"We're offering true E2E encrypted emails no-one can read, not even law enforcement. But yes, we're happy to provide law enforcement access to your emails before they get encrypted." (Tuta)
"Hey, we just leaked 40 million SMTP records, including location details and unique email addresses from large corporations and French government agencies, but won't tell you about it." (Alinto)
"Hey, we've been hacked and lost 235 million records so your data is out there, but we still put our fingers in our ears and pretend it never happened." (NetEase)
There's lots of shit smaller email providers get away with.
littleko@reddit
No, you're understanding it correctly. Training users for years to never click unexpected links, then shipping a workflow built entirely on clicking unexpected links to view "secure" messages. We've been dealing with this pattern for years with Proofpoint/Zix encrypted portals and the phishing kits that mimic them are already mature.
It's the same problem Microsoft's OME has. Convenience won, security awareness lost.
Horsemeatburger@reddit
As the blog entry states, this is for E2E encrypted emails, not for regular emails.
The problem is that sending E2E encrypted emails still is largely a mess where you have to deal with the very high complexity of setting up PKI across two different standards (PGP, S/MIME), which is only workable with known partners. You can't just send random people encrypted emails, and despite the body being encrypted the metadata remains unencrypted for this to work.
What Google does is offer an alternative that's actually usable. It means you won't have to deal with setting up PKI infrastructure; you can send E2E encrypted emails to literally anyone.
It's not a new concept, either. Many businesses use secure transmission providers like Kiteworks or Citrix ShareFile. This is essentially the same, just for email. If your users can handle Kiteworks then they should be able to handle this.
It's about time someone came up with something like this. Maybe this will finally put an end to the still way too common practice of especially small businesses asking to be sent sensitive information and documents via regular email.
lemaymayguy@reddit
Sounds like every other secure email product.
Torschlusspaniker@reddit
Yeah but most portal based secure email systems work the same way.
I guess if your email scanner can't read it, the issue falls onto your next layer of security.
The announcement has kind of a Kumbaya message at the top and then hits you with get fucked if you are not an enterprise (I am seeing plus) subscriber.
"At Google, we believe that secure, confidential communication should be available for organizations of all sizes. However, end-to-end encrypted (E2EE) email was historically a privilege reserved for organizations with significant IT resources"