Tuesday, June 16, 2009

A chastity belt for the Cloud


It's not often that I try and predict the future, but every once and a while I'll step out on a limb and try to forsee the untold. So when it comes to Cloud Computing, I'll proffer this: Soon there will be a day when personal computers carry no software pre-installed, and the internet will hold any software program you may need.

Of course, Cloud Computing is the storing of information on massive servers instead of on your computer. Email has already "gone Cloud." Hotmail, Gmail, Yahoo Mail, etc. store email information on servers located across the country. Microsoft Outlook, which stores information on your actual harddrive, is used less and less. Soon, programs like Word and Excel will be in the Cloud, and you will log-on to a website to create your spreadsheet rather than log-on to your own computer.

Of course, this brings up security issues. Lot's of them. How can we trust Google and Yahoo to keep our documents safe? Are their servers more secure than our own laptops? Can someone hack and read our email?

That is the very question asked of Google by 37 of the country's best encryption and cyber security experts in a recent letter. Some of the most well-known white-hat hackers signed the letter, which notes that Google "locks down other applications, such as Google Voice, Health, AdSense and AdWords, by running all their traffic — not just the login — via the https protocol."

According to Threat Level, Google’s web apps do require users to log-in via https, but after that, most users check their email, read their documents and look at their calendars “in the clear.” That means any ne’er-do-well with the brains to install WireShark or Linux can sit in a cafe, using their packet sniffer to check, read, and look along with them. Even worse, a clever attacker can "side-jack" a user's cookie and actually log-in to those services at the same time the user is in them. From there they can edit and delete your documents, scour your email for sensitive data and even send out mail under your name.

What does this mean in plain English?

Http is what we all typically use to visit websites. The "s" in Https, however, stands for secure, and is another security layer that protects against eavesdroppers. This https is what Google currently does NOT use, which prompted the letter.

Technically, individual internet users can change his or her browser setting to always use https, but it's not the default. Why not? It adds additional information to Google's servers, thereby increasing expenses.

At the end of the day, if we think someone would read our emails, you may want to make the switch and pay attention to this post. This probably applies to individuals who email important work product information. However, for those emailers who simply use email to keep in touch, send funny video clips and pictures, it's not the big of a concern.