Why does GMail hate end-to-end encryption?
Its idea of enterprise S/MIME support is asking users to upload their *private* keys in PKCS12 bundle so Google can decrypt their messages for them
1/3pic.twitter.com/06RKtGpxhM
This is the legacy version of twitter.com. We will be shutting it down on June 1, 2020. Please switch to a supported browser, or disable the extension which masks your browser. You can see a list of supported browsers in our Help Center.
Vulnerability researcher at Google. This is a personal stream, opinions expressed are mine.
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Add this Tweet to your website by copying the code below. Learn more
Add this video to your website by copying the code below. Learn more
By embedding Twitter content in your website or app, you are agreeing to the Twitter Developer Agreement and Developer Policy.
| Country | Code | For customers of |
|---|---|---|
| United States | 40404 | (any) |
| Canada | 21212 | (any) |
| United Kingdom | 86444 | Vodafone, Orange, 3, O2 |
| Brazil | 40404 | Nextel, TIM |
| Haiti | 40404 | Digicel, Voila |
| Ireland | 51210 | Vodafone, O2 |
| India | 53000 | Bharti Airtel, Videocon, Reliance |
| Indonesia | 89887 | AXIS, 3, Telkomsel, Indosat, XL Axiata |
| Italy | 4880804 | Wind |
| 3424486444 | Vodafone | |
| » See SMS short codes for other countries | ||
This timeline is where you’ll spend most of your time, getting instant updates about what matters to you.
Hover over the profile pic and click the Following button to unfollow any account.
When you see a Tweet you love, tap the heart — it lets the person who wrote it know you shared the love.
The fastest way to share someone else’s Tweet with your followers is with a Retweet. Tap the icon to send it instantly.
Add your thoughts about any Tweet with a Reply. Find a topic you’re passionate about, and jump right in.
Get instant insight into what people are talking about now.
Follow more accounts to get instant updates about topics you care about.
See the latest conversations about any topic instantly.
Catch up instantly on the best stories happening as they unfold.
Why does GMail hate end-to-end encryption?
Its idea of enterprise S/MIME support is asking users to upload their *private* keys in PKCS12 bundle so Google can decrypt their messages for them
1/3pic.twitter.com/06RKtGpxhM
"hosted S/MIME provides an added layer of security compared to using SMTP over TLS to send emails"https://security.googleblog.com/2017/02/hosted-smime-by-google-provides.html …
It would at least have been honest if they called it "key-escrowed SMIME"
Hosted S/MIME sounds pretty good, no? They never claim it provides end-to-end encryption FWIW
What is the point of hosted S/MIME? Before employees can upload their existing cert & keys to Google, the company must have already setup a PKI. At that point they could just as well as Thunderbird, Outlook, Apple Mail etc. Why bother with web UI?
It's because a large portion of SMTP traffic is still sent in cleartext. Why bother with web UI? I don't know, this is like asking why Gmail makes sense when you already have native desktop clients
If the goal is to encrypt SMTP traffic, Gmail only needs the recipient public-key eg the S/MIME certificate
How does uploading your *private* key help the cause? 
That's an odd question, we've already established this isn't end-to-end encryption, so the key is needed for normal operation of the client, right? I think implication is there are no benefits from managing S/MIME this way, but that doesn't seem true (certainly a tradeoff tho).
Agreed that being able to send encrypted email from web UI is useful But most S/MIME usage is selective & only small fraction of incoming is encrypted Does escrowing private key to Gmail for the 1% make sense vs falling back on desktop client?
Or, can we separate encryption a& decryption sides of this feature, and make the latter optional? IMO more people could benefit that way (including those who won't escrow their keys by policy or can't because keys are in hardware)
Not just encryption, also signing, right? I dunno, obviously that would be possible, but at that point why not use a desktop client and IMAP, which is possible today.
From https://security.googleblog.com/2017/02/hosted-smime-by-google-provides.html …: "all normal processing of the email can happen, including spam/phishing/malware... search and Smart Reply... giving the benefit of strong authentication and encryption in transit - without losing the safety and features of Google's processing"
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.