gmail security is really only good between gmail accounts and is definitely stored in plain text in the googlesphere use PGP if you need to guarantee email privacy.


> is definitely stored in plain text in the googlesphere

have a source for that?


By definition, since Google can index email and mine it for keywords, they have access to the contents of it, which makes it isomorphic to plaintext.


They almost surely are for a myriad of reasons, but searchability does not imply a database must be isomorphic to plain text: searchable encrypted database techniques have long existed and have been implemented as things like CryptDB http://css.csail.mit.edu/cryptdb/ which let you set the level of encryption and how much information leakage is possible.


That could be done on the client side, reading the text on the page, like I assume they do for every other AdSense-enabled page.


AdSense detection is not done on the client side. AdSense knows which ads to serve on which page because it leverages the search index cache and content analysis of that page. In the same way, Google serves contextual ads in Gmail by indexing the content of each email as it comes in.

Of course, every other major public email provider in the world stores email in plaintext too, so I don't get how this is a knock against Google specifically.


It's not though. Training the data models for Priority Inbox would also require access to message contents and metadata and happens offline in batch.


That's not the same thing though. Plain text is a security risk because users tend to reuse passwords. If it's hashed then that wouldn't be the case, even if they can mine it or whatever.


If the content of the email were hashed then the recipient couldn't read it!


They could if it were a reversible key-based hash.

http://en.wikipedia.org/wiki/Cryptographic_hash_function


I believe you're thinking of a 'cipher'.

Cryptographic hashes (even keyed ones) are expected to be one-way functions.


Could be my bad here, but I said "reversible key-based", which isn't what most cryptographic one-way hashes are.

For ASCII text, modulo 13 is a reversible operation (a/k/a rot13). It's not key-based, may not be a hash, and I'm not aware of any specifically key-based hashes, but that's along the lines of what I was thinking.

Fully admitting winging this one though.


Well your Wikipedia link was about cryptographic hash functions so I figured that's what you intended to refer to.

So when you wrote "key-based hashes", I interpreted that as meaning a cryptographic hash-like function with key input, e.g. HMAC the "Keyed-Hash Message Authentication Code".

Modulo 13 is different from rot13. Modulo 13 is actually a hash function, whereas rot13 is a permutation.

If rot13 took a key (e.g. if it were rotN instead) it would make a primitive cipher. But it doesn't, so it behaves like a cipher that is always used with a fixed key, or a cipher whose key is already decided in the context of discussion.

The process of applying a specific key to a cipher is called "keying". So just to make things even more confusing, we could perhaps refer to rotN<N = 13> (AKA "rot13") then as a "keyed cipher".

:-)
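An added illustration of the distinction drawn in the comment above (my own code, not from any commenter): rotN is a reversible permutation keyed by N, "modulo 13" on character codes is a lossy many-to-one map (a hash, not a cipher), and a keyed hash such as HMAC is deterministic under its key yet still one-way. It uses only the Python standard library.

```python
import hashlib
import hmac


def rot_n(text: str, n: int) -> str:
    """Shift every ASCII letter by n places; n is the key, and rot13 is n=13.
    Each letter maps to exactly one letter, so this is a permutation."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + n) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + n) % 26 + 65))
        else:
            out.append(ch)  # digits, punctuation, spaces pass through unchanged
    return "".join(out)


def rot_n_decrypt(text: str, n: int) -> str:
    """Decrypt by applying the inverse key; for n=13 the cipher is its own inverse."""
    return rot_n(text, -n)


def mod13(text: str) -> list:
    """'Modulo 13' on the character codes: 256 possible byte values land on only
    13 residues, so distinct inputs collide and the input cannot be recovered."""
    return [ord(ch) % 13 for ch in text]


def image_size(fn, domain) -> int:
    """Number of distinct outputs fn produces over domain: equals the domain size
    for a permutation, strictly smaller for a lossy map like mod13."""
    return len({fn(x) for x in domain})


def keyed_digest(key: bytes, message: bytes) -> str:
    """A keyed hash (HMAC-SHA256): same key and message always give the same
    digest, a different key gives an unrelated one, and none of them can be
    run backwards to recover the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()
```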


What the hell are you talking about?

Google is not storing hashes of your emails instead of the emails. How is anything under discussion related to passwords?


I'm sorry, I misunderstood. The parent comment didn't mention emails being in plaintext, but just "Gmail." I took that as meaning passwords.
