GMail and SSL Encryption – how much is encrypted

encryption, gmail, ssl

It's strangely difficult to find out exactly how SSL works with email, at least insofar as answering my specific question – when I connect to Gmail using SSL, I understand that my connection is secure and thus data is all encrypted between MY COMPUTER and the GMAIL SERVER. However, is that all SSL does? For example, when I open an email on my computer, the data between Mountain View (or whatever) and my house is encrypted? Would that mean then if I email my friend who also uses Gmail with SSL/secure Gmail enabled, then if I send an email also with an attachment to his Gmail account that email as well as the attachment are encrypted at my computer, sent to the Gmail server, and then provided my friend uses SSL then he can securely acquire the email too? So there is no need for those Firefox encryption add-ons? Are those just for more robust encryption algorithms?

So in summary, here is what I think I have learned (and provides a summary for others reading). PLEASE CORRECT ME IF I AM WRONG:

  1. Gmail sends emails to Google servers with HTTP. Gmail also retrieves emails from Google servers with HTTP. When you connect to the Google servers using HTTPS (as opposed to HTTP) then the connection between your Gmail client and the Gmail servers is secure and data is encrypted going back and forth between the two.

  2. When using a client (Thunderbird for example) SMTP is used to send emails, and IMAP/POP are used for retrieving emails. At the add-on/options level, you can tell these clients to use TLS for both the SMTP and IMAP/POP steps.

  3. The Google servers probably don't use TLS with SMTP when bouncing emails back and forth amongst their servers.

  4. Conclusion – if using Gmail, always use HTTPS but know there is no encryption between Google's servers, but in the 'outside world' the connection between Google clients (as long as using HTTPS) is secure. If using Thunderbird (or something else) turn on TLS.

Is this correct?

Best Answer

When you trust the certificate from the site encrypted with SSL, you can:

  • Trust that the connection to that web server is encrypted.
  • Trust that the identity of that web server is correct (i.e. it's not a phishing scam).
  • Trust that someone isn't intercepting your traffic to the web server (man in the middle).

(the important thing here, of course, is that you trust the certificate presented by Google's mail server, which you generally should :-))

The data you submit in a form when composing an email will be encrypted through HTTPS as it travels from your client browser to the Gmail server that will pass it off to the SMTP server. When you display mail in your browser from the server, this is also encrypted.

SMTP does not encrypt mail, however. There are ways to use TLS (Transport Layer Security) over IMAP and POP to encrypt the authentication data from the user/client to the server. When you connect via IMAP/POP with TLS, the data you receive when retrieving mail is encrypted from the server to you. IMAP and POP are retrieval protocols only. When you use an external client such as Thunderbird to send mail, it will go through an SMTP server. This can be encrypted as well using SASL/TLS with SMTP, but again that is only from your client to the server, and not from the server to its final destination.

If you want to send and receive encrypted email end to end, no matter where it goes on the network, then you need to look into a solution like PGP/GPG. For more information about this, see the question I asked. Gmail's webui doesn't support usage of PGP/GPG, so you'll need to set that up with an external mail client such as Thunderbird, Mail.app, or Outlook (or others).

As far as email you send from your Gmail account to a friend's Gmail account, it is sent around inside Google's internal mail infrastructure. This may have one or more hops between servers, but usually stays within their private (10.x.x.x) network. You can verify this by looking at the headers of the email your friend sends. From the email in the Gmail webui, hit the drop down button next to the "Reply" and click "Show Original". You're looking for lines that start with "Received:", like these:

Received: by 10.215.12.12 with SMTP id p12cs100615qai;
        Sun, 18 Jan 2009 15:04:17 -0800 (PST)
Received: by 10.90.100.20 with SMTP id x20mr2195513agb.12.1232319857088;
        Sun, 18 Jan 2009 15:04:17 -0800 (PST)
Received: by 10.90.68.11 with HTTP; Sun, 18 Jan 2009 15:04:17 -0800 (PST)

This is a Gmail to Gmail message I have. The first (last) message here indicates that the mail server 10.90.68.11 received the message in question from an HTTP connection (webui). Then the mail went via SMTP to 10.90.100.20, then SMTP to 10.215.12.12, where it was delivered to me.

Again, while this is all internal to Google's network, SMTP should not be considered a secure protocol for sending sensitive information. Anyone who has access to the systems in the chain above can potentially read the message. Also note that Google Apps may go through a gateway system on their network that has an external address (still owned by Google, though).
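The header check described in the answer above, as an added example that is not part of the original post: it lists the hops oldest first, flags whether each receiving address is private, and whether the header's `with` keyword records TLS (the RFC 3848 `ESMTPS` family). The name `trace_hops` and the field names are assumptions made for this example; the sample input is the three header lines quoted in the answer.

```python
import email
import ipaddress
import re

# Constructed sample: the three Received lines quoted in the answer above.
SAMPLE = """\
Received: by 10.215.12.12 with SMTP id p12cs100615qai;
        Sun, 18 Jan 2009 15:04:17 -0800 (PST)
Received: by 10.90.100.20 with SMTP id x20mr2195513agb.12.1232319857088;
        Sun, 18 Jan 2009 15:04:17 -0800 (PST)
Received: by 10.90.68.11 with HTTP; Sun, 18 Jan 2009 15:04:17 -0800 (PST)

body
"""

BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
# RFC 3848 "with" keywords that record a TLS-protected hop.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def trace_hops(raw_message):
    """Return hops oldest-first as dicts: by, protocol, private, tls_recorded."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its own header, so reverse for chronological order.
    for value in reversed(msg.get_all("Received") or []):
        clauses = " ".join(value.rsplit(";", 1)[0].split())  # drop date, unfold
        by = BY_RE.search(clauses)
        proto = WITH_RE.search(clauses)
        host = by.group(1).strip("[]") if by else None
        try:
            private = ipaddress.ip_address(host).is_private
        except (ValueError, TypeError):
            private = None  # a hostname (or nothing), not an IP literal
        name = proto.group(1).upper() if proto else None
        hops.append({"by": host, "protocol": name, "private": private,
                     "tls_recorded": name in TLS_KEYWORDS})
    return hops
```

A `tls_recorded` value of `False` only means the header does not say TLS was used; plain `SMTP` or `HTTP` keywords carry no information about encryption on that hop.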
