Tuesday February 9, 2010 11:28 PM AEST
Vulnerability Alerts
SANS
 
Microsoft
 
CERT/CC
 
 
 
Latest Comments
"I too have been a labor voter for many years and will not be voting for them again. The ..."
on Net filter legislation to go public by March
by maxt | Feb 9, 2010 7:56 PM
 
"I’ve just had a user receive a rehashed version of this with an attached html file containing a ..."
on ATO struck by new phishing scam
by Owen Lutz | Feb 9, 2010 6:01 PM
 
"hi"
on Chinese hacker school shut down
by manish kumar | Feb 9, 2010 4:27 PM
 
"Hey 'hey con-roy' ... from Google Australia's head of policy Iarla Flynn"We don't believe that ..."
on Conroy meets with Google for YouTube filtering
by Keep it real | Feb 9, 2010 3:33 PM
 
"@penno Off-site storage is a good solution unless you have some decent backup software to ..."
on Opinion: My holiday tip - backup your data now
by Charmgene | Feb 9, 2010 2:36 PM
Email Security

Google Wave secured with 'crypto fairy dust'

  • Email a Friend
  • Print Page
Google Wave secured with 'crypto fairy dust'
Related Articles
By Munir Kotadia
Oct 15, 2009 5:13 PM | 4 Comments
Tags: google | wave | greg | privacy | encryption | whitelist | spoof | sniff | networking | services | security
Wave goodbye to email spoofing.

Google Wave, the search giant's email-like collaboration tool, has been designed to avoid common security issues associated with traditional email because it contains a 'sprinkle of crypto fairy dust', according to the product manager of the technology, who was speaking to media in Sydney today.

User privacy is a huge concern for Google, according to Greg D'alesandre, Google Wave product manager.

He said Wave has been built with two levels of security designed to stop criminals exploiting the technology by spoofing another account - pretending to be someone they are not - or by sniffing Wave traffic while it is travelling between users.

"It is relatively easy to fake - or spoof - an email address. One thing we built into the Wave protocol is what we call crypto fairy dust. This means every piece of information you are getting on a Wave from another Wave server has authentication information built into it.

"So you know you are getting the Wave from the person that is sending it to you and it has not changed mid-stream. This is a very big problem in current communication technologies - data can be changed mid stream and you will never know," said D'alesandre.

In addition, he said, all Wave traffic is encrypted using https.

"If somebody was watching packets passing between the computer and the Wave server, they wouldn't be able to decrypt the information.

"There are a lot of products where you can choose if you want to use https. If you are at an internet café and decide not to use [https], it means there is a possibility for somebody to sniff that traffic. We don't give you that option," said D'alesandre.

He admitted that forcing encryption on users slows the product down but he said it was a price worth paying.

"Even though it is slower we think it is important to do it anyway. We have built privacy concerns from the ground up rather than waiting till there are issues and addressing them afterwards," D'alesandre said.

Google Wave users will soon also have the option to whitelist people they want to collaborate with. This means only people on their whitelist will be able to contact them - everyone else will be ignored.

Google Wave is currently in a limited beta test. The company has not yet indicated when it will be opened to the general public.

 
Ads by Google
Thoughts on this article? Add a comment below.
Comments: 4
"If somebody was watching packets passing between the computer and the Wave server, they wouldn't be able to decrypt the information" This sort of comment amazes me, in this day and age. Lots of firewall vendors offer DPI which is able to break down an SSL stream (a man in the middle attack essentially) and do it transparently to the user. I'd trust an HTTPS page as far as I could throw it.
SC Magazine - comments icon Posted by StewartOct 16, 2009 10:01 AM
But apparently the security is NOT only based on HTTPS but on built-in encryption: "...every piece of information you are getting on a Wave from another Wave server has authentication information built into it." Hence, more security.
SC Magazine - comments icon Posted by JanetOct 17, 2009 7:31 AM
The security is only as good as the weakest link though. If you have the username/password (via the decrypted SSL stream) it doesn't any difference whether this 'encryption fairy dust' exists.
SC Magazine - comments icon Posted by StewartOct 19, 2009 9:41 AM
'...every piece of information...' could simply mean they are using a hash to make sure the data has not been modified but I really want to be sure someone else has not read what I wrote (except the intended recipient, that is). I still would not call Wave an email replacement. It looks like a great collaboration tool but I prefer true end-to-end encryption for my e-mail replacement. For this, I would much prefer TrulyMail. There I know all my messages are stored on the server encrypted... literally nobody but the intended recipient can read it.
SC Magazine - comments icon Posted by JohnOct 19, 2009 2:53 PM
Report this comment as offensive:

   * Indicates information we require to process your submission.

Name: *
Email: *
Reason for offense: *
Your report will not be displayed.  
Name:
*
 
Email:
(will not be displayed)
*
 
Comment:
(HTML not permitted)
*
 
Validation
*

Enter the code you see below:

 

 
 
 
 
 
 
Messaging Whitepapers
 
Popular Tags
adobe attack attacks china cyber facebook flaw flaws google internet malware microsoft networking online privacy scam security social twitter web