Can sniffers be used with encrypted email like Gmail? Aren’t https
connections secure even for public/wireless connections? Someone told me Gmail
was hacked by China. Can they do this?
There’s a misconception here that I want to clear up: Gmail is not encrypted.
In fact, encrypted mail is very rare.
I want to cover what encrypted mail means and how it relates to https.
And then I’ll talk about getting hacked.
Encrypted email implies that the message that you are sending is itself
encrypted before it even leaves your machine.
The great news about using this kind of encryption is that it doesn’t matter
if the email message is being transmitted in the clear or not, or if someone
accessed it at any point in transit. The message is and remains encrypted
until the recipient decrypts it.
The problem is that there is no pervasive standard for encrypted email.
Actually, encrypting email messages today requires a little bit of savvy on
both the sender and the recipient’s part, and typically, it requires additional
software or encryption certificates to be installed. On top of that, encryption
technologies that are commonly used are not necessarily compatible with each
other.
In other words, email encryption remains a bit of a mess.
But for those sufficiently motivated, it is indeed possible. Personally, I
recommend the Enigmail extension to Thunderbird, which relies on PGP/GPG
to encrypt and/or digitally sign messages.
And none of that relates to https.
Https encrypts your data while it is being transmitted between your computer
and the remote server.
What that means is that when you use a service like Gmail, a message is
actually stored in the clear on your machine and Google’s mail servers.
Https encrypts the message, and anything else, only while that message is in
transit between your computer and Google’s.
The good news is that https is a ubiquitous standard. It doesn’t suffer from
the confusion around email encryption. All web browsers support it; it’s
simply up to the service whether or not to make an https connection
Additional good news is that https protects you from the most common form of
data sniffing: the wireless connection between your computer and your Internet
connection. As I’ve written about before, anyone with a laptop and the
appropriate free software can listen in to unencrypted conversations at an open
Wi-Fi hotspot. If your email messages themselves are not encrypted (and most are not), then https is there to protect you.
A downside – sort of – is that https only protects the connection between
your computer and the server. The message is stored in unencrypted form,
transmitted between mail servers in potentially unencrypted form, stored on
your recipient’s computer in unencrypted form, and may even have been
downloaded to your recipient’s computer in unencrypted form if they were not using https or an equivalent.
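The hop-by-hop point above can be checked on a delivered message: each mail server adds a Received header naming the protocol it accepted the message with, and the RFC 3848 keywords containing an S after the protocol name (ESMTPS, ESMTPSA) mean that hop used TLS. This is an added example, not from the original article; the sample message, host names and function names are constructed, and it recognizes only PGP-style message encryption.

```python
import re
from email import message_from_string

# Constructed sample message (not from the article): three hops, only the first over TLS.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.7])
\tby mailstore.recipient.example with LMTP id c3; Tue, 02 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.9])
\tby mx.recipient.example with ESMTP id b2; Tue, 02 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example (laptop [192.0.2.10])
\tby out.sender.example with ESMTPSA id a1; Tue, 02 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: lunch
Content-Type: text/plain

See you at noon.
"""

# Match only mail-protocol keywords so "with cipher ..." comments are ignored.
WITH_RE = re.compile(r"\bwith\s+((?:E?SMTP|LMTP)S?A?)\b", re.I)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848

def is_message_encrypted(msg):
    """True if the message itself is encrypted (PGP/MIME or inline PGP)."""
    if msg.get_content_type() == "multipart/encrypted":  # PGP/MIME, RFC 3156
        return True
    body = msg.get_payload()
    return isinstance(body, str) and "-----BEGIN PGP MESSAGE-----" in body

def audit(raw):
    msg = message_from_string(raw)
    hops = []
    # Servers prepend Received headers, so reverse for sender -> recipient order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = WITH_RE.search(flat)
        proto = m.group(1).upper() if m else None
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append({"by": by.group(1) if by else "?", "protocol": proto,
                     "tls": proto in TLS_PROTOCOLS if proto else None})
    return {"message_encrypted": is_message_encrypted(msg), "hops": hops}

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("message encrypted:", report["message_encrypted"])
    for hop in report["hops"]:
        print(hop["by"], hop["protocol"], "TLS" if hop["tls"] else "no TLS / unknown")
```

Received lines are written by the servers themselves, so hops outside your own provider are claims rather than proof.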
Google was not hacked.
Is it possible? Absolutely.
Is it likely? Not very. Seriously, I consider this possibility extremely,
I definitely hear from people who are absolutely convinced that their email
provider’s servers have been hacked, but in absolutely every case that
I’ve encountered, deeper inspection turns up some significantly more mundane
explanation for whatever problem it is that they’re seeing.