1

Gmail provides an SSL connection and also encrypts the entire session by default. But if you send a mail, once it leaves gmails servers, it can be read at any point on the internet. But what about Gmail to Gmail paths (i.e. I send an email from my gmail account to somebody elses gmail account). Is that encrypted too, within gmails own servers? Also the same question for gmail chat (chatting with another gmail user).

user2428118
  • 2,788
  • 16
  • 23
Mark
  • 61
  • 1
  • 2
  • 3
    That's a question for Google, not us (and I'd be very alarmed if they'd answer it!). They could do it, or not: there are good reasons for them to go either way. My money would be on them not doing it, but I've no way of knowing. – Graham Hill May 03 '12 at 10:51
  • 1
    When in doubt, PGP. – Iszi May 03 '12 at 12:35
  • Related: http://security.stackexchange.com/a/13222/953 – Iszi May 03 '12 at 12:36
  • Ah, thanks Iszi, that gives me an idea of an answer. – Graham Hill May 03 '12 at 13:46
  • thanks, I just found this one, which answers it very well...except for Google Chat http://security.stackexchange.com/questions/6489/what-steps-do-gmail-yahoo-mail-and-hotmail-take-to-prevent-eavesdropping-on-e – Mark May 03 '12 at 18:08

4 Answers4

2

While we have no visibility of Google's internal security measures, there is a more general answer.

There are two common approaches to securing an email.

  • You can encrypt the contents at one client, and decrypt them at the other client.
  • You can set up secure channels and send the mail over that.

Both work in theory, but in practice it is very difficult to be sure that the channel stays encrypted over the whole of it's journey, because you usually don't control each step of the way.

In addition, even if Google were encrypting their internal traffic, they decrypt it at various points so they can read the contents (so they can target adverts at you) so they, or an internal attacker, can access your mail regardless.

So as a general rule, if you need to email confidential information, you should encrypt it at the client.

Graham Hill
  • 15,474
  • 37
  • 63
2

Yes, it is encrypted.

Is email from Google users to other Google users encrypted in transit?

Yes. This includes Gmail, Google Apps and notifications from Google+.

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
1

Snowden leaks showed that Google wasn't encrypting the tunnels between their datacenters (now they are), so at least at the time this was asked, it would have been possible to extract its contents even though it never leaved Google systems (maybe restricted to a fraction of gmail users, I don't know how Google partitions the datacenters used for each customer email data).

Ángel
  • 18,188
  • 3
  • 26
  • 63
0

It depends what kind of encryption you expect.

  • The ideal encryption is end-to-end, that is the mail is only available in clear for the sender and the recipient. Google/Gmail does not provide this kind of protection by itself, you have to use PGP or S/MIME on top of the existing infrastructure.
  • If you have no problems that only Google has the mail in clear text you are probably happy with the encryption it currently offers. That is encryption for the web interface (HTTPS) or for the mail client (IMAPS, SMTPS). Of course you also need the right browser and mail client which guarantees, that it you really communicate with Google and not some Man-In-The-Middle. That means proper certificate checking, preferable with certificate pinning - not all browser and mail clients provide this.
  • And if you are inside a company you might have firewalls in-between, which intercept the encrypted connections and thus can access the unencrypted mails (and passwords) too. In this cases the mail is still encrypted between your computer and the firewall and again between the firewall and Google, but is available in clear text on the firewall itself.

I summary: Even if the mail is sent only over encrypted channels, there will be some systems in the path which can access the mail in clear text.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434