
Google beefs up security for Gmail, Docs and Google+

Written by David Meyer, Contributor

Google has increased the security of products such as Gmail, Google+ and Google Docs, by adding a feature called forward secrecy.

The company turned on HTTPS by default for Gmail and search last year. In a blog post on Tuesday, security team member Adam Langley said forward secrecy would make Google's services more secure in the long term.

Forward secrecy is, as the name suggests, intended to make sure that what is sent privately stays private in the future. Without it, session keys for specific connections are derived from private keys that are usually held on the service provider's server.

These private keys are almost always secure, but Langley said there was a danger that faster computers in the future could crack them, allowing a hacker to retrospectively decrypt emails that were secure at the time they were sent.

"Forward secrecy requires that the private keys for a connection are not kept in persistent storage," Langley wrote. "An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions."

Langley said Google had turned on forward secret HTTPS for Gmail, SSL search, Docs and Google+, and had also released work the company did on the open-source OpenSSL library to allow it to flip the switch.

"You can check whether you have forward secret connections in Chrome by clicking on the green padlock in the address bar of HTTPS sites," Langley wrote. "Google's forward secret connections will have a key exchange mechanism of ECDHE_RSA."

However, Langley added, only Chrome and Firefox will use the ECDHE_RSA (ephemeral elliptic curve Diffie-Hellman, authenticated with RSA) key exchange mechanism by default.

Recent versions of Internet Explorer support ECDHE, but not the combination of ECDHE and the RC4 cipher, which Google uses. Langley said Google hopes to support Internet Explorer in the future.
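
The padlock check Langley describes can also be scripted. The following is an added example, not code from the article or from Google: it classifies a negotiated cipher suite name by its key exchange, going beyond ECDHE_RSA to cover other OpenSSL-style and IANA-style names. The function names, the sample suite strings and the `example.org` host are assumptions made for illustration.

```python
import socket
import ssl

EPHEMERAL = {"ECDHE", "DHE", "EDH"}          # fresh (EC)DH key pair per handshake
OTHER_KX = {"ECDH", "DH", "ADH", "AECDH", "PSK", "SRP", "RSA"}
AUTH = {"RSA", "ECDSA", "DSS", "PSK", "ANON"}
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")  # TLS 1.3 names omit the key exchange


def key_exchange(suite):
    """Return the key-exchange label of a cipher suite name, e.g. 'ECDHE_RSA'."""
    name = suite.upper().replace("-", "_")
    if name.startswith(TLS13_PREFIXES):
        return "TLS1.3"
    if "_WITH_" in name:                      # IANA: TLS_ECDHE_RSA_WITH_RC4_128_SHA
        kx = name.split("_WITH_", 1)[0]
        return kx[4:] if kx.startswith(("TLS_", "SSL_")) else kx
    tokens = name.split("_")                  # OpenSSL: ECDHE-RSA-RC4-SHA
    if tokens[0] not in EPHEMERAL | OTHER_KX:
        return "RSA"                          # bare names such as RC4-SHA mean RSA
    if len(tokens) > 1 and tokens[1] in AUTH:
        return tokens[0] + "_" + tokens[1]
    return tokens[0]


def is_forward_secret(suite):
    """True when the handshake uses ephemeral (EC)DHE, so a later leak of the
    server's long-term private key does not expose recorded sessions."""
    kx = key_exchange(suite)
    # TLS 1.3 full handshakes always use ephemeral (EC)DHE. Anonymous DH
    # (ADH/AECDH) is unauthenticated and deliberately not accepted here.
    return kx == "TLS1.3" or kx.split("_")[0] in EPHEMERAL


def negotiated_suite(host, port=443, timeout=5.0):
    """Connect to host and return the cipher suite name the server selected."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]


if __name__ == "__main__":
    # Constructed sample names; swap in negotiated_suite("example.org") for a live check.
    for s in ("ECDHE-RSA-RC4-SHA", "RC4-SHA", "TLS_RSA_WITH_RC4_128_SHA",
              "TLS_AES_128_GCM_SHA256"):
        print(f"{s:28} {key_exchange(s):10} forward secret: {is_forward_secret(s)}")
```
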
