Google Blogoscoped

Forum

Gmail offline Gears Database not encrypted

Sankalp Kallakuri [PersonRank 1]

Friday, May 14, 2010
8 years ago2,902 views

The local database is not fully encrypted . This is a follow up on my post on this forum earlier.
blogoscoped.com/forum/168768.h ...

I found the offline functionality in the settings and the functionality worked fine. From a security perspective i feel it needs a lot more maturity.
The local storage isnt encrypted and occupies a whole lot of space.

Adobes AIR SQLite combination provides a much more secure, elegant , light and easy method for an offline client.

TOMHTML [PersonRank 10]

8 years ago #

What do you mean by "not fully encrypted". Can you tell us what is encrypted and what is not?

Ionut Alex. Chitu [PersonRank 10]

8 years ago #

I don't think Firefox, Chrome or other browsers encrypt local storage data, cookies, browser history etc.

Sankalp Kallakuri [PersonRank 1]

8 years ago #

By not fully encrypted I mean you will see the messages in plain text. There is a bunch of encrypted data, but I could not find the string i used as a password among the files which were saved offline. I could find the string I used as username. This done by just opening the locally stored files in a text editor.
Couple of .db files do not have the actual messages but data files stored in the local gears storage had plain text.
If you use the AIR SQLite option to have local storage the then the entire local database is encrypted. The encryption is done based on a encryption key generated by built in AIR classes, the key is generated using a SALT as well as login credentials.

David Mulder [PersonRank 10]

8 years ago #

As Ionut already mentioned, nothing is encoded by the browser (except passwords) including the html5 databases implemented in webkit browsers and firefox. This makes sense, as once the security of a computer is breached any encryption is pointless (because the program/system can simply observe and log all data) (note: the program is NOT a man in the middle, but rather listens on one of the two sides). The only advantage of encrypted data is that if your computer system would be physically stolen, it would prevent losses.

Roger Browne [PersonRank 10]

8 years ago #

> The only advantage of encrypted data is that if your computer
> system would be physically stolen, it would prevent losses.

...and to protect against that, you're better off with a whole-disk encryption system, than to depend on a browser extension.

Sankalp Kallakuri [PersonRank 1]

8 years ago #

[put at-character here]Roger and David: An SQLIte database can be fully encrypted. Why dont you download gears and play with it a little. Also download an Adobe Integrated Runtime [AIR]application which has abilities for encrypted local storage. Look at all the .db files for both gears and AIR, you shall see what I mean.

This has nothing to do with browser encryption. In an enterprise solution where several users may use the same machine to access a different copy of the application it makes sense to have an encrypted local database withing the users private environment.

Why do you think google discourages use of offline storage on public computers?

Roger Browne [PersonRank 10]

8 years ago #

> Why dont you download gears and play with it a little.

Because Google has announced that they will not be developing Gears further, as they will be moving to HTML5 for offline data storage.

Rohit Srivastwa [PersonRank 10]

8 years ago #

Its an old as well as known fact & already an attack tool is in the wild to exploit it (in a way)

andlabs.org/tools/imposter/imp ...

This thread is locked as it's old... but you can create a new thread in the forum. 

Forum home

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!