Hello,

I am trying to understand gmail's authentication mechanism. I know it uses https for transporting the user credentials during login and then the rest of the communication happens over http. How is this achieved? Is some kind of key exchanged during the initial session over https and used in subsequent requests? If yes, isn't some kind of key agreement protocol (e.g. Diffie-Hellman) better for exchanging the shared key instead of https?

+2  A: 

https uses asymmetric encryption to obtain a symmetric key. After cookies are set using https they are the source of authentication over http, unless the user has set https to be always used.

cobbal
Hi, thanks for your reply. However, my question is: if it is only to exchange the initial credentials in a secure manner, then why use https? Or why isn't a key agreement protocol like Diffie-Hellman used instead of https?
Suresh Kumar
https uses something similar to Diffie-Hellman, and has the added security of a trusted root certificate, thereby preventing man-in-the-middle attacks.
cobbal
Thanks again. If https uses a key agreement protocol internally, I think this answers my question. For me, MITM attacks and message-level security are not a priority, and certificates are a strict no-no.
Suresh Kumar
A great resource for understanding how to create a secure login (different from gmail's approach) is http://pajhome.org.uk/crypt/md5/auth.html. The authentication is implemented in JavaScript and makes use of hashes instead of encryption.
cobbal
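An added illustration of the point made in the answer above, that cookies set during the https login become the authentication for every later plain-http request: a small Python model of the browser rule for the `Secure` cookie attribute (RFC 6265). This is example code written for this page, not part of the original answer, and the cookie names are constructed, not Gmail's.

```python
"""Model of how a browser decides which cookies to attach to a request.

A cookie issued during an https login but lacking the Secure attribute is
sent again over plain http, where anyone on the path can read it. Marking
it Secure confines it to https, which is why "always use https" matters.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False     # Secure: only attached to https requests
    http_only: bool = False  # HttpOnly: not exposed to page scripts


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (name=value; Attr; Attr=val)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(),
                  secure="secure" in attrs, http_only="httponly" in attrs)


class BrowserJar:
    """Minimal cookie jar applying the Secure rule of RFC 6265 section 5.4."""

    def __init__(self) -> None:
        self.cookies: Dict[str, Cookie] = {}

    def receive(self, set_cookie_headers: List[str]) -> None:
        for header in set_cookie_headers:
            cookie = parse_set_cookie(header)
            self.cookies[cookie.name] = cookie

    def cookie_header(self, scheme: str) -> str:
        """Build the Cookie request header for a request over `scheme`."""
        sent = [f"{c.name}={c.value}" for c in self.cookies.values()
                if scheme == "https" or not c.secure]
        return "; ".join(sent)


def exposed_over_http(jar: BrowserJar) -> List[str]:
    """Names of cookies that would travel in cleartext on an http request."""
    return [c.name for c in jar.cookies.values() if not c.secure]


# Constructed login response: one cookie without Secure, one with it.
LOGIN_RESPONSE_SET_COOKIES = [
    "SESSION=abc123; Path=/; HttpOnly",
    "SESSION_SECURE=xyz789; Path=/; Secure; HttpOnly",
]
```

Only the cookie without the `Secure` attribute is attached to a plain-http request, so that is the one a network observer would see.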