
What I found fascinating is that Google is digitally signing the data given to authorities. This is more than any free or paid user can obtain.

You have a green padlock in your URL but can you prove in court you received a given email? No, because a SSL connection is transient and you can't replay it to show that Google's certificate digitally signed that email in GMail.




> a SSL connection is transient and you can't replay it to show that Google's certificate digitally signed that email in GMail.

Actually, there is the TLSNotary[1] protocol that allows you to use the https connection as a means to sign the web content your browser received. There is the PageSigner browser extension that uses TLSNotary to sign webpages.

However, it seems like this project wasn't given a lot of love these last few years. Good news is version 2.0 has been released just a week ago[2], with support for TLS 1.2, but with a major drawback for me: it now trusts a server generating the TLS keys for the notarized page. Sure, it's an "oracle" server not controlled by PageSigner but still operated by Amazon.

[1] https://tlsnotary.org/

[2] https://tlsnotary.org/wp/?p=45


> can you prove in court you received a given email? No, because a SSL connection is transient and you can't replay it to show that Google's certificate digitally signed that email in GMail.

A TLS session replay is unnecessary. If you've got the email with its headers intact then you can prove that you received that email.

You might want to learn what email headers are available to you. You'd be interested in learning about ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results, and DKIM-Signature. Those headers will let you cryptographically validate that a message is authentic -- that the email is unaltered as Google received it from whoever sent it.

You'll also be interested in learning about Key Transparency: the signatures are created using Google's PKI which should be listed in any public key transparency log. That will let you prove that the signatures you validated were created using something that only Google knows.


>...that the email is unaltered as Google received it from whoever sent it.

Well technically whatever sent it. That stuff is all about the identity of mail servers, not individuals.


> can you prove in court you received a given email

Actually, you can get DKIM pubkey from DNS, and verify the e-mail. My mail server does that upon reception, and appends an extra header with validation results to the message.

So in my e-mail client I see:

Authentication-Results: ....; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=sKwsgxpv

on e-mail from gmail users.

So unless Google claims I hacked the gmail or the account of the sender, I can't fake that e-mail message and make it validate.
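
An added example, not part of any comment in this thread: the body-hash step of the DKIM check discussed above, in Python. It recomputes the canonicalized body hash and compares it with the `bh=` tag of the DKIM-Signature header; the check of `b=` against the public key from DNS is not performed here. The function names, the message, `example.com`, the selector `sel1` and the `b=` placeholder are all constructed for illustration.

```python
import base64, hashlib, re

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs (RFC 6376, 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is not significant
    return tags

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization from RFC 6376, 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of space/tab, drop whitespace at line ends
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash_ok(raw: bytes) -> bool:
    """Recompute the body hash and compare it with the signed bh= tag."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n(?=[ \t])", b"", head).decode("ascii")
    sig = next(ln.split(":", 1)[1] for ln in unfolded.split("\r\n")
               if ln.lower().startswith("dkim-signature:"))
    tags = parse_tags(sig)
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    data = canon_body(body, mode)
    if "l" in tags:  # l= signs only a prefix; anything appended after it is unsigned
        data = data[:int(tags["l"])]
    algo = hashlib.sha256 if tags["a"].endswith("sha256") else hashlib.sha1
    return base64.b64encode(algo(data).digest()).decode() == tags["bh"]

def constructed_message(signed_body: bytes, delivered_body: bytes) -> bytes:
    """Constructed sample: bh= covers signed_body; b= is a placeholder, not a signature."""
    bh = base64.b64encode(hashlib.sha256(canon_body(signed_body, "relaxed")).digest()).decode()
    head = ("From: alice@example.com\r\nSubject: schedule\r\n"
            "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            f" s=sel1; h=from:subject; bh={bh};\r\n b=PLACEHOLDER\r\n")
    return head.encode("ascii") + b"\r\n" + delivered_body

if __name__ == "__main__":
    sent = b"Meeting moved to 3pm.\r\nSee you there.\r\n"
    print(body_hash_ok(constructed_message(sent, sent)))
    print(body_hash_ok(constructed_message(sent, sent.replace(b"3pm", b"5pm"))))
```

A matching body hash only shows the body agrees with `bh=`; the message counts as DKIM-verified once `b=` also validates over the signed headers with the key published in DNS.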


> can you prove in court you received a given email

You can subpoena Google for the records. It would probably be easier to rely on that in court than cryptographic proof, as the legal system understands that much better.



