Why does Google use the term "Off the record" when there is a product called Off the record[1] that has been used for end-to-end encryption of IM that pre-dates Google Talk?<p>Google does many good things, but it would be unreasonable for anyone to expect that they wouldn't store all your chat messages. "Chats that have been taken off the record aren't stored in your Gmail chat history, or in the Gmail chat history of the person you're chatting with."[2]<p>[1] <a href="https://otr.cypherpunks.ca/" rel="nofollow">https://otr.cypherpunks.ca/</a>
[2] <a href="https://support.google.com/talk/answer/29291?hl=en" rel="nofollow">https://support.google.com/talk/answer/29291?hl=en</a>
I don't think this is a problem. In the email vs OTR debate, signed emails are not forgeable because you are not supposed to give away your private signing key - to claim that someone forged a signed email, you must convince others that your private signing key was compromised at that time.<p>However, in this case you don't hold the private signing key, so Google can make whatever signatures it wants, even of things you didn't say, and there is no <i>cryptography</i> that links it back to you - because as a Google chat user, you don't have a private signing key.
Thanks for the heads up regarding the undocumented XMPP extension!<p>I'm sure Google chat already maintains plenty of additional signatures, checksums, etc. that stay entirely server-side; any of which would be more than sufficient to '<i>prove[...] cryptographically that your account sent that message</i>' should law enforcement need to '<i>verify the signature is correct</i>'.
How does signing a message make it any less (or more) ephemeral? You either store the copy or you don't (and Google does). I don't see how a signature could influence that.
I suspect this is an HMAC-SHA1 similar to what the blog author surmised. It's possibly a response to the recent fiasco where they misrouted IMs.<p>I think they use this signature in their backend as a last defense when routing a message to a recipient. Being meant for the backend explains why messages with corrupt signatures are accepted (the backend notices that incoming signature is bad, so it doesn't use the signature to check the message when routing).<p>2) I'm curious about what people who say "crypto in the browser/JS is bad" think about this. This seems to be a pretty good application of crypto to achieve a very narrow goal.
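The two points raised above (that a key held only by the server can sign anything, and that an HMAC-SHA1 over the message is useful to the backend as an integrity check on routing) can be shown with a small added example. This is not code from the thread, from the linked article or from Google; the field layout, the key handling and the routing fallback are all constructed assumptions, since the actual extension is undocumented.

```python
import hashlib
import hmac
import secrets

# Constructed example: the server holds the only copy of this key.
# Nothing here reflects Google's real key material or wire format.
SERVER_KEY = secrets.token_bytes(32)


def sign_message(key: bytes, sender: str, recipient: str, body: str) -> str:
    """Return a hex HMAC-SHA1 tag over the routing-relevant fields.

    Each field is length-prefixed before being fed to the MAC so that
    moving bytes between sender, recipient and body cannot yield the
    same tag (an assumed construction, not the real one).
    """
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for field in (sender, recipient, body):
        data = field.encode("utf-8")
        mac.update(len(data).to_bytes(4, "big"))
        mac.update(data)
    return mac.hexdigest()


def verify_message(key: bytes, sender: str, recipient: str, body: str, tag: str) -> bool:
    """Constant-time comparison of the presented tag with a recomputed one."""
    expected = sign_message(key, sender, recipient, body)
    return hmac.compare_digest(expected, tag)


def route_message(key: bytes, header_recipient: str, sender: str,
                  signed_recipient: str, body: str, tag: str) -> tuple[str, str]:
    """Backend routing step as the commenter describes it.

    A valid tag lets the backend trust the signed recipient field as a
    last-line check against misrouting. A bad tag does not reject the
    message; it is delivered on the header alone and the failure is noted.
    """
    if verify_message(key, sender, signed_recipient, body, tag):
        if signed_recipient != header_recipient:
            return ("hold", "signed recipient disagrees with routing header")
        return ("deliver", "tag ok")
    return ("deliver", "tag invalid, routed by header only")


def key_holder_can_forge(key: bytes, sender: str, recipient: str) -> bool:
    """Whoever holds the MAC key can produce a verifying tag for text the
    named sender never wrote, so the tag proves nothing about authorship
    to a third party. Returns True when the forged tag verifies."""
    forged_body = "text the sender never typed"
    forged_tag = sign_message(key, sender, recipient, forged_body)
    return verify_message(key, sender, recipient, forged_body, forged_tag)


if __name__ == "__main__":
    tag = sign_message(SERVER_KEY, "alice@example.com", "bob@example.com", "see you at 5")
    print(route_message(SERVER_KEY, "bob@example.com", "alice@example.com",
                        "bob@example.com", "see you at 5", tag))
    print(route_message(SERVER_KEY, "bob@example.com", "alice@example.com",
                        "bob@example.com", "see you at 6", tag))
    print("key holder can forge:", key_holder_can_forge(SERVER_KEY,
                                                        "alice@example.com", "bob@example.com"))
```

The integrity property and the forgeability property come from the same fact: an HMAC binds a message to the key, not to a person. That makes it a good fit for a server-internal routing check and a poor basis for any claim about who sent a message, which is the distinction drawn earlier in the thread.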
Maybe I'm missing the point here, but why is giving each message a signature worse than just hanging onto the message itself? Unless I'm missing something, each of these messages is sent to Google's servers, and presumably stored (forever).<p>In that sense, even without the signature, the record itself still exists. I'm thinking maybe they're trying to say that in the case of an end-user having a signature, <i>they</i> could look the message up? In that case, if they have a copy of that message in their inbox anyway, again, what is the difference?<p>Not trying to discredit the article, I think I must be overlooking something.
The article is really interesting, but I start rolling my eyes when the author jumps to the implication that this is some sort of plot to make government intrusion easier. I doubt that -- the police and litigants already have a myriad of ways to obtain and get chat transcripts admitted in court.<p>Perhaps this is a way to ensure message integrity when people are traversing networks that inspect TLS sessions?<p>Many enterprise environments, for example, use proxy servers that terminate SSL sessions at the network boundary, inspect the content, and then re-encrypt using a self-signed key. Perhaps Google has observed some malicious or obnoxious use of that technology in public or institutional wifi environments. (i.e. inserting ads, filtering "naughty" words, etc.)