Dr. Philip Emeagwali said the Internet is the repository of knowledge in the twenty first century. He's a supercomputer scientist and Internet pioneer with the IQ of a university, so we should listen to him.
We've built ourselves a huge exterior brain and filled it with our information. Is the private information in our exterior brain secure enough, or is the protection a little patchy? What about all the documents we have stored in the cloud? With Google Docs having become one of the more popular cloud repositories, there are tools specifically geared to securing that vast amount of stored information with an extra layer of encryption But do we really need it? It depends on your approach.
Approaches to security
Internet security is a complex, technical, and constantly shifting realm. We do what we can with the tools available. And some of us do more than others.
There are three common approaches that people take to dealing with Internet security - blind trust, paranoia, and best effort.
It's better to leave Internet security to the experts, so you let the Internet companies take care of security. You use Google Docs, but don't take any special precautions. Google protects Google Docs for you. After all, that's surely in their business interests.
If you have ever ended up at a website that says, in big bold letters, "Warning! 2 people are spying on you!" and momentarily worried about the people nearby, then you have experienced FUD (Fear, Uncertainty and Doubt).
FUD is strong on both sides of the Internet user bell curve. FUD leads the technically illiterate to avoid anything that may leak private information to strangers, such as any use of Google Docs. FUD also leads security experts to avoid anything that may leak private information to strangers, such as any use of Google Docs.
Competent and experienced Internet users -- the rest of us -- take reasonable security precautions. We are happy to use Google Docs. We do put some effort into tightening up our Internet security, but we won't go too far. Checking a certificate chain is no problem, but writing an encryption algorithm is way too hard.
After many years of building up a language of icons, we know that a padlock means security enforcement. A web browser padlock means the conversation between the two endpoints (local web browser and Google's remote server) is protected. We have protected our local workstation with a screen lock and perhaps disk encryption. The last piece of the puzzle is protecting the remote document.
CipherDocs and SafeGDocs
I've previously written about an extension for Firefox called CipherDocs, which has been languishing in beta since I first wrote about it. While still available for download, the FAQ page warns that "the beta should not be used for confidential information as it is not in a mature stage", which rather limits its usefulness. However, there is a new and similar extension, SafeGDocs, from a Spanish organization called Gradiant (Galician Research and Development Center in Advanced Telecommunications).
Where the CipherDocs extension (cipherdocs_1_0_12.xpi) is a 6MB file, the SafeGDocs extension (safegdocs_v1.4.5beta.xpi) is a fraction of that size at 119KB. In itself, that doesn't mean very much because all modern workstations will laugh in the face of a few megabytes. It's what the size represents that makes the difference.
Installation of SafeGDocs is simple. Actually getting to the installation page is a bit tricky -- you have to jump through a few hoops to get to the web browser extension (you must reply to a mail from SafeGDocs and agree to terms and conditions) but once you're there, it's a one-click install. The SafeGDocs implementation is all contained within that little Mozilla package - dependencies have been removed.
Installation of CipherDocs requires fiddling with browser configuration and security libraries. The CipherDocs site does link straight to the Mozilla extension, which is easier, but the CipherDocs implementation runs in a JVM (Java Virtual Machine). It's hard to turn a Java app, with its convoluted structure, security restrictions, and complicated runtime needs, into a simple install, and the CipherDocs people have not hit on the magic combination.
In action, SafeGDocs keeps it simple for the user. It's got a padlock icon - the SafeGDocs padlock means your remote document is protected. The list of your files in Google Drive shows an extra AES label on your encrypted documents.
CipherDocs, SafeGDocs and many other security add-ons talk AES (Advanced Encryption Standard). That AES label means, behind the scenes, your document and password have both been fed to a symmetric cipher and the resulting impenetrable mess is stored on your Google Drive. When you open the document up, your encrypted file and password have been fed to the same cipher and the resulting readable doc is displayed in your browser. SafeGDocs encrypts the document content and also the styles - font size, colours, tables and so on.
If you want to find out if SafeGDocs is effective and easy to use, give it a try. It's free. If you are a mathematician or security expert who can look for security holes, see if you can break it. For the rest of us, we will just be happy that it is an easy way to add more security.
Nick Hardiman builds and maintains the infrastructure required to run Internet services. Nick deals with the lower layers of the Internet - the machines, networks, operating systems, and applications. Nick's job stops there, and he hands over to the designers and developers who build the top layer that customers use.