Google Wave, the company's new real-time collaboration platform currently in private beta, is more secure than traditional email, claims the company. According to Greg D'alesandre, Google Wave product manager, that's because Google has focused on addressing privacy and security issues as the product was built from the ground up instead of waiting to deal with them later. Speaking to media in Sydney today, he detailed several of Wave's security features which are meant to stop criminals from exploiting the new technology and harming Wave users.
Built In Features to Prevent Spoofing
As reported by Australian news outlet ITNews, Wave has multiple levels of security which are designed to prevent email spoofing. Spoofing, meaning when you receive an email that claims to be from either a person or company you know but is actually from someone else - a hacker in most cases.
D'alesandre says the Wave protocol is more secure because it includes something he jokingly refers to as "crypto fairy dust." That's obviously meant to be a simple and fun way to explain the security complexities built into Wave which involve detailed authentication mechanisms to keep users safe from malicious attacks. In Wave, every bit of info you receive from another Wave user has already been authenticated as to its origin so you can be assured that they are who they say they are.
"You know you are getting the Wave from the person that is sending it to you and it has not changed mid-stream. This is a very big problem in current communication technologies - data can be changed mid stream and you will never know," said D'alesandre.
HTTPS Enabled by Default
For an additional layer of security, all Wave traffic is by default encrypted via HTTPS, a protocol for secure communications. That represents a big change in Google's standard policy regarding use of this protocol. It wasn't until July of 2008 that Gmail users were even given the option to encrypt messages using SSL and to enable it, you had to go into your settings and make a change - something that most mainstream users would never have bothered with. By the end of 2008, Google was only offering SSL as a feature in its other Google Apps programs if users were on either the Premier or Education editions. That meant that for non-paying consumer users, Google Docs, Calendar and other online offerings were only available via unencrypted HTTP sessions.
Today, little has changed. Still, only users of Premier and Education Editions have access to SSL and it's not switched on by default. The protocol is now available for Gmail, Chat, Calendar, Docs and Sites but not the Start page, Google Video or the Google Talk desktop client. Consumers using free Google apps like Docs still don't have SSL unless they type it in the address bar manually.
D'alesandre admitted that switching on encryption in Wave slows down the service a little (which probably explains the company's hesitance to switch it on in other products, too), but they ultimately decided that the security it provides was worth it.
Whitelisting Kills the Noise
A third security feature of sorts coming to Wave in the future is the ability to do "whitelisting." Wave users will be able to select which people they want to collaborate with and place them on a whitelist of approved persons. Only those who are on the list will be able to contact you via Wave and everyone else will be ignored.
That feature should certainly help to address the concerns certain folks have about Wave's "noise level," to some, an overwhelming amount of activity that led them to call out Wave as a distraction and a time-waster instead of the futuristic productivity product it intends to be. By allowing those who can't seem to embrace Wave's cacophony the ability to limit their collaborators, Wave could transfer from noisy attention killer to useful tool in an instant.
Of the three features, the first two are already in place. No date was given on the whitelisting feature, only that it will be "coming soon."