Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Security of Google Talk

Posted on 2006-10-30
12
Medium Priority
?
1,874 Views
Last Modified: 2008-02-01
One of my clients would like to use email (specifcally webmail) for interoffice communication in a dental office (also occasionally want to be able to view outside the office).  The office has approx 30 associates who would use this method of communication.  Email is of course slow and insecure so I am considering Google Talk (IM).  I would like to know:

1) how secure/insecure is this?

2) Is there a way that I can control passwords for all of the users?

3) what port does G Talk use and is it always open (listening?) and is that a security risk?

Is there a better way to achieve the same result?

Bill

0
Comment
Question by:billrush2
  • 4
  • 3
  • 2
  • +2
12 Comments
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 17836500
I'm thinking that the reql question is not how secure or well built it is, but how the jury will react when they find out that the dentists were sending their patient's private information to a free service they didn't have a contract with guaranteeing a specific level of security.
0
 

Author Comment

by:billrush2
ID: 17836791
Unfortunately - very true!
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 400 total points
ID: 17837331
The packets are secure from the client to the server via them being encrypted via TLS (ssl's replacement)  and from the server to the other client.
GTalk is based on the Jabber protocol http://www.google.com/talk/about.html#privacy

GoogleDesktop might have something that your looking for, but I'm not sure
http://desktop.google.com/enterprise/about.html#admin
But I don't think there is centralized managment for Gtalk... you might use your own jabber server internally, there are tools for that.

IM typically is a 3rd party service. You sign in to Gtalk, AIM, MSN, and your on-line talking to that services servers, those servers then send your messages to other online buddies/contacts, and since each client initiated the contact to the IM's servers, your not listening for anything other than contact from those servers.
1.2.3.4 on port 45698 connects to (IM sever) 9.8.7.6 on port 443... no one can contact 1.2.3.4 on port 45698 unless their ip is 9.8.7.6... it's called an established session
or a stateful session: http://en.wikipedia.org/wiki/Stateful_firewall
-rich
0
WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

 
LVL 2

Assisted Solution

by:Tayger
Tayger earned 300 total points
ID: 17837385
Email is of course slow and insecure so I am considering Google Talk (IM).

=> You can use PGP encrypton that is a very strong security, but of couse not as fast as intime talk.
http://eu.pgpstore.com/ (Im sure there are also free PGP programs around)

1) how secure/insecure is this?
=> Atm Google talk is beta. Unless its stable I wouldnt recommend it if security is a issue. All over: no system is unbreakable.
Googles business is storing and analyizing data. So they store certain user data (how you configure Google talk, how long you very talking per session, timepoint of using GT, stored contatcs in GT, frequency and size of sent files, communication partner)
All over I didnt find anything they are storing/checking what is spoken over GT.
Sent data are encrypted like in most IM tools.

2) Is there a way that I can control passwords for all of the users?
=> No, Google talk is a single user program.

3) what port does G Talk use and is it always open (listening?) and is that a security risk?
=> As long as GT is open and set to "Online" its listening to GT server. Any programm with a open port to the Internet is vulnerable as soon as a exploit is known. IM programs are in general very secure against exploits (you dont hear a lot of IM exploits).
GT uses default port 5223. If its not working Google recommends port 443. Hacker programs will proably dock on those ports. So its recommandable to change the port to any other ID.

Is there a better way to achieve the same result?
=> Google talk is not better or worse than other IM tools. I have no security issue but Im happy with Skype. Of course they all have some unqiue features others wont have.
There are also providers you can find in Internet offering so called "meeting rooms" but they cost every time you use them and its only good for time based meetings.

As long as the dentist have http://www.experts-exchange.com/images/submitButton.gifa PC with unprotected customer dathttp://www.experts-exchange.com/images/submitButton.gifa on it online, they will not be less with a proved IM tool.

Oh, I just saw that PGP also offers IM encryption. You got more infos on the link above.

Hope I could help
Tayger
0
 

Author Comment

by:billrush2
ID: 17837436
So is the use of G Talk less secure than communicating via unsecured email?  Sounds like they are equivalent.  Is this accurate?

Bill

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17837625
No... Gtalk is encrypted, mail by default isnt...
-rich
0
 
LVL 2

Expert Comment

by:Tayger
ID: 17837640
Hmmm, you mixing two types of communication tools. But due both sending data over Internet I agree with you.

Tayger
0
 
LVL 2

Expert Comment

by:Tayger
ID: 17837680
Richrumble, you're right. I was thinking from the point that both wouln't be encrypted.
0
 

Assisted Solution

by:FarFromHome
FarFromHome earned 300 total points
ID: 17862701
Are the employee's of this dental office going to use gTalk to relay protected health information over the network? If so then I you can't recommend that solution to your client. When you are dealing with HIPAA you have to be vigilant about the protection of the patient information. These are the issues I see with doing this.

1. Everyone has to create a google mail account. There is no mass password tool to facilitate this. You are at the mercy of your users using simple passwords.
2. Google by default turns on chat history. This means that patient information will be stored on google servers and is forever searchable by you.
3. Being that your data has now been stored by google you have lost control of the data. If an employee quits or is terminated they have permanent access to this information.

Just think of the ramifications of a disgruntled employee having access to this data once they've been terminated. They could then start an investigation into your clients HIPAA practices. With $10k per day fines per area of non-compliance that could really add up when they have blatant proof of your non-compliance.

If inner-office communication is a priority then I would recommend running a Wildfire server. This is based off of Jabber which is the same protocol that gTalk uses. You can use encryption which would be preferable. Best of all the data stays within your network!!

http://www.jivesoftware.org/
0
 
LVL 2

Expert Comment

by:Tayger
ID: 17868942
FarFromHome, some points I have to correct:

Its not true that entered text is stored on Google's side. They store data like session time, set config, etc. but - so far - not typed text.  You can YOURSELF activate chat history on the local PC if you want to. Information you entered/set on GMail/over email will be used for internal (Google) analysis but NO ONE except Google can search that personal stuff.

Here is Googles licence agreement: http://www.google.com/talk/privacy.html

Google commited to the termns of SafeHarbor: http://www.export.gov/safeharbor/index.html

Just to make some things clear.
0
 

Expert Comment

by:FarFromHome
ID: 17869095
Do you even have a google talk account? It does in fact store your chat conversations on their servers. I just created another gmail account and by default they save chat history. You can also search your chat history from your gmail account. It is stored on googles servers and you can search it from any computer in the world. Try it out before you comment on it next time...
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17869293
By default, chats are not logged, Tayger is correct, you have to enable the setting- further you can go off-record if you wish
Your chat history will appear here if you choose to save your chats. You can change this in Settings
http://www.google.com/talk/chathistory.html
http://mail.google.com/support/bin/answer.py?ctx=%67mail&hl=en&answer=29290
http://mail.google.com/support/bin/answer.py?answer=29291 (off the record chats...)
-rich

0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question