"Without knowing how data is transferred between Google servers, nobody has any basis for knowing if risk still exists. We all now know that there is a hole, but without knowing more details, vague assurances from Google do not constitute reliable evidence that the hole has been plugged," he added.
Google's vague response suggests that the company hasn't completed the major undertaking Grosse referred to in September, and customers should take note of this, Heiser said.
"This is an instance in which the extreme size and complexity of Google should be a matter of suspicion for its users. Is the traffic or infrastructure supporting their search and advertising business a factor that inhibits the implementation of encryption between their sites?" Heiser said.
Peter Firstbrook, another Gartner analyst, was also unimpressed with Google's lack of response.
"As usual, Google gives no real information here," he said via email, referring to the March 20 blog post. "It is another 'trust us, we're doing the right thing.' No hyperlink into a fuller explanation. There may be a weakness in the new encryption scheme. We just don't know."
The lesson for buyers of software-as-a-service (SaaS) products is clear, according to Heiser: Demand clear, granular explanations from vendors about their security technology and policies.
"No amount of 'we have the following features' can ever help a SaaS buyer fully understand where a particular service might have undesirable vulnerabilities, if you don't have full details on the technology and topology of that service," he said. "SaaS is the digital equivalent to sausage: Mystery meat is not necessarily bad for you, but if you don't have full knowledge of the ingredients, you can never fully understand the health hazards."