
Comment by andy112

12 years ago

Can anyone explain what exactly is meant by "SSL added and removed here! :-)"?

It means that the Google Front End (GFE) server is where encryption/decryption of SSL happens, and that communication outside the GFE (e.g., Google->Client) is encrypted, while communication behind the GFE (internal to the Google Cloud) is clear text.

The implication is that there is no SSL from the front end web server to the back end data center, thus it is susceptible to snooping at that point.

  • Yes. It would be considered a private datacenter environment. Someone with DC access or in this case the ability to tap a closed fiber network can still attack it. This mostly applies to state actors.

[Edit: apparently, the decryption does not happen in real time. Instead, the encrypted traffic is stored and decrypted later. Either NSA/GCHQ think the latency introduced by doing a full MITM with the private key would blow their cover, or they're using some algorithm that isn't fast enough for full MITM. The below is a bad interpretation.]

My interpretation is that they've acquired - either via bag job or by unpublished algorithm - Google private keys, and are decrypting and copying traffic immediately before the Google Front End, then impersonating the client to the Google Front End. Presumably, the Google Front End is on Google premises, and Google would be aware of the warrant that let NSA install such a device behind the Google Front End, whereas the peering point in front of the Google Front End (or on the fiber to the Google Front End) would be on Telco premises, and we've seen the Telcos be all too eager to cooperate. Oh, except Qwest, where the CEO found himself in jail.