
I don't know much about the low-level details of CAC. (We've somewhat assiduously avoided working for the government --- not for political reasons).

I would venture a guess that Google 2-factor is about as resilient as DoD smart card auth, except that it relies on the security of your mobile device, and nobody in the world knows how far China can take an iOS exploit at the moment.

The SMS/GSM network is probably totally insecure against foreign adversaries (it's sound enough right now for routine financial transactions but I wouldn't want my bank account directly hooked up to it).

If you're going to use GMail, you should use Chrome. Chrome pins GMail's TLS certificates; Google will not let Chrome pretend that Comodo or GoDaddy or some Middle Eastern CA nobody's heard of has signed their own certificates.

I trust Chrome's TLS connecting directly to Google's TLS server more than I trust any third party VPN service. In fact, I don't trust VPN services at all. VPN software scares the shit out of me.

Make sure your desktop isn't owned up. If you're on a hostile network --- like, you really know the network is hostile --- one strategy is to install VMWare and use it to host an image that can run Chrome, and then have that VM be the only thing on your computer that talks to the network at all. Even if you start with a trustworthy connection to Google, you assume an attacker can trick Chrome (or Firefox or Safari or whatever you use to get to things besides GMail) into talking to some other random website, at which point the entire clientside of your browser is vulnerable to every zero-day vulnerability anybody knows about. Aurora, for instance, was just Javascript events.

Disable Java.

Thanks for your service.


