Google to try more security on Gmail

1 comment | 1I like it!
June 16, 2009, 04:04 PM —  IDG News Service — 

After prompting by a group of privacy advocates, Google said Tuesday that it plans to test a more secure version of its Gmail service to see if it is viable.

Google plans to change its back-end servers so that some users will automatically use an encrypted HTTPS (Hypertext Transfer Protocol Secure) connection when they use Gmail. Right now, everyone uses HTTPS to log in to Gmail, but after that Web pages are sent without encryption.

This is a bad thing, privacy experts say, because it means that hackers with access to a network -- say at a café with Wi-Fi -- could take over a Google account using a technique known as session hijacking. They could also read e-mail, which often contains sensitive information.

"If you wanted to steal someone's identity, the inbox is where it's at," said Christopher Soghoian, one of the experts who called on Google to make the changes.

Soghoian, a student fellow with the Berkman Center for Internet and Society at Harvard University, was one of 38 security and privacy experts who Tuesday called on Google to adopt HTTPS.

Not only does HTTPS encrypt e-mail, making it harder to read, it also provides a way of authenticating the servers, so users can be more sure that they're really talking to Google and not some phishing site.

Gmail users can already read their messages via HTTPS, but to do this they need to click a "browser connection" box at the bottom of the settings page. Under the test, HTTPS would be turned on by default. HTTPS can be used to securely connect part or all of a Web page.

Google Docs and Calendar users can connect via HTTPS as well, but there's no setting to make this permanent. Users must simply type in https:// every time they connect to these services.

Last year, Google said it didn't use HTTPS by default because it would make the Web site too slow.

Soghoian has floated the idea at privacy events over the past few weeks that Google should be pressured to adopt SSL (Secure Sockets Layer), and Google's response to him was fast.

"We'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their e-mail," Google Software Engineer Alma Whitten said in a blog posting Tuesday. "Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS?"

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

I like it!
Close

On Twitter now

google

Powered by Twitter
You are logged in | Sign out
Sign in and post to Twitter

What are you thinking?

Cancel Tweet sent

On Twitter now

Comments

The gmail https situation

Several comments. First, https does not encrypt emails. It establishes an link between the browser and server where the data on that link is encrypted, and then decrypted when it comes out the other side. So the email itself stays decrypted.

Secondly, one of the consequences of this change (as I have been using it for a while now) is that any HTML based emails send will generate a warning about the fact that while the link to gmail is https, not all the links within a specific email are https, and thus you have a mix of "secure" and "unsecure".

Lastly, understand that while this may protect one in a wifi cafe from session hacking, it does not protect the user from various other security threats (not that you implied otherwise). People can still impersonate a site in an email, etc.
| reply
peer-to-peer

Esther Schindler
If the comments are ugly, the code is ugly

claird
SVG a graphics format for 21st century

pasmith
Take Chrome OS for a test spin

Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?

sjvn
64-bits of protection?

jfruh
Android fragments vs. the iPhone monolith

mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive

 

Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann

Join the conversation here

The Daily Tip

The Daily TipQuick, practical advice for IT pros. Made fresh daily.

Hot tips:

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.

Newsletters

Subscribe to ITWORLD TODAY and receive the latest IT news and analysis.

I would like to receive offers via email from ITworld partners.
By clicking submit you agree to the terms and conditions outlined in ITworld's privacy policy.
Featured Sponsor

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Marketplace