Google is adding a much-demanded feature to its email service that offers improved security by ensuring users get an encrypted connection each time they access their account via a web connection. The new option means email sessions are automatically protected from start to finish with the secure sockets layer protocol even if a …
this isn't news
Firefox | Tools | Add-ons | CustomizeGoogle | Options | GMail | Secure (Switch to https)
It's news to me.
I didn't know this, so thanks, Register, for providing this information.
this is news
Sure, there are add-ons to do it, but google supporting it themselves raises the bar for the rest of the industry.
Why isn't this on by default?
Coat, Hat, Pub.
Cheers, El Reg
I reckon this could be the start of a Viz style El Reg "Top Tips" section. After all, we already have the equivalent of "Letterbocks"...
Just enabled the Gmail fancy security goodness myself.
"so if you don't use insecure networks you may not want to bother."
Sorry to point out the bleedin' obvious, but unless you're accessing gmail from within google's LAN (i.e. not via the internet), you're using an insecure network. For example, my connection goes through ca. 5 other networks + my ISP from my LAN to gmail.
What it should say is: "if the content of your emails is not valuable to a third party, don't bother". i.e. if you only get mail from Aunty Mabel & similar on your gmail account.
SSL should be browser default.
It would be nice if the browsers tried an SSL connection first when given a host name without an explicit http://. It would make caching a little more difficult, but the privacy and security that would come to most internet users simply from IE and Firefox defaulting to https:// would seem to be an obviously good thing.
+1 to google
@chuckufarley: https connections place more load on web servers (or load balancers), so it's cheaper to use https as little as possible
@Pheet: haha I thought the same. The internet is such a secure network!
So, well done Google. Some websites still send sensitive/password information by email so I'd rather it were encrypted.
Still, [pointing out bleedin' obvious again] the transport of mail from sender to gmail is still normally unencrypted, so I'm not 100% happy.
I, like this grumpy alien, am never 100% happy
This is good stuff - but it seems to have broken my Gmail Notifier.
This seems to be enabled by default for my personal domain. Nice.
Doesn't work when referred from Google Search
I am in the habit of using the basic Google Search page as my default browser page. To check my mail I click the Gmail menu option at the top of that page, to transfer to Gmail. Initially I see that it's an HTTPS connection but as soon as my password is verified, it defaults back to plain old HTTP. At least, it did when I tried it just now.
SSL, even without SSL!
"The new option means email sessions are automatically protected from start to finish with the secure sockets layer protocol even if a user accesses the account by typing http://gmail.com"
Are you joking? Oh dear, I don't see a Joke Alert.
I take it that the non-ssl Gmail site will redirect you to an https url under certain circumstances, but that clearly doesn't add up to the above absurdity.
Paris, because what's an IT angle without IT expertise?
IPSec, VPN, IPV6, sit down.
It would be nice but it is impractical. SSL connections can not by definition be cached (caching is also called eavesdropping when you don't want the caching to occur). No ISP has the sort of bandwidth infrastructure to provide internet without caching. Also, latency is doubly worse for 99% of websites that have no need to secure data.
What is needed is for more providers to do what Google has done here; to redirect users to the secured Login screen and keep communications over SSL for the entire session.
It's available to freetards and not us paytards on Apps.
Gmail still leaking though
However, be aware that your account name (e-mail address) is still displayed on a regular (unencrypted) Google search while you are logged in to Gmail. [Example: Go to https://mail.google.com and login. Open a second tab or window and go to http://www.google.com and it displays your account name on the top right.]
You'd think that Google would have updated their mobile app to allow for the "always on" setting...
...but no. I can log in, but it won't refresh the message list (or read an existing one).
Re: SSL, even without SSL!
It's fairly obviously saying that it'll sort itself out. I assume it'll redirect.
Breaks Notifier, but easy to fix...
Gmail Notifier will break when selecting https, but will work again after applying this:
well on my session
I have logged in at the moment, it's not encrypted.
go go billyG
To SSL or not to SSL.
So with this feature enabled I have a secure, encrypted connection between my PC and the Google mail servers thus allowing me to evade Phorm type technology that is installed at my ISPs' premises for the purpose of profiling my data and dishing me up more relevant ads. Sounds like sweetness and light to me.
But wait, haven't I already entered into a compact with the devil when I signed up for my Gmail account? Yep, I agreed they could carry out deep packet inspection of my data so that they could serve me up more relevant ads. Aw, shit.
The point here is that 'our' data has a commercial value and we should ensure that in return for access to that data we receive a suitable return. In Google's case we get a first class webmail service and access to many other valuable services including the best search engine on the internet. Whereas from the likes of Phorm you get a pathetic phishing filter that had to be bolted on to justify their very existence.
Ad-blocking is not a crime, it's a way of life.
A feature since day 1
People have been crying their eyes out for this but you've always been able to maintain an encrypted connection while checking your google webmail. All you needed to do was go to https://mail.google.com. This is since sometime early on when you got an invitation sent to you at random when you accessed google.com and use was still invitation-based.
I understand that for people who don't know what they're doing since they probably type mail.google.com which defaults to the non-SSL. But this update is really just a minor privacy issue. I like it and agree that it should have been there in the first place, but it's quite minor especially since you were already able to achieve this protection.
On the other hand, the microsoft webmail services DON'T offer this so far that I can tell.
@AC isn't the only one - this has completely killed the handy Gmail Notifier which sits in my tray.
I don't know what's more important: security or convenience?!
Answers on a postcard please ...
Hopefully they included support for hosted domains this time
They apparently didn't feel that domain hosted users didn't need the option, as it would ALWAYS drop back to http: after the login, even if you entered HTTPS: when you logged into your hosted domain's page.
I'm off to check all those other wonderful Google apps to see if they also got some SSL love...
It would be even better if *all* connections defaulted to https:// even if an explicit http:// header were present.
That way it would help immeasurably in keeping our sneaking, eavesdropping government scum from looking at what happens online.
Extend this to *all* traffic of every type and we'd be nearly back to where we were before the internet made traffic analysis and trawling too easy for the enemies of the people (that's governments for the hard of thought).
re: raises the bar for the rest of the industry.
Isn't this the sort of obvious feature that we as web 2.0 google-worshipping surfers seem to turn a blind-eye to for the sake of a wanky interface? This should have been the default behaviour since day one...
Another BS neologism is coined..
"Sidejacking", whatever happened to plain old eavesdropping? This was a fairly obvious problem to a lot of people before Errata Security came along.
iPhone GMail still unsecured...
The iPhone is still unsecured when clicking on the default Google app button. The address is http:www.google.com/... . To fix this you need to logon to https:// www.gmail.com/... once, login and bookmark the site, I named mine Google Secure and added an icon to the Home Screen for when I'm away from home.
Wonder how secure Apple's own Mail application is?
Jolly Roger, because someone will crack this too..
Does this protect me against Sweden?
So this is nothing to do with Phorm then?
Of course Google would not have done this just to bugger up Phorm and the other competition to their adware dominance by establishing SSL connections to customers using Google services....
News to me, very unpublicised
I've had a gmail account for three years and this is the first I've heard of it.
Instead of crappy ads and faff - publicise the useful stuff!
Where I work blocks a certain https page because they want to block the google chat application which inadvertently means blocking me using this :(
Kudos to Google for this welcome development. Now it means that your private mail can only be read by Google, rather than Google + world + dog.
Breaks both desktop Notifier and Gmail for mobile
You can set Gmail for mobile to always use a secure network, but it didn't work until I reset the first setting...
That said, you may not want some bozo on your behalf sending suggestively lewd comments to Aunty Mabel and your teenage nieces, or pointing out to your entire address book (your boss and your mother included) that /their/ mother smelled of submarine oil and wasn't sure which of the engineroom crew was their father but when sober she was sure an ID parade would quickly identify the one as plug-ugly as they were.
Remember kids, security isn't just for financial stuff....
For me the greatest advantage of this Firefox addon is not so much switching all Google apps to https, but the fact that it stops your search data being sent to Google Analytics, and it strips out all those sponsored ads from the results pages! I am constantly surprised when people mention being annoyed by online ads of all sorts, but then I have Customize Google, Adblock Plus and Flashblock installed, and I have seen nary an ad in years! <:D
Gmail still leaking though - more
Monitoring the packets from invocation of the https page to login results in 11 packets, all https except one packet http, which clearly shows the email address, in the set cookie AFAIK.
Anyone else confirm this, but in my view, it's not totally secure.
I put this together from the Google secure pro user script that's been out there for some time now.
"Forces gMail, gCal, Google Docs & Spreadsheets, Google Reader, Facebook.com, Posten.no, Psdata.no and Qxl.no to use an ssl connection. Read the instructions!"
Sorry Dan, but Ebay seems to be some of the same shitty thingie as facebook tho, there's also a facebook group, we want full ssl support in facebook or something. I've tried highlighting this problem for years now.
First, thanks for this useful tip. I just changed my settings (and my wife's) to ensure we can send items such as bank info data to (for example) our son without being concerned about it being intercepted. (Google specifically says it is both to and from their servers). I notice that now my Documents and Calendar data also go through a https: URL, so I assume these are encrypted as well. Very nice.
One curious thing: after I changed my Gmail account to https:, I logged out, opened my wife's (to fix it also), and got an https: connection there too. I checked and changed the setting anyway, but it seems that it did keep the secure connection once set on the other account.
I have no problem with the account NAME being transferred un-encrypted, that is closer to a public record anyway, and I don't get much junk e-mail on the account anyway, compared to my other accounts (work and an ISP).