Gmail and HTTPS

If you use gmail, all of your email is probably going over the Internet unencrypted, which makes snooping on your sensitive data fairly easy for anyone on the path (on a shared wireless network, say). You may feel good that there's an "https://" in your address bar after you type "gmail.com" into it and hit enter, but notice that once you have authenticated and started reading email, it has gone back to "http://". Only the login was protected; the mail itself, and the cookie that identifies your logged-in session, travel in the clear from then on.

It's been possible for a while to work around this and use https for the email content too, by going to https://mail.google.com/ directly rather than letting the login page hand you back to http, but now gmail has made it easier. There's a new option in the main Settings screen called "Always use https". I strongly encourage all gmail users to turn this option on.

It's still really lame that they haven't made it the default mode of operation. Come on, gmail, don't you care about privacy?
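To make the failure mode above concrete, here is an added example (my code, not anything from the original post or from Google): it audits a constructed post-login response and models the browser's rule for which cookies go on a request, so you can see that a session cookie set without the Secure flag is sent in the clear the moment the page drops back to http://. The host and cookie names are hypothetical, and the headers are made up for illustration rather than captured from a real Gmail session.

```python
from urllib.parse import urlparse


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, attributes).

    Attribute names are lowercased; flag attributes such as Secure and
    HttpOnly map to True, valued ones such as Domain and Path to their value.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def _domain_matches(host, cookie_domain):
    # A leading dot on Domain= is ignored; the cookie then covers the
    # domain itself and every subdomain of it.
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def _path_matches(request_path, cookie_path):
    # RFC 6265 path-match: equal, or the cookie path is a prefix that ends
    # at a "/" boundary in the request path.
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent_to(jar, url):
    """Return the names of the cookies in `jar` a browser would attach to `url`.

    `jar` is a list of (name, attrs) pairs as produced by parse_set_cookie.
    The rule that matters here: a cookie without the Secure flag is sent
    over plain http:// just as readily as over https://.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path or "/"
    sent = []
    for name, attrs in jar:
        if attrs.get("secure") and parsed.scheme != "https":
            continue
        if not _domain_matches(host, attrs.get("domain", host)):
            continue
        if not _path_matches(path, attrs.get("path", "/")):
            continue
        sent.append(name)
    return sent


def audit_login_response(headers):
    """Return human-readable findings for a captured post-login response.

    `headers` is a list of (name, value) pairs. Two things are checked: a
    redirect back to a plaintext URL, and cookies set without the Secure
    flag (which is what lets the session keep working over http://).
    """
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and urlparse(value).scheme == "http":
            findings.append(f"redirects the logged-in user to plaintext {value}")
        elif lname == "set-cookie":
            cookie_name, attrs = parse_set_cookie(value)
            if not attrs.get("secure"):
                findings.append(
                    f"cookie {cookie_name} lacks Secure and will be sent over http://"
                )
    return findings


# Constructed sample (hypothetical host and cookie names, not a real capture):
# the response a login page might send once the password has been accepted.
SAMPLE_LOGIN_RESPONSE = [
    ("Location", "http://mail.example.com/mail/"),
    ("Set-Cookie", "SESSION=9f1c2d; Domain=.example.com; Path=/; HttpOnly"),
    ("Set-Cookie", "LOGIN=a7b8c9; Domain=.example.com; Path=/accounts; Secure; HttpOnly"),
]


def sample_jar():
    """The cookie jar a browser would hold after SAMPLE_LOGIN_RESPONSE."""
    return [parse_set_cookie(v) for n, v in SAMPLE_LOGIN_RESPONSE if n.lower() == "set-cookie"]


if __name__ == "__main__":
    for finding in audit_login_response(SAMPLE_LOGIN_RESPONSE):
        print("finding:", finding)
    for url in ("http://mail.example.com/mail/", "https://mail.example.com/mail/"):
        print(url, "->", cookies_sent_to(sample_jar(), url))
```

The constructed response shows both halves of the problem: the redirect after login points at an http:// URL, and the SESSION cookie was issued without Secure, so the browser attaches it to that plaintext request. The LOGIN cookie, which carries Secure, stays home on http:// and is only sent to https:// pages under /accounts, which is how a login-only cookie should behave. "Always use https" fixes the first half from the user's side; only the site can fix the second by setting the flag.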

6 comments:

Anonymous said...

You can in the "free" accounts but I don't see that option in the business account I have (free version).

Christopher Armstrong said...

Yeah, for some reason they haven't rolled out that option for Apps For Domains (I use it as well). In the meantime, you'll just have to make sure you go to

https://mail.google.com/a/yourdomain

to make sure you're using https.

Colin M said...

What makes you think Google has ever cared about privacy?

:)

chris said...

I came across this post in the 'unofficial planet python' feed and recognized your name from Twisted Matrix project.
I had never noticed that it reverted back to http. Thanks for the tip!

ddaa said...

Probably, it defaults to http because https would cause a regression in performance that users would be able to sense.

I do not remember the details, but I saw Launchpad developers talk a lot about this conundrum.

In the end, using https for contents boiled down to a few alternatives:

* Preventing the browser from caching anything (no CSS, no JavaScript, no images), which makes the user experience painful.

* Having some browsers display a "broken lock" or some other warning about the page including "insecure content".

* Imposing use of Firefox and asking users to turn on some undocumented option to enable https caching.

A lot of users would be set back by Gmail "suddenly becoming slow", and would not give a damn about it suddenly becoming more secure.

puzzling.org said...

ddaa: as of Firefox 3 the relevant option is on by default.

The bug on launchpad is this one: https://bugs.launchpad.net/launchpad/+bug/46591