Google will switch from http to the encrypted https by default for every Gmail customer after deciding that the potential slowing of its service is justified by more secure mail.
Google had allowed people to choose to use the encrypted https if they wanted to, launching the option back in 2008.
However, after investigating the impact on the service, Google has decided to make https standard for all, with the option to turn it off.
Snoop stopper
"In 2008, we rolled out the option to always use https — encrypting your mail as it travels between your web browser and our servers," blogged Gmail Engineering Director Sam Schillace.
"Using https helps protect data from being snooped by third parties, such as in public wifi hotspots. We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data.
"Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do."
Rolling out
"We are currently rolling out default https for everyone," he adds. "If you've previously set your own https preference from Gmail Settings, nothing will change for your account.
"If you trust the security of your network and don't want default https turned on for performance reasons, you can turn it off at any time by choosing 'Don't always use https' from the Settings menu.
"Gmail will still always encrypt the login page to protect your password. Google Apps users whose admins have not already defaulted their entire domains to https will have the same option."
There are some issues with offline Gmail, and Google has posted a help page on how to work around them.
Your comments (2)
completelyprivatefiles
August 27th 2010
2. It's important to understand that https/SSL as described in this article only means that stuff you send to Gmail from your computer is encrypted while it's being transmitted. It doesn't mean that the messages that are stored on Gmail's servers are necessarily encrypted. Also, when you send an email outside of the gmail.com domain, that message is going to be sent in plain text. You have to encrypt the message itself if you want to ensure that it's secure all the way until it reaches its recipients. You can do that with something like FireGPG
http://getfiregpg.org/s/home
or our own Gmail Gadget:
http://bit.ly/bFozBT
josephadeo
January 13th 2010
1. This of course won't change much for those of us who have been using the https option ever since it was offered, but at VeriSign we're applauding the emphasis Google is putting on safety. It would be even better to see them implementing extended validation ssl and the phish-proof green url bar, but default https is a great start, and its absence should alert folks to potential phishing strategies when they arise. Great news.