this isn't news
Firefox | Tools | Add-ons | CustomizeGoogle | Options | GMail | Secure (Switch to https)
Google is adding a much-demanded feature to its email service that offers improved security by ensuring users get an encrypted connection each time they access their account via a web connection. The new option means email sessions are automatically protected from start to finish with the secure sockets layer protocol even if …
"so if you don't use insecure networks you may not want to bother."
Sorry to point out the bleedin' obvious, but unless you're accessing Gmail from within Google's LAN (i.e. not via the internet), you're using an insecure network. For example, my connection goes through ca. 5 other networks + my ISP from my LAN to Gmail.
What it should say is: "if the content of your emails is not valuable to a third party, don't bother", i.e. if you only get mail from Aunty Mabel & similar on your Gmail account.
It would be nice if the browsers tried an SSL connection first when given a host name without an explicit http://. It would make caching a little more difficult, but the privacy and security that would come to most internet users simply from IE and Firefox defaulting to https:// would seem to be an obviously good thing.
@chuckufarley: https connections place more load on web servers (or load balancers), so it's cheaper to use https as little as possible
@Pheet: haha I thought the same. The internet is such a secure network!
So, well done Google. Some websites still send sensitive/password information by email so I'd rather it were encrypted.
Still, [pointing out bleedin' obvious again] the transport of mail from sender to Gmail is still normally unencrypted, so I'm not 100% happy.
I, like this grumpy alien, am never 100% happy
I am in the habit of using the basic Google Search page as my default browser page. To check my mail I click the Gmail menu option at the top of that page, to transfer to Gmail. Initially I see that it's an HTTPS connection but as soon as my password is verified, it defaults back to plain old HTTP. At least, it did when I tried it just now.
"The new option means email sessions are automatically protected from start to finish with the secure sockets layer protocol even if a user accesses the account by typing http://gmail.com"
Are you joking? Oh dear, I don't see a Joke Alert.
I take it that the non-ssl Gmail site will redirect you to an https url under certain circumstances, but that clearly doesn't add up to the above absurdity.
Paris, because what's an IT angle without IT expertise?
It would be nice but it is impractical. SSL connections cannot by definition be cached (caching is also called eavesdropping when you don't want the caching to occur). No ISP has the sort of bandwidth infrastructure to provide internet without caching. Also, latency is doubly worse for 99% of websites that have no need to secure data.
What is needed is for more providers to do what Google has done here; to redirect users to the secured Login screen and keep communications over SSL for the entire session.
However, be aware that your account name (e-mail address) is still displayed on a regular (unencrypted) Google search while you are logged in to Gmail. [Example: Go to https://mail.google.com and login. Open a second tab or window and go to http://www.google.com and it displays your account name on the top right.]
So with this feature enabled I have a secure, encrypted connection between my PC and the Google mail servers thus allowing me to evade Phorm type technology that is installed at my ISPs' premises for the purpose of profiling my data and dishing me up more relevant ads. Sounds like sweetness and light to me.
But wait, haven't I already entered into a compact with the devil when I signed up for my Gmail account? Yep, I agreed they could carry out deep packet inspection of my data so that they could serve me up more relevant ads. Aw, shit.
The point here is that 'our' data has a commercial value and we should ensure that in return for access to that data we receive a suitable return. In Google's case we get a first class webmail service and access to many other valuable services including the best search engine on the internet. Whereas from the likes of Phorm you get a pathetic phishing filter that had to be bolted on to justify their very existence.
Ad-blocking is not a crime, it's a way of life.
People have been crying their eyes out for this but you've always been able to maintain an encrypted connection while checking your Google webmail. All you needed to do was go to https://mail.google.com. This is since sometime early on when you got an invitation sent to you at random when you accessed google.com and use was still invitation-based.
I understand that for people who don't know what they're doing since they probably type mail.google.com which defaults to the non-SSL. But this update is really just a minor privacy issue. I like it and agree that it should have been there in the first place, but it's quite minor especially since you were already able to achieve this protection.
On the other hand, the Microsoft webmail services DON'T offer this so far that I can tell.
They apparently didn't feel that domain hosted users didn't need the option, as it would ALWAYS drop back to http: after the login, even if you entered HTTPS: when you logged into your hosted domain's page.
I'm off to check all those other wonderful Google apps to see if they also got some SSL love...
It would be even better if *all* connections defaulted to https:// even if an explicit http:// header were present.
That way it would help immeasurably in keeping our sneaking, eavesdropping government scum from looking at what happens online.
Extend this to *all* traffic of every type and we'd be nearly back to where we were before the internet made traffic analysis and trawling too easy for the enemies of the people (that's governments for the hard of thought).
The iPhone is still unsecured when clicking on the default Google app button. The address is http:www.google.com/... . To fix this you need to logon to https:// www.gmail.com/... once, login and bookmark the site, I named mine Google Secure and added an icon to the Home Screen for when I'm away from home.
Wonder how secure Apple's own Mail application is?
Jolly Roger, because someone will crack this too..
Great...
You can set Gmail for mobile to always use a secure network, but it didn't work until I reset the first setting...
http://mail.google.com/support/bin/answer.py?hl=en_GB&ctx=mail&answer=74765
http://mail.google.com/support/bin/answer.py?answer=100210
That said, you may not want some bozo on your behalf sending suggestively lewd comments to Aunty Mabel and your teenage nieces, or pointing out to your entire address book (your boss and your mother included) that /their/ mother smelled of submarine oil and wasn't sure which of the engineroom crew was their father but when sober she was sure an ID parade would quickly identify the one as plug-ugly as they were.
Remember kids, security isn't just for financial stuff....
For me the greatest advantage of this Firefox addon is not so much switching all Google apps to https, but the fact that it stops your search data being sent to Google Analytics, and it strips out all those sponsored ads from the results pages! I am constantly surprised when people mention being annoyed by online ads of all sorts, but then I have Customize Google, Adblock Plus and Flashblock installed, and I have seen nary an ad in years! <:D
I put this together from the Google secure pro user script that's been out there for some time now.
"Forces gMail, gCal, Google Docs & Spreadsheets, Google Reader, Facebook.com, Posten.no, Psdata.no and Qxl.no to use an ssl connection. Read the instructions!"
http://userscripts.org/scripts/show/24701
http://userscripts.org/scripts/show/5951
Sorry Dan, but eBay seems to be some of the same shitty thingie as Facebook tho, there's also a Facebook group, we want full SSL support in Facebook or something. I've tried highlighting this problem for years now.
First, thanks for this useful tip. I just changed my settings (and my wife's) to ensure we can send items such as bank info data to (for example) our son without being concerned about it being intercepted. (Google specifically says it is both to and from their servers). I notice that now my Documents and Calendar data also go through a https: URL, so I assume these are encrypted as well. Very nice.
One curious thing: after I changed my Gmail account to https:, I logged out, opened my wife's (to fix it also), and got an https: connection there too. I checked and changed the setting anyway, but it seems that it did keep the secure connection once set on the other account.
I have no problem with the account NAME being transferred un-encrypted, that is closer to a public record anyway, and I don't get much junk e-mail on the account anyway, compared to my other accounts (work and an ISP).