Google gives GMail always-on encryption

Google is adding a much-demanded feature to its email service that offers improved security by ensuring users get an encrypted connection each time they access their account via a web connection. The new option means email sessions are automatically protected from start to finish with the secure sockets layer protocol even if …

COMMENTS

This topic is closed for new posts.
  1. hey_may
    Dead Vulture

    this isn't news

    Firefox | Tools | Add-ons | CustomizeGoogle | Options | GMail | Secure (Switch to https)

  2. Anonymous Coward
    Happy

    It's news to me.

    I didn't know this, so thanks, Register, for providing this information.

  3. Ed

    this is news

    Sure, there are add-ons to do it, but Google supporting it themselves raises the bar for the rest of the industry.

  4. chuckufarley Silver badge
    Pirate

    Dumb question...

    Why isn't this on by default?

    Coat, Hat, Pub.

  5. Anonymous Coward
    Anonymous Coward

    Cheers, El Reg

    I reckon this could be the start of a Viz style El Reg "Top Tips" section. After all, we already have the equivalent of "Letterbocks"...

    Just enabled the Gmail fancy security goodness myself.

  6. Pheet
    Boffin

    secure networks...

    "so if you don't use insecure networks you may not want to bother."

    Sorry to point out the bleedin' obvious, but unless you're accessing gmail from within google's LAN (i.e. not via the internet), you're using an insecure network. For example, my connection goes through ca. 5 other networks + my ISP from my LAN to gmail.

    What it should say is: "if the content of your emails is not valuable to a third party, don't bother". i.e. if you only get mail from Aunty Mabel & similar on your gmail account.

  7. Lorax
    Thumb Up

    SSL should be browser default.

    It would be nice if the browsers tried an SSL connection first when given a host name without an explicit http://. It would make caching a little more difficult, but the privacy and security that would come to most internet users simply from IE and Firefox defaulting to https:// would seem to be an obviously good thing.

  8. Anonymous Blaggard
    Alien

    +1 to google

    @chuckufarley: https connections place more load on web servers (or load balancers), so it's cheaper to use https as little as possible

    @Pheet: haha I thought the same. The internet is such a secure network!

    So, well done Google. Some websites still send sensitive/password information by email so I'd rather it were encrypted.

    Still, [pointing out bleedin' obvious again] the transport of mail from sender to gmail is still normally unencrypted, so I'm not 100% happy.

    I, like this grumpy alien, am never 100% happy

  9. Anonymous Coward
    Anonymous Coward

    Notifier

    This is good stuff - but it seems to have broken my Gmail Notifier.

  10. ben edwards

    domains

    This seems to be enabled by default for my personal domain. Nice.

  11. charles platt

    Doesn't work when referred from Google Search

    I am in the habit of using the basic Google Search page as my default browser page. To check my mail I click the Gmail menu option at the top of that page, to transfer to Gmail. Initially I see that it's an HTTPS connection but as soon as my password is verified, it defaults back to plain old HTTP. At least, it did when I tried it just now.

  12. Anonymous Coward
    Paris Hilton

    SSL, even without SSL!

    "The new option means email sessions are automatically protected from start to finish with the secure sockets layer protocol even if a user accesses the account by typing http://gmail.com"

    Are you joking? Oh dear, I don't see a Joke Alert.

    I take it that the non-ssl Gmail site will redirect you to an https url under certain circumstances, but that clearly doesn't add up to the above absurdity.

    Paris, because what's an IT angle without IT expertise?

  13. This post has been deleted by its author

  14. Adam
    Coat

    @Lorax

    It would be nice but it is impractical. SSL connections cannot by definition be cached (caching is also called eavesdropping when you don't want the caching to occur). No ISP has the sort of bandwidth infrastructure to provide internet without caching. Also, latency is doubly worse for 99% of websites that have no need to secure data.

    What is needed is for more providers to do what Google has done here; to redirect users to the secured Login screen and keep communications over SSL for the entire session.

  15. Will
    Paris Hilton

    shame

    it's available to freetards and not us paytards on Apps.

    Will

  16. Anonymous Coward
    Anonymous Coward

    Gmail still leaking though

    However, be aware that your account name (e-mail address) is still displayed on a regular (unencrypted) Google search while you are logged in to Gmail. [Example: Go to https://mail.google.com and login. Open a second tab or window and go to http://www.google.com and it displays your account name on the top right.]

  17. Gio Ciampa
    Unhappy

    Mobile snafu...

    You'd think that Google would have updated their mobile app to allow for the "always on" setting...

    ...but no. I can log in, but it won't refresh the message list (or read an existing one).

    Oops!

  18. Anonymous Coward
    Anonymous Coward

    Re: SSL, even without SSL!

    It's fairly obviously saying that it'll sort itself out. I assume it'll redirect.

  19. Tudor Svensson
    Happy

    Breaks Notifier, but easy to fix...

    Gmail Notifier will break when selecting https, but will work again after applying this:

    http://www.wikihow.com/Hack-Gmail-Notifier-to-Use-SSL

  20. Anonymous Coward
    Gates Horns

    well on my session

    I have logged in at the moment, it's not encrypted.

    go go billyG

  21. Jimmy

    To SSL or not to SSL.

    So with this feature enabled I have a secure, encrypted connection between my PC and the Google mail servers thus allowing me to evade Phorm type technology that is installed at my ISP's premises for the purpose of profiling my data and dishing me up more relevant ads. Sounds like sweetness and light to me.

    But wait, haven't I already entered into a compact with the devil when I signed up for my Gmail account? Yep, I agreed they could carry out deep packet inspection of my data so that they could serve me up more relevant ads. Aw, shit.

    The point here is that 'our' data has a commercial value and we should ensure that in return for access to that data we receive a suitable return. In Google's case we get a first class webmail service and access to many other valuable services including the best search engine on the internet. Whereas from the likes of Phorm you get a pathetic phishing filter that had to be bolted on to justify their very existence.

    Ad-blocking is not a crime, it's a way of life.

  22. Anonymous Coward
    Anonymous Coward

    A feature since day 1

    People have been crying their eyes out for this but you've always been able to maintain an encrypted connection while checking your google webmail. All you needed to do was go to https://mail.google.com. This is since sometime early on when you got an invitation sent to you at random when you accessed google.com and use was still invitation-based.

    I understand that for people who don't know what they're doing since they probably type mail.google.com which defaults to the non-SSL. But this update is really just a minor privacy issue. I like it and agree that it should have been there in the first place, but it's quite minor especially since you were already able to achieve this protection.

    On the other hand, the microsoft webmail services DON'T offer this so far that I can tell.

  23. Chris
    Unhappy

    Gmail Notifier

    @AC isn't the only one - this has completely killed the handy Gmail Notifier which sits in my tray.

    I don't know what's more important: security or convenience?!

    Answers on a postcard please ...

  24. Anonymous Coward
    Anonymous Coward

    Hopefully they included support for hosted domains this time

    They apparently didn't feel that domain hosted users didn't need the option, as it would ALWAYS drop back to http: after the login, even if you entered HTTPS: when you logged into your hosted domain's page.

    I'm off to check all those other wonderful Google apps to see if they also got some SSL love...

  25. Anonymous Coward
    Black Helicopters

    @Lorax

    It would be even better if *all* connections defaulted to https:// even if an explicit http:// header were present.

    That way it would help immeasurably in keeping our sneaking, eavesdropping government scum from looking at what happens online.

    Extend this to *all* traffic of every type and we'd be nearly back to where we were before the internet made traffic analysis and trawling too easy for the enemies of the people (that's governments for the hard of thought).

  26. Craig
    Thumb Up

    re: raises the bar for the rest of the industry.

    Isn't this the sort of obvious feature that we as web 2.0 google-worshipping surfers seem to turn a blind-eye to for the sake of a wanky interface? This should have been the default behaviour since day one...

  27. Anonymous Coward
    Unhappy

    Another BS neologism is coined..

    "Sidejacking", whatever happened to plain old eavesdropping? This was a fairly obvious problem to a lot of people before Errata Security came along.

  28. Anonymous Coward
    Pirate

    iPhone GMail still unsecured...

    The iPhone is still unsecured when clicking on the default Google app button. The address is http://www.google.com/... . To fix this you need to log on to https://www.gmail.com/... once, login and bookmark the site, I named mine Google Secure and added an icon to the Home Screen for when I'm away from home.

    Wonder how secure Apple's own Mail application is?

    Jolly Roger, because someone will crack this too..

  29. Anonymous Coward
    Anonymous Coward

    Does this protect me against Sweden?

    nt.

  30. The Cube

    So this is nothing to do with Phorm then?

    Of course Google would not have done this just to bugger up Phorm and the other competition to their adware dominance by establishing SSL connections to customers using Google services....

  31. archie lukas
    Flame

    News to me, very unpublicised

    I've had a gmail account for three years and this is the first I've heard of it.

    Instead of crappy ads and faff - publicise the useful stuff!

  32. Dave
    Unhappy

    sucks :(

    Where I work blocks a certain https page because they want to block the google chat application which inadvertently means blocking me using this :(

  33. Gianni Straniero
    Joke

    Great news

    Kudos to Google for this welcome development. Now it means that your private mail can only be read by Google, rather than Google + world + dog.

  34. Hugo
    Thumb Down

    Breaks both desktop Notifier and Gmail for mobile

    Great...

    You can set Gmail for mobile to always use a secure network, but it didn't work until I reset the first setting...

    http://mail.google.com/support/bin/answer.py?hl=en_GB&ctx=mail&answer=74765

    http://mail.google.com/support/bin/answer.py?answer=100210

  35. Anonymous Coward
    Unhappy

    @aunty mabel

    That said, you may not want some bozo on your behalf sending suggestively lewd comments to Aunty Mabel and your teenage nieces, or pointing out to your entire address book (your boss and your mother included) that /their/ mother smelled of submarine oil and wasn't sure which of the engineroom crew was their father but when sober she was sure an ID parade would quickly identify the one as plug-ugly as they were.

    Remember kids, security isn't just for financial stuff....

  36. Patrick Bateman
    Thumb Up

    Customize Google

    For me the greatest advantage of this Firefox addon is not so much switching all Google apps to https, but the fact that it stops your search data being sent to Google Analytics, and it strips out all those sponsored ads from the results pages! I am constantly surprised when people mention being annoyed by online ads of all sorts, but then I have Customize Google, Adblock Plus and Flashblock installed, and I have seen nary an ad in years! <:D

  37. Anonymous Coward
    Alert

    Gmail still leaking though - more

    Monitoring the packets from invocation of the https page to login results in 11 packets, all https except one packet http, which clearly shows the email address, in the set cookie AFAIK.

    Anyone else confirm this, but in my view, it's not totally secure.
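
Several comments above report the same class of problem: the session falling back to HTTP after login, and a cookie carrying the e-mail address in a plain HTTP packet. A defender's check for both, as an added example that is not from any commenter or from Google: it audits a captured request/response sequence for HTTPS-to-HTTP redirects and for cookies that can travel in clear text. The hosts, cookie names and capture are constructed; `Secure` is the standard cookie attribute from RFC 6265.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed capture: (request URL, response headers) in the order observed.
CAPTURE = [
    ("http://mail.example.test/",
     [("Location", "https://mail.example.test/login")]),
    ("https://mail.example.test/login",
     [("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly"),
      ("Location", "https://mail.example.test/inbox")]),
    ("https://mail.example.test/inbox",
     [("Set-Cookie", "PREF=user@example.test; Path=/"),
      ("Location", "http://mail.example.test/inbox")]),
    ("http://mail.example.test/inbox",
     [("Set-Cookie", "ACCT=user@example.test; Path=/")]),
]

def audit(capture):
    """Return (finding, url, detail) tuples for plaintext exposure in a session."""
    findings = []
    for url, headers in capture:
        scheme = urlsplit(url).scheme
        for name, value in headers:
            lname = name.lower()
            if lname == "location":
                # An HTTPS response that redirects to http:// drops the
                # session back to clear text (relative targets keep scheme).
                if scheme == "https" and urlsplit(value).scheme == "http":
                    findings.append(("downgrade", url, value))
            elif lname == "set-cookie":
                cookie = SimpleCookie()
                cookie.load(value)
                for key, morsel in cookie.items():
                    if scheme == "http":
                        # Cookie value already crossed the wire unencrypted.
                        findings.append(("cookie-over-http", url, key))
                    elif not morsel["secure"]:
                        # Set over HTTPS, but the browser will also send it
                        # on any later http:// request to the same host.
                        findings.append(("cookie-missing-secure", url, key))
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(*finding, sep="\t")
```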

  38. Mike
    Coat

    Userscripts anyone?

    I put this together from the google secure pro user script that's been out there for some time now.

    "Forces gMail, gCal, Google Docs & Spreadsheets, Google Reader, Facebook.com, Posten.no, Psdata.no and Qxl.no to use an ssl connection. Read the instructions!"

    http://userscripts.org/scripts/show/24701

    http://userscripts.org/scripts/show/5951

    Sorry Dan, but Ebay seems to be some of the same shitty thingie as facebook tho, there's also a facebook group, we want full ssl support in facebook or something. I've tried highlighting this problem for years now.

  39. Peter Bradshaw
    Happy

    Google Security

    First, thanks for this useful tip. I just changed my settings (and my wife's) to ensure we can send items such as bank info data to (for example) our son without being concerned about it being intercepted. (Google specifically says it is both to and from their servers). I notice that now my Documents and Calendar data also go through a https: URL, so I assume these are encrypted as well. Very nice.

    One curious thing: after I changed my Gmail account to https:, I logged out, opened my wife's (to fix it also), and got an https: connection there too. I checked and changed the setting anyway, but it seems that it did keep the secure connection once set on the other account.

    I have no problem with the account NAME being transferred un-encrypted, that is closer to a public record anyway, and I don't get much junk e-mail on the account anyway, compared to my other accounts (work and an ISP).
