Google to try more security on Gmail

Privacy advocates have called for a more secure version of the webmail service

After prompting by a group of privacy advocates, Google said Tuesday that it plans to test a more secure version of its Gmail service to see if it is viable.

Google plans to change its back-end servers so that some users will automatically use an encrypted HTTPS (Hypertext Transfer Protocol Secure) connection when they use Gmail. Right now, everyone uses HTTPS to log in to Gmail, but after that Web pages are sent without encryption.

This is a bad thing, privacy experts say, because it means that hackers with access to a network -- say at a café with Wi-Fi -- could take over a Google account using a technique known as session hijacking. They could also read e-mail, which often contains sensitive information.

"If you wanted to steal someone's identity, the inbox is where it's at," said Christopher Soghoian, one of the experts who called on Google to make the changes.

Soghoian, a student fellow with the Berkman Center for Internet and Society at Harvard University, was one of 38 security and privacy experts who Tuesday called on Google to adopt HTTPS.

Not only does HTTPS encrypt e-mail, making it harder to read, it also provides a way of authenticating the servers, so users can be more sure that they're really talking to Google and not some phishing site.

Gmail users can already read their messages via HTTPS, but to do this they need to click a "browser connection" box at the bottom of the settings page. Under the test, HTTPS would be turned on by default. HTTPS can be used to securely connect part or all of a Web page.

Google Docs and Calendar users can connect via HTTPS as well, but there's no setting to make this permanent. Users must simply type in https:// every time they connect to these services.

Last year, Google said it didn't use HTTPS by default because it would make the Web site too slow.

Soghoian has floated the idea at privacy events over the past few weeks that Google should be pressured to adopt SSL (Secure Sockets Layer), and Google's response to him was fast.

"We'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their e-mail," Google Software Engineer Alma Whitten said in a blog posting Tuesday. "Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS?"

If the test works out, then Google will "turn on HTTPS by default more broadly, hopefully for all Gmail users," Whitten said.

Google wouldn't say when it will begin testing, but the company is ahead of rivals Yahoo and Microsoft, which do not offer their users an HTTPS connection, said Jeremiah Grossman, chief technology officer with White Hat Security.

Because encrypted messages contain more information, HTTPS can slow down Web surfing, and if Google finds that performance is so bad that some users drop the service, that would be a major problem, he said.

On the other hand, HTTPS performance can be sped up by using special chips on the server, called accelerators. But that costs money.

"Free, always-on HTTPS is pretty unusual in the email business, particularly for a free email service," Whitten wrote. "But we see it as another way to make the Web safer and more useful. It's something we'd like to see all major webmail services provide."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Topics: Gmail, web mail, Google, security
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?