Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail Moves To HTTPS By Default

Posted by timothy on from the you-mean-I-gotta-log-in-again? dept.

clone53421 writes "Although Gmail has long supported HTTPS as an option, Gmail announced their decision yesterday to switch everyone to HTTPS by default: 'We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data. Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.' I wonder if this has anything to do with the reports of Chinese users having their accounts hacked? 'Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,' said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail's servers."

9 of 275 comments (clear)

  1. iGoogle support? by l2718 · · Score: 5, Informative

    For the moment Google's own gadget for for iGoogle doesn't support HTTPS access to gmail.

    1. Re:iGoogle support? by incripshin · · Score: 5, Informative

      I have been complaining about this for a while. You cannot mix http and https content in a page, so the only solution is to send the whole page and all the gadgets over https. This is possible to do now, though you have to type in https://www.google.com/ig (necessary parts: https, www, /ig). There is also no preference for this as far as I can tell.

  2. Sniffing? I disagree. by FooAtWFU · · Score: 4, Informative

    Google couldn't really tell if there was sniffing going on in their users' connections. They could, however, figure out exactly what sort of activities someone using POP or IMAP or the web UI (or some compromised internal Google tool) ended up doing, based on logs.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  3. Great! by jwinster · · Score: 4, Informative

    Great move by Google, although TFA points out that there are some problems with offline gmail and HTTPS, kudos to them for coming straight out and saying it may be a problem, while posting a link for some workarounds: http://mail.google.com/support/bin/answer.py?hl=en&answer=172697

    --
    Q.E.D.
  4. Intercepting emails by Adrian+Lopez · · Score: 5, Informative

    'Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,' said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail's servers.

    Actually, I read somewhere that hackers gained access to a system designed to give law enforcement access to people's emails, presumably under warrant. [sarcasm]Who could have ever imagined the same loopholes intended for use by law enforcement could possibly be exploited by hackers as well?[/sarcasm]

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  5. Found the source by Adrian+Lopez · · Score: 5, Informative

    I found the source. It's from PC World:

    That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  6. Re:Hang on... by Brian+Gordon · · Score: 4, Informative

    Might as well scoop up the mod points if someone's going to get them. This, moron.

  7. Not through sniffing by Charles+Dodgeson · · Score: 4, Informative

    Apparently the two compromised accounts were because of "access a system used to help Google comply with search warrants by providing data on Google users." I've blogged about this. And my source for all of that is from an article in Computer World.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  8. Re:Wait, what? by profplump · · Score: 4, Informative

    If you're using keep-alive at the HTTP layer you're most certainly not closing and re-opening the underlying SSL socket -- in typical implementations the HTTP code is only vaguely aware that SSL even exists.

    Now not every server or client supports or uses keep-alive. But if you do then SSL is only negotiated once per session, not once per HTTP request.