Gmail Moves To HTTPS By Default

← Back to Stories (view on slashdot.org)

Gmail Moves To HTTPS By Default

Posted by timothy on Wednesday January 13, 2010 @10:34AM from the you-mean-I-gotta-log-in-again? dept.

clone53421 writes "Although Gmail has long supported HTTPS as an option, Gmail announced their decision yesterday to switch everyone to HTTPS by default: 'We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data. Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.' I wonder if this has anything to do with the reports of Chinese users having their accounts hacked? 'Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,' said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail's servers."

7 of 275 comments (clear)

Min score:

Reason:

Sort:

Next step: encryption at rest by giladpn · 2010-01-13 10:57 · Score: 3, Interesting

OK, better late then never. Good that Google has finally introduced HTTPS as a default.

Now the next feature we all need is encryption of the content of our data when it is at rest on disks in Google's data center. That way even Google employees cannot read our mail. Not for serving up ads. Not for any reason whatsoever.

And after that, Facebook and Twitter...

Nah, I'm dreaming.
Not really informative by billstewart · 2010-01-13 11:46 · Score: 3, Interesting

1a - If your email is encrypted with IPSEC, then there's a per-packet overhead from the extra packet header; it's not really a percentage, though you could think of it that way for average packet sizes. It's not significant for most applications except VOIP, which typically has very small data wrapped in lots of RTP/UDP/IPSEC/IP headers.
1b - If your email is encrypted at or above the transport layer, there's typically minimal overhead. The data encryption doesn't take extra space, except sometimes for the last packet of a session which might not contain a full block of plaintext so it gets padded by a few bytes.
1c - There's typically some setup overhead for key exchange. It doesn't take much transmission time unless you're on some funky very-low-bit-rate transmission medium, but there can be a couple of RTTs and some public-key math calculation time. So maybe it takes an extra second for you to start Gmail - big deal.
2 - That's why you compress the data *before* encrypting. Not many people use compressed transmission systems these days (e.g. fancy WAN optimizer tricks), and if anybody's still using SLIP or PPP with header compression, it doesn't care about HTTPS vs HTTP because that's not a Layer 1/2/3 problem.

--

Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Re:Not through sniffing by Blakey+Rat · 2010-01-13 11:51 · Score: 4, Interesting

That access is actually provided in a ton of places you wouldn't expect.
Did you know that Xbox Live encrypts everything by default?
Did you know the one and only exception is... voice communication? Hmm...

--
Comment of the year
Gmail gadget for iGoogle by kindbud · 2010-01-13 11:57 · Score: 3, Interesting

I removed the Gmail gadget for iGoogle from my iGoogle homepage, because despite the iGoogle being loaded via HTTPS, the Gmail gadget would use plain HTTP.
Have they changed the Gmail Gadget to also use HTTPS? I couldn't find anything about it.

--
Edith Keeler Must Die
Correction to summary by metrometro · 2010-01-13 12:07 · Score: 4, Interesting

"Only two Gmail accounts appear to have been accessed"... by attacking Google systems directly. Using other methods, the attackers were highly successful.
Google disclosed that upon investigating users suspected of being attacked, they found "dozens" of Chinese human rights activists who had been compromised through phishing, malware or other systems that allowed security forces (presumably) to read their mail via a valid authentication. So, while Google itself may be mostly reliable on the backend, the security ecosystem as a whole is deeply flawed.
Google: "as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers."
http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
So go change your passwords.
What about slashdot? by ratboy666 · 2010-01-13 12:57 · Score: 4, Interesting

I really want EVERY site I visit to use https. Why doesn't slashdot?

--
Just another "Cubible(sic) Joe" 2 17 3061
Re:Hang on... by asserted · 2010-01-13 13:30 · Score: 3, Interesting

> Maybe that cert has been compromised by a Chinese insider.
i don't see mail.google.com's cert on any revocation lists, so it's probably ok.
given the approach google has taken in other aspects of the unfolding drama,
i think it's a fairly safe bet that it would've been revoked by now if there was any doubt that it may have been compromised.