Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail Moves To HTTPS By Default

Posted by timothy on from the you-mean-I-gotta-log-in-again? dept.

clone53421 writes "Although Gmail has long supported HTTPS as an option, Gmail announced their decision yesterday to switch everyone to HTTPS by default: 'We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data. Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.' I wonder if this has anything to do with the reports of Chinese users having their accounts hacked? 'Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,' said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail's servers."

3 of 275 comments (clear)

  1. Re:Not through sniffing by Blakey+Rat · · Score: 4, Interesting

    That access is actually provided in a ton of places you wouldn't expect.

    Did you know that Xbox Live encrypts everything by default?

    Did you know the one and only exception is... voice communication? Hmm...

    --
    Comment of the year
  2. Correction to summary by metrometro · · Score: 4, Interesting

    "Only two Gmail accounts appear to have been accessed"... by attacking Google systems directly. Using other methods, the attackers were highly successful.

    Google disclosed that upon investigating users suspected of being attacked, they found "dozens" of Chinese human rights activists who had been compromised through phishing, malware or other systems that allowed security forces (presumably) to read their mail via a valid authentication. So, while Google itself may be mostly reliable on the backend, the security ecosystem as a whole is deeply flawed.

    Google: "as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers."
    http://googleblog.blogspot.com/2010/01/new-approach-to-china.html

    So go change your passwords.

  3. What about slashdot? by ratboy666 · · Score: 4, Interesting

    I really want EVERY site I visit to use https. Why doesn't slashdot?

    --
    Just another "Cubible(sic) Joe" 2 17 3061