Slashdot Mirror


Gmail Moves To HTTPS By Default

clone53421 writes "Although Gmail has long supported HTTPS as an option, Gmail announced their decision yesterday to switch everyone to HTTPS by default: 'We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data. Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.' I wonder if this has anything to do with the reports of Chinese users having their accounts hacked? 'Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,' said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail's servers."

16 of 275 comments

  1. iGoogle support? by l2718 · · Score: 5, Informative

    For the moment Google's own gadget for iGoogle doesn't support HTTPS access to gmail.

    1. Re:iGoogle support? by incripshin · · Score: 5, Informative

      I have been complaining about this for a while. You cannot mix http and https content in a page, so the only solution is to send the whole page and all the gadgets over https. This is possible to do now, though you have to type in https://www.google.com/ig (necessary parts: https, www, /ig). There is also no preference for this as far as I can tell.

  2. Sniffing? I disagree. by FooAtWFU · · Score: 4, Informative

    Google couldn't really tell if there was sniffing going on in their users' connections. They could, however, figure out exactly what sort of activities someone using POP or IMAP or the web UI (or some compromised internal Google tool) ended up doing, based on logs.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  3. Great! by jwinster · · Score: 4, Informative

    Great move by Google, although TFA points out that there are some problems with offline gmail and HTTPS, kudos to them for coming straight out and saying it may be a problem, while posting a link for some workarounds: http://mail.google.com/support/bin/answer.py?hl=en&answer=172697

    --
    Q.E.D.
  4. Intercepting emails by Adrian+Lopez · · Score: 5, Informative

    'Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,' said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail's servers.

    Actually, I read somewhere that hackers gained access to a system designed to give law enforcement access to people's emails, presumably under warrant. [sarcasm]Who could have ever imagined the same loopholes intended for use by law enforcement could possibly be exploited by hackers as well?[/sarcasm]

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  5. The beginning of HTTPS for everything by default? by maillemaker · · Score: 5, Insightful

    I've long held that the only answer to pervasive surveillance is to encrypt everything.

    It won't stop them from cracking things that attract their attention, but for most things it won't be worth the hassle.

    Encrypt everything.

    --
    A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
  6. Found the source by Adrian+Lopez · · Score: 5, Informative

    I found the source. It's from PC World:

    That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
    1. Re:Found the source by Anonymous Coward · · Score: 4, Insightful

      And that right there, proves we're at war with China--much more than Al Qaeda. Just like George Washington's crossing of the Delaware, their attacks happen on Christmas Eve.

      People say it's kolluj students with time off, and to a certain extent--near uni holidays, you can see port scans and other crap go up. But the real--nasty brutish attempts, the subtle ones--happen Christmas, Easter, Labor Day--right when people aren't paying close attention. They're diabolical, they're automated--and tools like fail2ban don't catch the ssh brute force attempts, because they come from thousands of hosts one at a time--just trying to sneak in. And that's in addition to the web application attacks.

      I haven't finished writing my fake SSH server yet to see what people do when they get in, but I'm betting the entire medium is just one giant funnel to Beijing intelligence looking to slurp down as many usernames and passwords as they can.

      They're in our network, they've been in our networks. They've compromised the DoD, and hundreds of defense contractors, and the national labs. And because they're all corporate, it hardly ever makes the news--people that reveal it are sued and/or fired under suspicious circumstances.

      Make no mistake--this is war, and China is winning because we refuse to even admit it.

  7. Re:Hang on... by Brian+Gordon · · Score: 4, Informative

    Might as well scoop up the mod points if someone's going to get them. This, moron.

  8. Not through sniffing by Charles+Dodgeson · · Score: 4, Informative

    Apparently the two compromised accounts were because of "access a system used to help Google comply with search warrants by providing data on Google users." I've blogged about this. And my source for all of that is from an article in Computer World.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
    1. Re:Not through sniffing by Blakey+Rat · · Score: 4, Interesting

      That access is actually provided in a ton of places you wouldn't expect.

      Did you know that Xbox Live encrypts everything by default?

      Did you know the one and only exception is... voice communication? Hmm...

  9. Correction to summary by metrometro · · Score: 4, Interesting

    "Only two Gmail accounts appear to have been accessed"... by attacking Google systems directly. Using other methods, the attackers were highly successful.

    Google disclosed that upon investigating users suspected of being attacked, they found "dozens" of Chinese human rights activists who had been compromised through phishing, malware or other systems that allowed security forces (presumably) to read their mail via a valid authentication. So, while Google itself may be mostly reliable on the backend, the security ecosystem as a whole is deeply flawed.

    Google: "as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers."
    http://googleblog.blogspot.com/2010/01/new-approach-to-china.html

    So go change your passwords.

  10. Re:Wait, what? by profplump · · Score: 4, Informative

    If you're using keep-alive at the HTTP layer you're most certainly not closing and re-opening the underlying SSL socket -- in typical implementations the HTTP code is only vaguely aware that SSL even exists.

    Now not every server or client supports or uses keep-alive. But if you do then SSL is only negotiated once per session, not once per HTTP request.
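    An added example (not part of profplump's comment or the thread) that makes the keep-alive point measurable in Go: a local httptest HTTPS server counts the connections it accepts while a client sends five requests, first with keep-alive on and then with it disabled. It assumes only the Go standard library; the handler and request count are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// countConnections starts a local HTTPS server (httptest's self-signed
// localhost certificate, so it runs offline), sends n sequential GET requests
// and returns how many TCP connections the server accepted. Every new
// connection to an HTTPS server costs a TLS handshake, so this is the number
// of handshakes the client paid for (resumption shortens it, not removes it).
func countConnections(keepAlive bool, n int) (int32, error) {
	var newConns int32
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") }))
	// StateNew fires once per accepted connection, i.e. once per TLS handshake.
	srv.Config.ConnState = func(_ net.Conn, s http.ConnState) {
		if s == http.StateNew {
			atomic.AddInt32(&newConns, 1)
		}
	}
	srv.StartTLS()
	defer srv.Close()
	// srv.Client() trusts the test cert; clone its transport to toggle keep-alive.
	tr := srv.Client().Transport.(*http.Transport).Clone()
	tr.DisableKeepAlives = !keepAlive
	client := &http.Client{Transport: tr}
	for i := 0; i < n; i++ {
		resp, err := client.Get(srv.URL)
		if err != nil {
			return 0, err
		}
		// Draining and closing the body returns the connection to the idle pool.
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
	}
	return atomic.LoadInt32(&newConns), nil
}

func main() {
	for _, ka := range []bool{true, false} {
		c, err := countConnections(ka, 5)
		fmt.Printf("keep-alive=%v: 5 requests, %d TLS connection(s), err=%v\n", ka, c, err)
	}
}
```

With keep-alive the five requests share one TLS connection; with it disabled each request negotiates its own.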

  11. Re:The beginning of HTTPS for everything by defaul by dissy · · Score: 5, Insightful

    I don't know, I think there are some things that don't need encryption. I don't think I will ever need encryption to read google news, for example, or to watch youtube movies.

    Actually yes you need to encrypt that too.

    If you are selective about what you encrypt, then the best assumption to make is that the things you don't want/need to hide are plain text, and the things you want/need to hide are encrypted.

    Now when I am watching your data stream and see some google news, a youtube video, and finally an encrypted block of data, it is almost certain that whatever is in that encrypted block of data is worth my while to try and crack, as it is clearly data you want hidden.

    If you encrypt everything all the time, then I would always wonder what you are hiding (if anything!)
    I could take some of your encrypted data and try to crack it. Say it works once or twice, and all I see are you reading your daily news, and some video of a kitten falling over on youtube. Well hell, suddenly not only did I waste a lot of time cracking that encryption for nothing, but I would assume (possibly mistakenly) that you very well might not have anything to hide, and there is no reason to specifically look into anything you are doing.
    Even if I don't assume that, and either assume or just know that you DO have something to hide... Well as a hacker, where would I start? I don't have all the time and processing power in the world to brute force everything you do. I would always be very behind your 'now' traffic. By the time I eventually did get to decrypting the part you really wanted hidden, it could be years or decades later. How much use would that data be so long after the fact? More often than not, the older the data, the less useful it is.

    Encrypt everything. Nothing looks suspicious and out of the norm, so if/when you do something that you do want/need hidden from hackers, a hacker wouldn't even know it happened let alone know where to start looking for it.

    Not encrypting everything just paints a huge target on the exact data you are wanting to hide in the first place.

  12. Re:Will Yahoo! follow suit? by shish · · Score: 4, Funny

    I hate to read mail at cafes and other places where I'm not certain of the LAN security.

    Weird, I love reading mail at insecure cafes... you can sit in the corner and play games like "match the email to the person" and "convince the businessman that you're a replacement representative for his meeting" :-)

    --
    I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
  13. What about slashdot? by ratboy666 · · Score: 4, Interesting

    I really want EVERY site I visit to use https. Why doesn't slashdot?

    --
    Just another "Cubible(sic) Joe" 2 17 3061