Slashdot Mirror


Gmail Moves To HTTPS By Default

clone53421 writes "Although Gmail has long supported HTTPS as an option, Gmail announced their decision yesterday to switch everyone to HTTPS by default: 'We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data. Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.' I wonder if this has anything to do with the reports of Chinese users having their accounts hacked? 'Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,' said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail's servers."

6 of 275 comments

  1. iGoogle support? by l2718 · · Score: 5, Informative

    For the moment Google's own gadget for iGoogle doesn't support HTTPS access to Gmail.

    1. Re:iGoogle support? by incripshin · · Score: 5, Informative

      I have been complaining about this for a while. You cannot mix http and https content in a page, so the only solution is to send the whole page and all the gadgets over https. This is possible to do now, though you have to type in https://www.google.com/ig (necessary parts: https, www, /ig). There is also no preference for this as far as I can tell.

  2. Intercepting emails by Adrian+Lopez · · Score: 5, Informative

    'Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,' said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail's servers.

    Actually, I read somewhere that hackers gained access to a system designed to give law enforcement access to people's emails, presumably under warrant. [sarcasm]Who could have ever imagined the same loopholes intended for use by law enforcement could possibly be exploited by hackers as well?[/sarcasm]

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  3. The beginning of HTTPS for everything by default? by maillemaker · · Score: 5, Insightful

    I've long held that the only answer to pervasive surveillance is to encrypt everything.

    It won't stop them from cracking things that attract their attention, but for most things it won't be worth the hassle.

    Encrypt everything.

    --
    A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
  4. Found the source by Adrian+Lopez · · Score: 5, Informative

    I found the source. It's from PC World:

    That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  5. Re:The beginning of HTTPS for everything by defaul by dissy · · Score: 5, Insightful

    I don't know, I think there are some things that don't need encryption. I don't think I will ever need encryption to read google news, for example, or to watch youtube movies.

    Actually yes you need to encrypt that too.

    If you are selective about what you encrypt, then the best assumption to make is that the things you don't want/need to hide are plain text, and the things you want/need to hide are encrypted.

    Now when I am watching your data stream and see some google news, a youtube video, and finally an encrypted block of data, it is almost certain that whatever is in that encrypted block of data is worth my while to try and crack, as it is clearly data you want hidden.

    If you encrypt everything all the time, then I would always wonder what you are hiding (if anything!)
    I could take some of your encrypted data and try to crack it. Say it works once or twice, and all I see are you reading your daily news, and some video of a kitten falling over on youtube. Well hell, suddenly not only did I waste a lot of time cracking that encryption for nothing, but I would assume (possibly mistakenly) that you very well might not have anything to hide, and there is no reason to specifically look into anything you are doing.
    Even if I don't assume that, and either assume or just know that you DO have something to hide... Well as a hacker, where would I start? I don't have all the time and processing power in the world to brute force everything you do. I would always be very behind your 'now' traffic. By the time I eventually did get to decrypting the part you really wanted hidden, it could be years or decades later. How much use would that data be so long after the fact? More often than not, the older the data, the less useful it is.

    Encrypt everything. Nothing looks suspicious and out of the norm, so if/when you do something that you do want/need hidden from hackers, a hacker wouldn't even know it happened let alone know where to start looking for it.

    Not encrypting everything just paints a huge target on the exact data you are wanting to hide in the first place.