I am one of 38 researchers and academics (almost all of whom are far more important and famous than I will ever be!), who has signed an Open Letter to Google’s CEO, Eric Schmidt.
The letter, whose text is released today, calls upon Google to honour the important privacy promises it has made to its customers and protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.
Google already uses HTTPS for sign-in, but the options to make the whole of the session secure are hidden away where few people will ever find them.
Hence, at the moment pretty much everyone who uses a public WiFi connection to read their Gmail or edit a shared doc has no protection at all if any passing stranger decides to peek and see what they’re doing.
However, getting everyone to change their behaviour will take lots of explaining. Much simpler to have Google edit a couple of configuration files and flip a default the other way.
The letter goes into the issues in considerable detail (it’s eleven pages long with all the footnotes)… Eric Schmidt can hardly complain that we’ve failed to explain the issues to him !
GMail has an option to enable HTTPS in it’s settings.
However, when you use iGoogle (google.com/ig) and add the GMail gadget, you have to turn off the GMail HTTPS setting for the gadget to work. This is true even if you access iGoogle over HTTPS – it requires the GMail gadget to be accessed over HTTP!
I question putting the whole blame on Google. I am in no sense defending Google, but wish to educate the – ultimately responsible – end user. With the relatively recent PoC showing how SSL sessions can be hijacked (http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1348473,00.html), it really is up to the end user to know 100% what he/she is doing / looking at. If I wanted to, I could set up a wireless AP on my laptop and act as a wireless relay to a real AP – all the while capturing the “apparent” encrypted traffic as clear-text. – In other words – stay away from public wifi networks. Me – I build ssh tunnel back to my home network and use it as a SOCK5 proxy – that way I have total control over my sessions and their security.
It warms my heart that people are working to make things better out there, thank you.
Just another anonymous coward showing there text support for your work.
Google (in the person of Alma Whitten) has responded to the open letter — in a fairly positive way.
http://googleonlinesecurity.blogspot.com/2009/06/https-security-for-web-applications.html
Just one minor problem,
What sort of load will using HTTPS for all trafic put on Googles servers?
CPU Cycles are not free even on a free service.
Addtional attack vectors should be also considered, in order to correctly grasp the threat level.
Even connections on mobile phones may be at risk, according to what is explained and demonstrated in the post “Gmail Hijacking on mobiles” here:
http://www.mseclab.com/?p=160
It’s not just Google – what about Apple’s MobileMe service – http://www.me.com. It has the same issue, but worse – there is no HTTPS option when using the service! So mail, contacts, calendars etc are all coming down over HTTP. Google are streets ahead of Apple here.
You would think those googlers would have thought about this, since they claim to be at the “blleeding edge” of technology. I’ve noticed a lot of websites that have login features still don’t use HTTPS for logins, resulting in “real” email addresses being harvested by spammers. Yahoo used to offer a secure login option a few years back, though I think they moved it to HTTPS permanently. However, if you use chat clients, they may still go over HTTP. I’m using my real email address for this site and am curious to know if this goes over HTTP or HTTPS too…