The UK-based IT journal, The Register, has an article today on a letter sent to Google’s CEO, Eric Schmidt, by a group of 37 security researchers, asking that Google set up encrypted browsing sessions (using the https: protocol) as the default for its GMail, Google Docs, and Google Calendar services. At present, Google does use a secure (encrypted) connection for its logins, but thereafter information is sent to and from the browser in clear text. What this means is that, although there is some protection against someone “sniffing” your Google login credentials, there is nothing to stop them from, for example, intercepting the text of an appointment you put on Google Calendar, or the contents of an E-mail message sent or received from GMail:
“Google’s default settings put customers at risk unnecessarily,” reads a letter lobbed to Google CEO Eric Schmidt by 37 academics and researchers. “Google’s services protect customers’ usernames and passwords from interception and theft. However, when a user composes email, documents, spreadsheets, presentations and calendar plans, this potentially sensitive content is transferred to Google’s servers in the clear, allowing anyone with the right tools to steal that information.”
(There is an option to fix this for GMail — see below — but it does not apply to the other services.)
Most people have probably heard by now of Google’s stated objective not to be evil. I’m glad to say that Google’s initial reaction, in a post in their “Online Security” blog, was fairly positive. And, as the authors of the letter point out, Google already offers more security capability than most providers of equivalent free services.
I think the letter writers have a point, and I hope that Google decides to follow through on this. The issue of security in Web applications is becoming more and more important with the growth in “cloud computing”, and it is another situation where the average user just is not well-enough informed to be left on his or her own to make security choices. Just using the https: protocol, which provides an encrypted connection between the browser and the Web server, is not a security panacea, of course; but it does provide reasonable protection against the easiest kinds of attack, like “sniffing” on an unencrypted wireless network (e.g., at Starbucks, or my local public library).
There have been some suggestions that making encrypted connections standard would cause an unacceptable degradation in performance. Given the way the protocol works, I think this is unlikely with modern hardware. For what it’s worth, I have had always-on encryption enabled on my GMail account since it was first offered, and have never noticed any problems.
Improving the general security of the Internet benefits everyone. A measure like this is somewhat analagous to vaccination against disease. It protects the individual, of course, but it also helps everyone when it’s common, because it gives “herd immunity” by reducing the potential payoff to attacks generally.
Brian Krebs of the Washington Post also has an article on this at his “Security Fix” blog. He also has available a copy of the letter [PDF].
Using “always-on” https: with GMail
IF you are a user of Google’s GMail service, you can configure your account to always use a secure connection for the duartion of your Gmail session. To do this, select the Settings link at the top of the GMail page, then select the General settings tab. Scroll down the list of options until you get to the Browser Connection item, and select “Always Use https”. Thereafter, when using GMail, your connections will be automatically encrypted.