
Google's Gmail Defaults to Encrypted Sessions

Google has announced that all Gmail sessions are now secured using SSL/TLS by default, rather than as a choice each individual user had to make in configuration settings. The previous default setting encrypted user logins to Gmail - as Google secures all logins - but left the content of sessions in the clear. The default encryption may be manually disabled.

The problems with offering webmail sessions in the clear were known years ago, because your messages could be intercepted on public networks, such as Wi-Fi hotspots. The ante was raised in 2007, however, when a security researcher showed that the token that Google placed in a browser cookie to identify the user after login could be "sidejacked": intercepted by another user on the same local network and replayed to take over a Gmail session. (See "Sidejack Attack Jimmies Open Gmail, Other Services," 27 August 2007.)

There was a workaround to use SSL at that time, where you could enter a different URL, but Google didn't expose this option, and average users would have been unaware of the consequences. In mid-2008, Google added an option to use SSL/TLS as the default, but each user had to make this setting change to activate it. (See "Google Gmail Adds Secure Session Option," 28 July 2008.)

Finally, in mid-2009, many prominent security experts asked Google in an open letter to secure all sessions for Web applications to avoid sidejacking, interception, and other issues that could allow identity theft and access to private information. (See "Security Experts Urge Google to Secure All Sessions," 19 June 2009.)

Google said then that it was concerned about latency (the delay in handshaking of transactions before data is actually sent) and additional overhead for people who don't have broadband. Apparently, Google has now tweaked its system to balance the need for speed for some users with security for all.
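The sidejacking problem described above comes down to a session cookie that can be observed off the wire. As an added example (not from the article, Google, or TidBITS), the following Python audit flags session-looking cookies that are issued over plain HTTP or lack the standard Secure and HttpOnly attributes; the cookie names, the "session hint" substrings, and both sample responses are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the exposure that enabled
# session "sidejacking". A session token issued over plain HTTP, or without
# the Secure attribute, can be read by anyone sharing the network path.
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed heuristics: substrings that suggest a cookie carries a session token.
SESSION_HINTS = ("sid", "sess", "token", "auth", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value into its name and the flags we care about."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Domain=...) are ignored here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieReport(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit_response(scheme: str, set_cookie_headers: List[str]) -> List[CookieReport]:
    """Return reports for session-like cookies exposed to interception."""
    findings = []
    for header in set_cookie_headers:
        rep = parse_set_cookie(header)
        if not any(hint in rep.name.lower() for hint in SESSION_HINTS):
            continue  # preference cookies and the like are not the concern here
        if scheme != "https":
            rep.problems.append("issued over plaintext HTTP")
        if not rep.secure:
            rep.problems.append("missing Secure attribute")
        if not rep.httponly:
            rep.problems.append("missing HttpOnly attribute")
        if rep.problems:
            findings.append(rep)
    return findings


# Constructed sample responses (not captured from Gmail): the pre-default-TLS
# pattern of a token cookie over HTTP, and a hardened equivalent over HTTPS.
LEGACY_RESPONSE: Tuple[str, List[str]] = (
    "http", ["SID=abc123; Domain=.example.com; Path=/", "PREF=lang%3Den; Path=/"])
HARDENED_RESPONSE: Tuple[str, List[str]] = (
    "https", ["SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly", "PREF=lang%3Den; Path=/"])

if __name__ == "__main__":
    for label, (scheme, headers) in (("legacy", LEGACY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for rep in audit_response(scheme, headers):
            print(f"{label}: cookie {rep.name}: " + "; ".join(rep.problems))
```

Run against real responses, the same check is the quickest way to confirm that a site which "defaults to encrypted sessions" also refuses to hand its session token to a plaintext connection.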



Comments about Google's Gmail Defaults to Encrypted Sessions

Ray Choiniere  2010-01-18 17:10
Very strange: this change made it impossible for me to reach my gmail box using Safari until I reset the address to http instead of https. Since I had heard nothing about the change I was baffled. Finally I guessed lucky and was able to use Firefox (which has no problem with gmail's https setting) to make the change.
Adam Engst (TidBITS staff)  2010-01-19 06:31
Very odd - I can't begin to explain what might have confused Safari.
jimsanders1  2010-01-19 09:05
I am not clear on the receipt of the message when the receiver's mail provider does not advertise SSL/TLS support. Does the Gmail encryption last only to the Gmail server?
Adam Engst (TidBITS staff)  2010-01-19 09:54
Yes, all that's being encrypted here is the Web-based session from you to Gmail, which prevents a variety of attacks. This does not entail encryption of actual messages sent from the Gmail servers to your recipients.
Glenn Fleishman  2010-01-19 09:58
If Gmail is set up right, it may also talk SSL/TLS to other mail servers. There's been a long-simmering interest in securing all server-to-server communications with SSL/TLS, but it's kind of a mess.

If Gmail talks SSL/TLS to another mail server, the mail is secured between the two servers, but it's not encrypted for the recipient.
jimsanders1  2010-01-19 11:08
Thank you, Adam and Glenn -- As I thought, end-to-end cryptomail is only available with a Public-Key-based (PKI) system. Right?
Glenn Fleishman  2010-01-19 11:11
You don't need PKI, although that's the easiest way to do it without specific pre-arrangement. Using any out-of-band method, you can agree on a symmetrical key with someone, too. It's just far harder to maintain the secrecy (not integrity) of those keys.

The weak point in SSL/TLS email is that, even if you could assure each segment is secure (Web browser or client to server, server to server, server to client/browser), there's a decryption stage between each segment.