This article originally appeared in TidBITS on 2010-01-13 at 7:40 a.m.

Google's Gmail Defaults to Encrypted Sessions

by Glenn Fleishman

Google has announced [1] that all Gmail [2] sessions are now secured using SSL/TLS by default, rather than as a choice each individual user had to make in configuration settings. The previous default setting encrypted user logins to Gmail - as Google secures all logins - but left the content of sessions in the clear. The default encryption may be manually disabled.

Problems with offering in-the-clear webmail sessions were clear years ago, because your messages could be intercepted on public networks, such as Wi-Fi hotspots. The ante was raised in 2007, however, when a security researcher showed that the token that Google placed in a browser cookie to identify the user after login could be "sidejacked": intercepted by a local user, and used to take over a Gmail session. (See "Sidejack Attack Jimmies Open Gmail, Other Services [3]," 27 August 2007.)
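As an added illustration (not part of the original article and not Google's code), the sketch below shows why an encrypted login alone did not stop sidejacking: a session cookie set without the standard `Secure` attribute is also sent on later plain-HTTP requests, where anyone on the same network can read it. The cookie names, values, and the `mail.example` host are constructed for this example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers (not captured from any real service):
# a login response sets a session token, as in a setup where only the
# login itself is encrypted and the rest of the session is not.
SAMPLE_SET_COOKIE = [
    "SESSION_TOKEN=constructed-token-123; Path=/",
    "PREFS=lang-en; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(headers):
    """Return {name: morsel} for a list of Set-Cookie header values."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        jar.update(cookie.items())
    return jar


def cookies_sent(jar, url):
    """Names of cookies a browser would attach to a request for url.

    Only the Secure attribute is modelled: a Secure cookie is withheld
    from plain-http requests; any other cookie is sent on both schemes.
    """
    is_https = urlsplit(url).scheme == "https"
    return sorted(n for n, m in jar.items() if is_https or not m["secure"])


def exposed_on_cleartext(headers):
    """Cookies that would cross the network unencrypted on an http:// page."""
    return cookies_sent(parse_set_cookie(headers), "http://mail.example/inbox")


if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_SET_COOKIE)
    for url in ("https://mail.example/login", "http://mail.example/inbox"):
        print(url, "->", cookies_sent(jar, url))
    print("sent in the clear:", exposed_on_cleartext(SAMPLE_SET_COOKIE))
```

Serving every page over SSL/TLS, as Gmail now does by default, keeps the token off the wire in readable form; marking the cookie `Secure` additionally stops the browser from sending it if a plain-HTTP request is ever made.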

There was a workaround to use SSL at that time, where you could enter a different URL, but Google didn't expose this option, and average users would have been unaware of the consequences. In mid-2008, Google added an option to use SSL/TLS as the default, but each user had to make this setting change to activate it. (See "Google Gmail Adds Secure Session Option [4]," 28 July 2008.)

Finally, in mid-2009, many prominent security experts asked Google in an open letter to secure all sessions for Web applications to avoid sidejacking, interception, and other issues that could allow identity theft and access to private information. (See "Security Experts Urge Google to Secure All Sessions [5]," 19 June 2009.)

Google said then that it was concerned about latency (the delay in handshaking of transactions before data is actually sent) and additional overhead for people who don't have broadband. Apparently, Google has now tweaked its system to balance the need for speed for some users with security for all.