Thoughtful, detailed coverage of everything Apple for 33 years
and the TidBITS Content Network for Apple professionals

Google’s Gmail Defaults to Encrypted Sessions

Google has announced that all Gmail sessions are now secured using SSL/TLS by default, rather than as a choice each individual user had to make in configuration settings. The previous default setting encrypted user logins to Gmail – as Google secures all logins – but left the content of sessions in the clear. The default encryption may be manually disabled.

Problems with offering in-the-clear webmail sessions were clear years ago, because your messages could be intercepted on public networks, such as Wi-Fi hotspots. The ante was raised in 2007, however, when a security researcher showed that the token that Google placed in a browser cookie to identify the user after login could be “sidejacked”: intercepted by a local user, and used to take over a Gmail session. (See “Sidejack Attack Jimmies Open Gmail, Other Services,” 27 August 2007.)

There was a workaround to use SSL at that time, where you could enter a different URL, but Google didn’t expose this option, and average users would have been unaware of the consequences. In mid-2008, Google added an option to use SSL/TLS as the default, but each user had to make this setting change to activate it. (See “Google Gmail Adds Secure Session Option,” 28 July 2008.)

Finally, in mid-2009, many prominent security experts asked Google in an open letter to secure all sessions for Web applications to avoid sidejacking, interception, and other issues that could allow identity theft and access to private information. (See “Security Experts Urge Google to Secure All Sessions,” 19 June 2009.)

Google said then that it was concerned about latency (the delay in handshaking of transactions before data is actually sent) and additional overhead for people who don’t have broadband. Apparently, Google has now tweaked its system to balance the need for speed for some users with security for all.
