
HTTPS Now Default for Gmail


don


Administrator

Posts: 4259

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Jan 19, 2010 10:14 am

HTTPS Now Default for Gmail

Official news from Google's Sam Schillace, Gmail Engineering Director:


In 2008, we rolled out the option to always use https — encrypting your mail as it travels between your web browser and our servers. Using https helps protect data from being snooped by third parties, such as in public wifi hotspots. We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data. Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.

We are currently rolling out default https for everyone. If you've previously set your own https preference from Gmail Settings, nothing will change for your account. If you trust the security of your network and don't want default https turned on for performance reasons, you can turn it off at any time by choosing "Don't always use https" from the Settings menu. Gmail will still always encrypt the login page to protect your password. Google Apps users whose admins have not already defaulted their entire domains to https will have the same option.

To read about other steps you can take to protect your accounts and your computers, visit google.com/help/security.

Note: If you use offline Gmail over http currently, the switch to https is likely to cause some problems. Learn more about this known issue and how to work around it.



Official blog post:
http://gmailblog.blogspot.com/2010/01/d ... gmail.html

Don
CISSP, MCSE, CSTA, Security+ SME

hayabusa


Hero Member

Posts: 1695

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Jan 20, 2010 7:48 pm

Re: HTTPS Now Default for Gmail

Public wifi hotspots? ??? So they mean to tell me that using tools like Ettercap and sslstrip, they won't have folks doing MITM to grab Gmail data, if they really want to? I'd agree it keeps the general public from 'stumbling' onto data, but it certainly doesn't take a rocket scientist to bypass a simple SSL login scenario, particularly at a public hotspot.

Don't get me wrong... I guess it's a matter of general security, and thus, for the average joe, probably a good thing, but really, I wouldn't tout it as a HUGE security remedy.

SSL, by itself, isn't a very solid, promising safeguard, to me. For instance, many of these sslvpn types of scenarios which rely solely on a username and password... Let me sniff that with one of the tools above, and I now have your vpn login credentials. However, if you ADD something to the mix, say a SecurID token or something, they MAY get your username and password, but are much less likely to get into your account using your login, as now you've added the necessity to possess the token, to be able to pass the proper key with the credentials...
Last edited by hayabusa on Wed Jan 20, 2010 7:53 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH
