Google email service now defaults to SSL connections
Google has modified its Google Mail email service, also known as Gmail, in such a way that browser connections to the service are now encrypted via SSL by default. It's not known whether this change was prompted by a suggestion made last June by a group of prestigious researchers and security specialists including Eugene H. Spafford, Bruce Schneier, Jeff Moss, Jacob Appelbaum, Steven M. Bellovin, William R. Cheswick and Ronald L. Rivest, or whether it is due to the recently publicised attacks on Chinese Gmail accounts.
While account logins have always been handled via https, the connections for accessing emails were previously unencrypted by default. This allowed attackers to read their victims' emails, for instance, at Wi-Fi hot spots. Although the account settings did offer the option of using SSL encryption after logging in, only a small number of users apparently enabled this option. Following this change to the default behaviour, users who wish to disable standard encryption for any reason can do so by choosing the "Don't always use https" option.
The Google Docs service, on the other hand, remains unencrypted by default – at least when logging in via docs.google.com. To create a secure connection, users need to manually change the URL from http to https after logging in. However, if Google Docs is accessed via the link in the Google Mail account, the connection is SSL encrypted by default.
See also:
- Google considers closing its Chinese operation, a report from The H.
- Google considers always-on SSL encryption for all of its services, a report from The H.
(crve)