Securing GMail
Jun. 19th, 2009 09:01 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
slowfoxYou've probably known this for a long while, but since I've only just got around to doing it, I thought I'd mention...
As this Wired article explains, although gMail asks for your initial log on password via HTTPS (the nice, secure protocol), the rest of your session, under the default settings, is plain HTTP. Which is potentially a problem if you're checking email from a WiFi hotspot or whatever.
Changing this is easy enough, once you know where to look.
Go to Settings (upper right hand side of the screen), and from there you should be on the 'General' tab.
Right at the bottom of the page is a section headed 'Browser Connection', and, as above, the default is 'Don't always use HTTPS'. I've changed my settings to 'always use https', and haven't (yet) noticed any drawbacks.
Now, because HTTPS is encrypted, it does mean that encryption/decryption has to take place at both the client (your machine) and the server (Google's kit), so, in theory, using HTTPS all the time will slow things down a bit.
On the other hand, not using HTTPS means that the communication twixt you and Google's cloud is all in the clear, and is much easier to eavesdrop/snoop on. Especially since a tool was announced at DEFCON last year which made such snooping 'relatively easy'.
So, the general advice (from Wired, above, The Register, here, Mashable, here and the good old Beeb, here) is to always use HTTPS.
As this Wired article explains, although gMail asks for your initial log on password via HTTPS (the nice, secure protocol), the rest of your session, under the default settings, is plain HTTP. Which is potentially a problem if you're checking email from a WiFi hotspot or whatever.
Changing this is easy enough, once you know where to look.
Go to Settings (upper right hand side of the screen), and from there you should be on the 'General' tab.
Right at the bottom of the page is a section headed 'Browser Connection', and, as above, the default is 'Don't always use HTTPS'. I've changed my settings to 'always use https', and haven't (yet) noticed any drawbacks.
Now, because HTTPS is encrypted, it does mean that encryption/decryption has to take place at both the client (your machine) and the server (Google's kit), so, in theory, using HTTPS all the time will slow things down a bit.
On the other hand, not using HTTPS means that the communication twixt you and Google's cloud is all in the clear, and is much easier to eavesdrop/snoop on. Especially since a tool was announced at DEFCON last year which made such snooping 'relatively easy'.
So, the general advice (from Wired, above, The Register, here, Mashable, here and the good old Beeb, here) is to always use HTTPS.
no subject
Date: 2009-06-19 10:33 pm (UTC)However, I usually use gmail from my mail client. I'm guessing that might still be going unencrypted.
no subject
Date: 2009-06-20 08:00 am (UTC)... I'm pretty sure than in years to come, people are going to be horrified about how much of our internet activity was conducted unencrypted Back In The Day...
no subject
Date: 2009-06-19 11:02 pm (UTC)Although, when I checked, none of the radio buttons were actually default-checked. Weird.
no subject
Date: 2009-06-20 08:02 am (UTC)An odd choice, but one done, presumably for reasons of performance (possibly at their end? I mean, if you've got millions of users all connecting, that's going to have some performance hit, I'd have thought, even if the client end, only having one SSL to maintain, isn't really going to suffer too much increased workload).
no subject
Date: 2009-06-19 11:30 pm (UTC)no subject
Date: 2009-06-20 08:03 am (UTC)no subject
Date: 2009-06-20 01:23 am (UTC)no subject
Date: 2009-06-20 08:04 am (UTC)Just trying to share the bits and pieces I pick up. This is, unfortunately, having the side-effect of me becoming increasingly paranoid about what's on the web, and how safe it all is...