Securing GMail
Jun. 19th, 2009 09:01 pmYou've probably known this for a long while, but since I've only just got around to doing it, I thought I'd mention...
As this Wired article explains, although gMail asks for your initial log on password via HTTPS (the nice, secure protocol), the rest of your session, under the default settings, is plain HTTP. Which is potentially a problem if you're checking email from a WiFi hotspot or whatever.
Changing this is easy enough, once you know where to look.
Go to Settings (upper right hand side of the screen), and from there you should be on the 'General' tab.
Right at the bottom of the page is a section headed 'Browser Connection', and, as above, the default is 'Don't always use HTTPS'. I've changed my settings to 'always use https', and haven't (yet) noticed any drawbacks.
Now, because HTTPS is encrypted, it does mean that encryption/decryption has to take place at both the client (your machine) and the server (Google's kit), so, in theory, using HTTPS all the time will slow things down a bit.
On the other hand, not using HTTPS means that the communication twixt you and Google's cloud is all in the clear, and is much easier to eavesdrop/snoop on. Especially since a tool was announced at DEFCON last year which made such snooping 'relatively easy'.
So, the general advice (from Wired, above, The Register, here, Mashable, here and the good old Beeb, here) is to always use HTTPS.
As this Wired article explains, although gMail asks for your initial log on password via HTTPS (the nice, secure protocol), the rest of your session, under the default settings, is plain HTTP. Which is potentially a problem if you're checking email from a WiFi hotspot or whatever.
Changing this is easy enough, once you know where to look.
Go to Settings (upper right hand side of the screen), and from there you should be on the 'General' tab.
Right at the bottom of the page is a section headed 'Browser Connection', and, as above, the default is 'Don't always use HTTPS'. I've changed my settings to 'always use https', and haven't (yet) noticed any drawbacks.
Now, because HTTPS is encrypted, it does mean that encryption/decryption has to take place at both the client (your machine) and the server (Google's kit), so, in theory, using HTTPS all the time will slow things down a bit.
On the other hand, not using HTTPS means that the communication twixt you and Google's cloud is all in the clear, and is much easier to eavesdrop/snoop on. Especially since a tool was announced at DEFCON last year which made such snooping 'relatively easy'.
So, the general advice (from Wired, above, The Register, here, Mashable, here and the good old Beeb, here) is to always use HTTPS.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}