The move came just a day after the search giant announced it might close down its offices in China in a bid to foil attackers who sit in cafes, intercepting traffic passing into Gmail accounts of human rights activists.
In a blog post late Tuesday, Google said it would begin using Hypertext Transfer Protocol Secure, or HTTPS, technology to encrypt all traffic carried on its free Web-based e-mail service. HTTPS is a popular Internet protocol that combines the standard HTTP Web protocol with a layer of encryption based on the SSL/TLS protocol. It is commonly used by online banking services and shopping sites to protect secret customer data from interception by Web eavesdroppers.
Henceforth, all Gmail users will default to HTTPS, the secure, encrypted protocol for communicating with a remote server, for their entire e-mail sessions, not just for log-in.
“Over the last few months, we have been examining the security/latency trade-off and decided that turning https on for everyone was the right thing to do,” Gmail Engineering Director Sam Schillace wrote in the Gmail blog.
Google has always applied HTTPS to encrypt login pages, and thereby protect passwords, but encryption of e-mail traffic itself has been an option that users had to select.
In 2008, Google unveiled the option to switch to HTTPS permanently. Last year, at the request of 37 privacy and security experts, Google said it was considering moving all Gmail users to 24-7 HTTPS as a security measure. Now, Google will move all users to HTTPS by default, arguing that the security benefits outweigh the slight hit to the speed of e-mail delivery that the technology imposes.
Even so, the switch does not encrypt e-mail itself. It simply encrypts the communications in transit between Google’s servers and a user’s computer, much as happens when you use your bank’s website. E-mails sent out to other people are transmitted in the clear as they have always been. Truly encrypted e-mail can only be read by the sender and receiver, regardless of how it moves across the internet.
“There is a lot of that activity going on right now,” said Tim Callan, vice president of marketing at VeriSign, which sells SSL technology. “E-mail accounts and e-mail content are things the con artists have learned to use to run these scams to steal money.”
This step was often unnecessary when people worked on fixed and secure connections, such as their home or office DSL or cable lines. But as Wi-Fi connections, especially in public places, became more popular, hackers began employing simple sniffing software to snoop on people’s online activities with the goal of stealing passwords.
The change to HTTPS for Gmail was commended by some privacy advocates, who expressed hope that other popular Web-based email services, like Yahoo Mail and Hotmail from Microsoft, would soon follow suit.
Making HTTPS use the default for all users is important because few people take the trouble to actively turn on security features, said Jeremiah Grossman, the chief technology officer of White Hat, a Web security firm. “It is free security. Whenever that happens, we will take it.”
“Using HTTPS helps protect data from being snooped by third parties, such as in public Wi-Fi hotspots,” wrote Schillace.