
Use complete session encryption with Gmail

Find out how you can make Gmail encrypt your entire session when you check your email, and why you should do so right now.

When Gmail first appeared in 2004, it rocketed into popularity and prominence. It wasn't long before security experts were asking tough questions about its security, though. Many such questions revolved around business practice issues such as Google spidering private emails to provide context-targeted advertising.

One very basic question, however, related to the use of encrypted browser sessions when accessing a Gmail account. Gmail's default behavior encrypts only the authentication step: once you are signed in, the remainder of the session, including the contents of every message you read and write, travels over plain HTTP.

It was possible to request an encrypted connection manually by navigating to https://mail.google.com rather than http://mail.google.com, but users have reported that such an HTTPS session has a tendency to get dropped back to an unencrypted HTTP connection from time to time. There was no way to simply configure Gmail to always encrypt the entire session.

Enabling Full Session Encryption

As of July 2008, that has changed. Now, as detailed on Gmail's "Enabling the HTTPS setting" help page, it is possible to set an option in your Gmail account's settings that mandates the use of TLS encryption (HTTPS) for your entire session, not just for signing in.

The process of enabling full-session TLS encryption for your Gmail is pretty simple.

  1. Sign in to your Gmail account, and click the Settings link in the top right corner of the interface.
  2. Scroll to the bottom of the Settings page, and select the radio button labeled "Always use https".
  3. Click the Save Changes button.

Done. From that point on, every page in the session, not only the sign-in page, should load from https://mail.google.com; if the address bar ever shows http://mail.google.com again after you have saved the setting, the change did not take and you should check it.

Why It's Important

The general answer to why it's so important to ensure the entire session is encrypted is three-fold, at least:

  1. You should want your messages to be protected against snooping by as many people as possible. Sure, Google can still read your emails even with session encryption -- and, by extension, so can law enforcement organizations and anyone else that can magic up a subpoena -- but at least some random script kiddie will have to do more than just eavesdrop on the packets passing between your browser and Gmail's servers, which on an open wireless network is no more than running a sniffer.
  2. Session encryption keeps an attacker on the network path from reading or altering the pages Gmail sends you, including injecting script or a fake form to capture data intended only for the server. (It does nothing about cross site scripting flaws in the application itself; those ride inside the encrypted channel just as well as legitimate content does.)
  3. It also reduces the likelihood of a successful man in the middle attack, in part because the server presents a TLS site certificate as part of establishing the encrypted connection, and your browser checks that certificate against the host name before it sends anything, so an impostor server cannot complete the connection without triggering a warning.

The more specific answer, at this time, is a specific vulnerability. A presentation at this month's DEFCON security conference in Las Vegas, Nevada unveiled a tool that can be used to automatically steal the session IDs of unencrypted Gmail sessions. The session ID lives in a cookie, and a browser attaches a cookie to every request it makes to the site the cookie belongs to, plain HTTP requests included, unless the server marked that cookie as secure. So anyone who can watch your traffic only has to capture one unencrypted request to the Gmail host to copy the cookie and "break in" to the account, without ever learning the password.
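The cookie-scoping rule behind that attack, as an added example that is not part of the original article and is not Gmail's or Google's code: a small Python model of which cookies a browser attaches to a request, following the Secure-attribute rule of RFC 6265 section 5.4. The host names, cookie names and Set-Cookie lines in it are constructed for illustration, not Gmail's real headers. It simulates a victim who signed in over HTTPS and is then induced to make one plain-HTTP request to the mail host, and shows what leaks with and without the Secure attribute; the same parser doubles as an audit of a login response's Set-Cookie lines.

```python
"""Which cookies does a browser attach to a plain http:// request?

Constructed example (not Gmail's code or headers): a minimal model of the
cookie-scoping rules in RFC 6265 section 5.4, used to show why a session
cookie set without the Secure attribute leaks the moment the browser makes
one unencrypted request to the mail host, and why one with it does not.
Host names and cookie names below are made up.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # host-only cookie when no Domain attribute was given
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value.

    Only Domain, Path, Secure and HttpOnly are handled; a real cookie jar
    also validates Domain against request_host and tracks Expires/Max-Age.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(),
                    domain=request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def domain_matches(host: str, cookie_domain: str) -> bool:
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent_to(jar, url: str) -> list:
    """Names of the jar's cookies a conforming browser sends with a request
    to url.  The Secure rule is the one that matters here: a Secure cookie
    goes out only when the scheme is https."""
    u = urlsplit(url)
    host, path = (u.hostname or ""), (u.path or "/")
    sent = []
    for c in jar:
        if not domain_matches(host, c.domain) or not path_matches(path, c.path):
            continue
        if c.secure and u.scheme != "https":
            continue
        sent.append(c.name)
    return sent


def missing_secure(set_cookie_headers, request_host: str) -> list:
    """Audit helper: names of cookies set without the Secure attribute.
    Feed it the Set-Cookie lines from a site's login response."""
    jar = [parse_set_cookie(h, request_host) for h in set_cookie_headers]
    return [c.name for c in jar if not c.secure]


def leaked_over_http(set_cookie_headers, login_host: str = "mail.example.com") -> list:
    """Simulate the attack: the victim logged in over https; an attacker on
    the network (an open Wi-Fi hotspot, say) then injects a reference to
    http://<login_host>/ into some unencrypted page the victim loads, and the
    browser issues a plain-HTTP request to the mail host.  Whatever this
    returns went over the wire in the clear.  Note that HttpOnly does not
    help: it stops script from reading the cookie, not the network."""
    jar = [parse_set_cookie(h, login_host) for h in set_cookie_headers]
    return cookies_sent_to(jar, f"http://{login_host}/")


# Constructed Set-Cookie lines: the same session cookies, without and with Secure.
WITHOUT_SECURE = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",
    "MAILSESSION=xyz789; Path=/; HttpOnly",
]
WITH_SECURE = [h + "; Secure" for h in WITHOUT_SECURE]

if __name__ == "__main__":
    print("set without Secure:", missing_secure(WITHOUT_SECURE, "mail.example.com"))
    print("leaked over http, no Secure flag:", leaked_over_http(WITHOUT_SECURE))
    print("leaked over http, Secure flag:   ", leaked_over_http(WITH_SECURE))
```

The "Always use https" setting is the server-side half of this: with it on, the session cookie is marked secure, so the plain-HTTP request the attacker provokes carries nothing worth stealing. To check a site of your own, paste the Set-Cookie lines from its login response into `missing_secure`.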

If you don't already have TLS encryption turned on by default in your Gmail account, you need to go turn it on right now.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

13 comments
jaininaveen

Yeah, I don't know exactly how the session works here, because I am able to download a file from my account even after I log out of the mail account.... www.jaininaveen.com/?p=77

Michael Kassner

The main reason why Google has added this option is to set the secure flag in the SSL session cookie. Without this option the application is vulnerable to surf jacking, even when the application is using HTTPS. I wish Google would have published this fact or at least made it opt out instead of opt in. If you are interested you can read more about it at the link below: http://blogs.techrepublic.com.com/networking/?p=634

OnTheRopes

I've made the change. Thank you.

AlexNagy

Thanks for the word up on this. I know security is an important issue, but session encryption with Gmail never occurred to me, as I generally use secure POP to retrieve my email.

apotheon

Compared to straight-up HTTP with encryption for only the authentication part of the session, encrypting the entire session uses a lot of CPU cycles. Every single bit of data (pun intended) that passes between the server and the client has to be encrypted when it's sent by one and decrypted when it's received by the other. Strong encryption, such as the TLS used by HTTPS connections, is kind of processor intensive. Google obviously has the resources to handle the extra CPU load, but that doesn't mean it *wants* to. It's easier to just gamble on the hope that it won't prove to be a major problem for Google, and let users fend for themselves. There may be other excuses, of course, but that's my guess as to the actual *reason*.

apotheon

I hadn't mentioned anything about secure POP access to Gmail in the article -- but that's another way to avoid the problem of unencrypted sessions.

apotheon

Everything still works for me, too. Of course, I'm using Pidgin for my IM client -- not the official Google client. edit: . . . on FreeBSD, so there's no Registry anyway.

AlexNagy

But perhaps another reason is pressure from stockholders to put every available cycle to use making money, not making secure connections for email users. Yes, it's a user-desired service, but one that's not generating a lot of money, I would imagine. Especially with the advent of plugins like Adblock that pretty much render Google (and other) ads meaningless.
