When Gmail first appeared in 2004, it rocketed into popularity and prominence. It wasn’t long before security experts were asking tough questions about its security, though. Many such questions revolved around business-practice issues such as Google spidering private emails to provide context-targeted advertising.
One very basic question, however, related to the use of encrypted browser sessions when accessing a Gmail account. Gmail’s default behavior encrypts the authentication process, but does not encrypt the remainder of a user’s session.
Manually specifying that an encrypted connection should be used was possible by navigating to https://mail.google.com rather than http://mail.google.com, but users have noted a tendency for the HTTPS encrypted connection to get dropped in favor of an unencrypted HTTP connection from time to time. There was no way to simply configure Gmail to always encrypt the entire session.
Enabling Full Session Encryption
As of July 2008, that has changed. Now, as detailed on Gmail’s Enabling the HTTPS setting page, it is possible to set an option in your Gmail account’s settings that mandates the use of TLS encryption for your entire session.
The process of enabling TLS encryption for your Gmail is pretty simple.
- Sign in to your Gmail account, and click on the Settings link in the top right corner of the interface:
- Scroll to the bottom of the Settings page, and select the radio button labeled Always use https:
- Click the
Why It’s Important
The general answer to why it’s so important to ensure the entire session is encrypted is three-fold, at least:
- You should want your messages to be protected against snooping by as many people as possible. Sure, Google can still read your emails even with session encryption — and, by extension, so can law enforcement organizations and anyone else who can magic up a subpoena — but at least some random script kiddie will have to do more than just eavesdrop on packets passing in and out of Gmail servers.
- Session encryption reduces the likelihood of successful cross-site scripting attacks that might intercept sensitive data intended only for the server.
- It also reduces the likelihood of a successful man-in-the-middle attack, in part because TLS site certificates are used to authenticate the site as part of establishing the encrypted connection.
The more specific answer, at this time, is a specific vulnerability. A presentation at this month’s DEFCON security conference in Las Vegas, Nevada, unveiled a tool that can be used to automatically steal the session IDs of unencrypted Gmail sessions. With that tool, an attacker can “break in” to Gmail accounts that are accessed without encryption.
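The session-ID theft described above works because a session cookie sent over plain HTTP can be read by anyone on the path. The following is an added example (not Gmail’s code; every HTTP response in it is constructed, and the cookie name SID, the domain example.com and the redirect target are assumptions) showing the two checks a defender would run against a mail site’s responses: whether the session cookie carries the Secure attribute, so browsers never send it over http://, and whether plaintext requests are redirected to https://.

```python
from email.parser import Parser

# Constructed sample: the session cookie SID lacks the Secure attribute, so a
# browser would also send it on plain http:// requests, where it can be sniffed.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SID=abc123; Domain=.example.com; Path=/\r\n"
    "Set-Cookie: PREF=lang-en; Path=/\r\n"
    "\r\n"
)
# Constructed sample after hardening: SID is only ever sent over HTTPS.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: PREF=lang-en; Path=/\r\n"
    "\r\n"
)
# Constructed sample: what an http:// request should get once HTTPS is mandatory.
REDIRECT_RESPONSE = "HTTP/1.1 302 Found\r\nLocation: https://mail.example.com/\r\n\r\n"

def parse_response(raw):
    """Split a raw HTTP response into (status code, parsed headers)."""
    status_line, _, header_block = raw.partition("\r\n")
    return int(status_line.split()[1]), Parser().parsestr(header_block, headersonly=True)

def cookie_attributes(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    return parts[0].split("=", 1)[0], {p.split("=", 1)[0].lower() for p in parts[1:]}

def insecure_session_cookies(raw, session_names=("SID",)):
    """Names of session cookies a browser would transmit over unencrypted HTTP."""
    _, headers = parse_response(raw)
    findings = []
    for set_cookie in headers.get_all("Set-Cookie", []):
        name, attrs = cookie_attributes(set_cookie)
        if name in session_names and "secure" not in attrs:
            findings.append(name)
    return findings

def redirects_to_https(raw):
    """True if a plaintext request is bounced to an https:// URL."""
    status, headers = parse_response(raw)
    return status in (301, 302, 303, 307) and headers.get("Location", "").startswith("https://")
```

Run against the constructed responses, the weak one reports SID as exposed, the hardened one reports nothing, and only the redirect response passes the HTTPS-enforcement check.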
If you don’t already have TLS encryption turned on by default in your Gmail account, you need to go turn it on right now.