Google Apps For Education Support site

24 Jul 2008

Force Gmail to Always Use Secure Connection

Gmail rolls out a new option that lets you set the https version as default. If you go to the Settings and select “always use https”, Gmail will automatically redirect to the secure version. Until now, you had to manually type in the address bar, bookmark the address or use a Greasemonkey script.

“If you sign in to Gmail via a non-secure Internet connection, like a public wireless or non-encrypted network, your Google account may be more vulnerable to hijacking. Non-secure networks make it easier for someone to impersonate you and gain full access to your Google account, including any sensitive data it may contain like bank statements or online log-in credentials. We recommend selecting the ‘Always use https’ option in Gmail any time your network may be non-secure,” explains Google.

Read, for example, David Pogue’s post about Wi-Fi eavesdropping. “All Jon needed [to read my mail] was a packet sniffing program; such software is free and widely available. (He used a Mac program called Eavesdrop.) It sniffs the airwaves and displays whatever data it finds being transmitted in the public hot spot.”

HTTPS is typically used for sites that deal with sensitive data, so you’ll see it when you authenticate to sites like Google or Facebook and when you use your mobile banking account, PayPal, Google AdWords and a handful of similar sites. The benefit is that the connection between your browser and the remote servers is encrypted, so nobody listening on the network can read the sensitive data.

“We use https to protect your password every time you log into Gmail, but we don’t use https once you’re in your mail unless you ask for it (by visiting rather than Why not? Because the downside is that https can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn’t travel across the internet as efficiently as unencrypted data,” says the Gmail blog.

In addition to the worse performance, Google also mentions that the mobile application could show errors if you don’t enable ‘Always use secure network connections (slower performance)’ in the app’s settings section. If you use Firefox, don’t forget to disable the Greasemonkey scripts that redirect Gmail to the secure version and to deactivate the similar option from Firefox extensions like Better Gmail and CustomizeGoogle.

The good news is that you don’t need a similar setting for other Google applications if you use the navigation bar: Google automatically links to the secure versions of Google Calendar, Google Docs, Google Reader and Google Sites. If you don’t see the new option in Gmail’s settings, you have to wait until Gmail enables it in your account.

