"Evans reminded the public of the value in turning on Gmail's HTTPS-only feature, which ensures that connections are always encrypted."

Why doesn't Google just do the right thing and turn off the weak and obsolete HTTP access? Say with a simple redirect to the HTTPS-only version?

Because occasionally.... just occasionally you might not be able to be able to use https for some reason and you're prepared to take the risk of using an unsecured connection "just that once" to get at something?

or... perhaps I'm using my gmail account for a non-personal, non-private, non-sensitive, non-secret use and I'm not particularly bothered if the communications are open at all?

People seem all to keen to loudly blame Google - when their own lack of caution and gullibility was obviously to blame.

If you're not using Wi-Fi, ir's a hard problem to intercept HTTP traffic between specific machines, too much work for the average Phisher. You need to be in cahoots with an ISP.

And, of course, BT would never let anyone install a black box that monitored all the traffic.

The local pub's wi-fi hotspot is detectable a kilometre away. If the provider is that careless about limits on transmission power, broadcasting every email I choose to read, what's their security like otherwise?

That's where HTTPS matters.

Email is inherently not secure, since signing and encryption is not standard or required, so services with access to important things -- domain names, banking, email itself -- should require more than just access to an email address in order to change or retrieve passwords.

I'm no fan of GMail but even if there was an exploit in it I would still put most of the blame on GoDaddy in this case. Email can and will be broken into; deal with it.

err, maybe because they would need twice as much CPU power to support their users, who pay (approximately) nothing for this service? If you want secure email, don't use 'free' mail providers - simple, as.

>"with Geek Condition creating a detailed proof of concept "

They did no such thing. They didn't create any proof of concept, they just hand-waved and said "well, suppose someone was able to XSRF your account (just like in that long-fixed bug), maybe they'd be able to set up a filter (just like the poc for that long-fixed bug did)". They didn't demonstrate any means to bypass the XSRF protection that google implemented after the earlier bug, they just completely guessed on the basis of no evidence that the bug (or a very similar one) must still be present because "I'm too smart to have given my details to a phisher".

No proof, just a concept. FUD, bullshit and guesswork from start to finish.

I'll agree that the blog article is still a PoC, however. In the /other/ meaning of the acronym.

... this is not the Domain Hijack Vuln you're looking for...

(Mine's the one with Luke Skywalker's lightsabre in the pocket!)

Mostly @Steven Knox

It has been pointed out that SSL isn't free. It costs CPU cycles.

Gmail is still free. Google doesn't want to support a huge SSL user base because that would require more hardware.

You could have just as easily asked, why isn't every single website on the Internet encrypted with SSL. Maybe not. Certs cost money, too. Google can eat this cost no problem, but an ongoing demand for more CPU would be a bit harder.

Strange Anti-HTTPS comments.

GMail can support everyone turning it on. That's why they feature that. Currently. They're doing fine, they can afford it.

Other companies, that aren't Google, might have 100 apps running on a small server, and of course, that wouldn't be feasible to offer HTTPS to huge groups of users. Of course, maybe if they had invested in new hardware, they could have promoted secure growth without stifling advancement.

But this is Google. They're good to go.

Calling bullshit on the SSL comments about CPU resources. GMail supports SSL IMAP, POP3, and SMTP. Sure, the user base for that is smaller than the web system, but SSL is there none the less. SSL does not impact a system badly enough to be of that much concern versus privacy. OpenSSL seems quite well-tweaked already, and the Google PowerHouse CodePlex could easily optimize an internal version, or offload SSL to hardware-based encryption using GPUs, etc.

I will also call bullshit on the idea that there is anybody who does not need nor deserve privacy and protection. Just because you think the information you send in your emails is not important, does not mean that the other end does not, or that it really is not important to someone else. At the very least, your privacy is paramount whether you believe it is or not.

Additionally, I call bullshit on the idea that HTTP traffic cannot be intercepted without ISP intervention. This is patently untrue. In the scenario following, the feasibility is on the level of people using routers with the default admin setup. We have already seen Javascripts which change router configurations, and it is entirely possible to have similar scripts which upload hacked firmwares to routers to intercept HTTP traffic, or any other unencrypted traffic for that matter.

So encryption, email keys, and the like are not the standard? Then why do we not make them the standard by using them and encouraging others to use them as well?

Paris, calling bullshit on the hat-trick.