The Register® — Biting the hand that feeds IT

Feeds

Google's China syndrome

Full Coverage

Google flips default switch for always-on Gmail crypto

Hours after dropping Chinese hack bomb

By Dan Goodin, 13th January 2010
  • print
  • alert

Customer Success Testimonial: Recovery is Everything

Just hours after Google disclosed it and at least 20 other large companies were the targets of highly sophisticated cyberattacks, the online giant said it would enhance the security of its email service by automatically encrypting entire web sessions.

The change, which Google is in the process of rolling out now, means Gmail sessions will be automatically protected from start to finish with the SSL, or secure sockets Layer, protocol, even if a user doesn't specifically ask for it. Up until now, users had to check a setting in their Gmail options to get always-on encryption.

The change bolsters Google's already significant lead in protecting web users against so-called man-in-the-middle attacks, which allow miscreants to read and modify web traffic by sitting in between victims and the sites they surf. Yahoo Mail, eBay, MySpace, Facebook, and a wide variety of other sites continue to offer https encryption only when users are logging in, making email and other sensitive pages that are visited later susceptible to so-called sidejacking and similar attacks.

The change, which many security advocates had demanded, was announced a few hours after Google accused China-based hackers of carrying out highly sophisticated attacks designed to ferret out human rights advocates. Exploits targeting Gmail services largely failed, but Google said "dozens" of accounts had been routinely accessed by unauthorized parties through phishing or malware attacks on the users themselves.

Google didn't elaborate on those attacks, so there's no way to know if always-on encryption would have prevented those account holders from being compromised. Still, the automatic use of https makes good sense and allows Google to rightfully claim even more higher ground relative to its peers. (Twitter is one of the few other popular services to offer start-to-finish https).

"We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data," Gmail Engineering Director Sam Schillace wrote. "Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do."

Those who want to disable the feature may do so by checking a "Don't always use https" box in Gmail settings. Even then, Gmail login pages will continue to be encrypted.

Those using offline Gmail over naked http are likely to encounter problems. Troubleshooting tips are here. ®

Ensure Ease of Recovery with Asigra’s Agentless Software

COMMENTS

House Rules Send Corrections
All Reader Comments (26)
Highly Rated
Anonymous Coward

Engineering Director FAIL

"encrypted data doesn't travel across the web as quickly as unencrypted data"

Nothing to do with the load on our servers, honest guv.

1
0
Mr Templedene

Well they broke it for me

I can no longer login in to ANY google service using my browser of choice Opera. I've not been able to login to my blogger account for nearly 2 weeks.

It works in fine firefox but I don't want to have to have two browsers open just to access google services.

I have used Opera for years and all my bookmarks, special site settings, customised options and "muscle memory" of the various keyboard shortcuts are just too much effort to move over. Plus Opera has just too many features firefox cannot match.

I'd rather not use google services than change browser.

They just lost a user, but as I never had to pay for any of it I guess I can't complain.

0
0
Jamie Jones
Reply Icon

Mr.

In some cases he's correct, due to compression.

Sure, if the webserver does gzip compression on the document before encryption, then the compression holds out, but many places use compresssion on a link, vpns, etc. and some networks, so therefore it would take longer in those cases.

Also, local caching of objects doesn't exist with https, and he might simply be describing this in a less technical way.

Both of these situations, in layman terms does mean "https is slower than http"

0
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
19