Google announces that it may make use of HTTPS the default configuration for Gmail. The move comes after several security and privacy experts sent an open letter to the company urging enhanced protections for Gmail, Google Docs and Google Calendar.
officials responded June 16 to calls for better security by
announcing that the company is considering turning on HTTPS in Gmail
by default for all connections.
The announcement follows an open
letter sent to Google CEO Eric Schmidt
by nearly 40 security and privacy
experts that urged the search engine giant to enable industry-standard
transport encryption technology by default for Gmail, Google Docs and
"Google already uses industry-standard Hypertext Transfer Protocol
Secure (HTTPS) encryption technology to protect customers' log-in information,"
the letter stated. "However, encryption is not enabled by default to
protect other information transmitted by users of Google Mail, Docs or
Calendar. As a result, Google customers who compose e-mail, documents,
spreadsheets, presentations and calendar plans from a public connection (such
as open wireless networks in coffee shops, libraries and schools) face a very
real risk of data theft and snooping, even by unsophisticated attackers."
Click here to read what Google had to say
about the security of Google Docs.
In response to the letter, Alma
Whitten, a software engineer on Google's Security & Privacy Teams,
blogged that the company is planning a trial phase in which the move will
be tested on small samples of different types of Gmail users.
"Unless there are negative effects on the user experience or it's
otherwise impractical, we intend to turn on HTTPS by default more broadly,
hopefully for all Gmail users," Whitten wrote. "We're also
considering how to make this work best for other apps including Google Docs and
Google Calendar (we offer free HTTPS for those apps as well)."
"We know that tens of millions of Gmail users rely on it to manage
their lives every day, and we have offered HTTPS access as an option in Gmail
from the day we launched," she continued. "If you choose to use
HTTPS in Gmail, our systems are
designed to maintain it throughout the e-mail session-not just at log-in-so
everything you do can be passed through a more secure connection."
Free, always-on HTTPS is unusual in the e-mail business, Whitten noted, but
can help make the Web safer.
"It's something we'd like to see all major Webmail services provide,"
In the open letter, the authors-whose backgrounds reach from academia to the
research community-outlined the risks associated with account hijacking and
data interception through tools such as packet sniffers. The letter also stated
that Google does not do enough to encourage users to enable encryption, and
that the "Always use HTTPS" option in Gmail should be extended to
Google Docs and Google Calendar as well.
"We strongly urge you to follow the lead of the
financial industry and enable HTTPS encryption by default for the users of
Google Mail, Docs and Calendar ... Given the huge threat posed by identity theft,
it is vital that Google take proactive steps to protect its users from these
risks," the letter stated.