Google officials responded June 16 to calls for better security by announcing that the company is considering turning on HTTPS in Gmail by default for all connections.
The announcement follows an open letter sent to Google CEO Eric Schmidt by nearly 40 security and privacy experts that urged the search engine giant to enable industry-standard transport encryption technology by default for Gmail, Google Docs and Google Calendar.
“Google already uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ log-in information,” the letter stated. “However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose e-mail, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers.”
In response to the letter, Alma Whitten, a software engineer on Google’s Security & Privacy Teams, blogged that the company is planning a trial phase in which the move will be tested on small samples of different types of Gmail users.
“Unless there are negative effects on the user experience or it’s otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users,” Whitten wrote. “We’re also considering how to make this work best for other apps including Google Docs and Google Calendar (we offer free HTTPS for those apps as well).”
“We know that tens of millions of Gmail users rely on it to manage their lives every day, and we have offered HTTPS access as an option in Gmail from the day we launched,” she continued. “If you choose to use HTTPS in Gmail, our systems are designed to maintain it throughout the e-mail session, not just at log-in, so everything you do can be passed through a more secure connection.”
Free, always-on HTTPS is unusual in the e-mail business, Whitten noted, but can help make the Web safer.
“It’s something we’d like to see all major Webmail services provide,” she wrote.
In the open letter, the authors, whose backgrounds range from academia to the research community, outlined the risks associated with account hijacking and data interception through tools such as packet sniffers. The letter also stated that Google does not do enough to encourage users to enable encryption, and that the “Always use HTTPS” option in Gmail should be extended to Google Docs and Google Calendar as well.
“We strongly urge you to follow the lead of the financial industry and enable HTTPS encryption by default for the users of Google Mail, Docs and Calendar … Given the huge threat posed by identity theft, it is vital that Google take proactive steps to protect its users from these risks,” the letter stated.