Google Gmail Switches HTTPS to Always On by Default

HTTPS is now the default setting for Gmail users. Google's security decision follows revelations of efforts by attackers to improperly access the Gmail accounts of Chinese human rights activists.

Google has opted to keep HTTPS always on for Gmail by default to protect user e-mails.

The move follows the revelation that there have been repeated attempts to access Gmail accounts belonging to Chinese human rights activists, as well as calls from security and privacy experts for Google to deploy the technology automatically to secure e-mail.

"Over the last few months, we've been researching the security/latency tradeoff and decided that turning HTTPS [HTTP Secure] on for everyone was the right thing to do," Gmail Engineering Director Sam Schillace wrote Jan. 12 on the official Gmail blog.

"We are currently rolling out default HTTPS for everyone. If you've previously set your own HTTPS preference from Gmail Settings, nothing will change for your account ... Gmail will still always encrypt the log-in page to protect your password. Google Apps users whose admins have not already defaulted their entire domains to HTTPS will have the same option."

In 2008, Google gave Gmail users the option of choosing to use HTTPS by default. In June 2009, the company announced that it would consider making HTTPS the Gmail default following an open letter to Google CEO Eric Schmidt from nearly 40 security pros urging the company to enable industry-standard transport encryption technology by default for Gmail, Google Docs and Google Calendar.

Users will retain the ability to turn off HTTPS if they have performance concerns, Schillace said, explaining that those who don't want the feature can select "Don't always use HTTPS" from the settings menu.