Google: always-on email HTTPS is ‘pretty unusual’


17 Jun 2009

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Following an open letter to Google’s CEO Eric Schmidt from 37 researchers and academics in the fields of computer science, information security and privacy law, asking for more user protection through default encryption, the company has said it plans to incorporate these suggestions, possibly for all Gmail users.

The HTTPS (secure HTTP) encryption technology is an industry standard and is used by Google, but it is not a default setting across Gmail and Google Docs when data is being transferred, the security experts who wrote to Google said.

“Rather than forcing users of Gmail, Docs and Calendar to ‘opt-in’ to adequate security, Google should make security and privacy the default,” the letter said.

The letter went on to point out that massive data breaches such as the TK Maxx incident http://www.siliconrepublic.com/news/article/7290/cio/hack-attack-at-tk-maxx/ showed that valuable information can and will be exploited by hackers, adding that tools such as packet sniffers make it even easier for amateur hackers to intercept confidential files. As Gmail and Google’s other services are so widely used, Google should lead by example, the letter stated.

In a blog post response to the letter, Alma Whitten, software engineer for Security and Privacy Teams at Google, said: “ Free, always-on HTTPS is pretty unusual in the email business, particularly for a free email service, but we see it as another way to make the web safer and more useful. It’s something we’d like to see all major webmail services provide.

“In fact, we’re currently looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”

Despite pointing this out, Whitten said Google does see the point of HTTPS for power users and will be trialling this offering soon. However, she noted that Google wants to completely understand the impact – for example, slower service – of an always-on HTTPS user experience.

“We’re also considering how to make this work best for other apps including Google Docs and Google Calendar (we offer free HTTPS for those apps as well),” she added.

By Marie Boran