Researchers ask Google to make HTTPS the default

A group of 37 researchers in information security and privacy law have sent an open letter to Google encouraging the company to enable HTTPS as the default protocol for Google Mail, Docs, and Calendar. Doing so, the letter says, will protect Google customers’ communications from theft and snooping.

“Google uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help.

Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers’ sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and Adwords.

Rather than forcing users of Gmail, Docs and Calendar to “opt-in” to adequate security, Google should make security and privacy the default.”

See the post on Wired’s Threat Level blog for more information and a quote from Google in response.

“Google responded Tuesday morning, saying that it is already ahead of the pack by even offering HTTPS, and that the company is looking into whether it would make sense to turn it on as the default for all Gmail users.

“Free, always-on HTTPS is pretty unusual in the e-mail business, particularly for a free e-mail service,” Google engineer Alma Whitten wrote Tuesday morning on Google’s security blog. “It’s something we’d like to see all major webmail services provide.”

The company is planning a trial where small samples of different types of Gmail users will be shifted to a default HTTPS to see how fast things load, how happy users are and what networks or computer setups fare badly, according to Whitten.

“Unless there are negative effects on the user experience or it’s otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users,” Whitten wrote, noting that the extra cost associated with the computing power needed for encryption was not holding the company back.”