Google recently made a change on Gmail which allows users to enable SSL encryption (also known as https) for the entire site/application, where previously SSL was only used on the login page <insert applause sound here>.
Being that I’ve been using GMAIL recently for more than just transitory throwaway email (I know… I know…), I’m very happy Google decided to further protect its customers by adding SSL to the entire site!
Let’s quickly get to the How-To: Enable SSL for All Pages inside Gmail
1) Log in to Gmail and click Settings
2) Scroll to the bottom, select the “Always use https” bullet and click Save Settings
3) Refresh your browser (usually just by pressing F5) and TADAA!!! This refresh enables HTTPS for all GMAIL pages!
Some of you might be asking “What’s the big deal? Why the excitement? Sure, encryption in transit is a good thing. But the likelihood that someone is sniffing/capturing my traffic between my browser and the Gmail server is probably between 1-5% at best. (50%-75% if you have a bored IT guy at work.)” And ya know what, if that’s what worried me, I’d agree; don’t waste the time. BUT, that’s not the scenario that concerns me.
You see, one of the great things about Gmail (or any online service for that matter) is its ability to be accessed from any computer, anywhere in the world including:
- Mobile Device (iPhone etc.)
- Friend’s/Relative’s/Girlfriend’s Computer
- Kiosk Terminals (see where I’m going with this?)
And that’s actually where the danger lies. You see, almost all web pages you access (including your Gmail, Hotmail, and Yahoo Mail accounts) are cached by your web browser and stored on the computer’s (or kiosk’s) local hard drive. The only exception to this rule, of course, is SSL-protected pages!!! You see, the default behavior for almost all Internet browsers (out of the box) is NOT to cache SSL pages (aka https pages). That’s why I’m making such a big deal about Google enabling SSL protection for ALL pages on Gmail.
Example – A few years back when I worked for a corporation as a computer forensics specialist, some of the most useful data I would gather would be from the user’s Cached Internet Folders. It’s amazing what you ALWAYS find in there. Included in the findings were ALWAYS the user’s emails from their Hotmail or Yahoo Mail accounts. I know… eek!
So, do you get it? Go now and enable SSL ASAP if you’re a GMAIL user. Trust me, the last thing you want is your personal email sitting on an airport terminal kiosk left for anyone to read and exploit!
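The disk-caching argument above can also be checked from the response side. The following Python sketch is an added example, not part of the original post: it classifies responses by URL scheme and `Cache-Control` header, going one step beyond the post by also honouring the server's `no-store` directive. The `webmail.example` URLs and headers are constructed samples, and the https verdict takes the browser default described in the post as an assumption.

```python
from urllib.parse import urlsplit

def parse_cache_control(value):
    """Split a Cache-Control header into a {directive: argument-or-None} dict."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def disk_cache_verdict(url, headers):
    """Classify whether a response may end up in a browser's on-disk cache.

    "never-stored"      - server sent no-store, so a compliant cache keeps nothing
    "browser-dependent" - https without no-store: staying off disk relies on the
                          browser default described in the post (an assumption)
    "disk-cacheable"    - plain http without no-store
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control"))
    if "no-store" in directives:
        return "never-stored"
    if urlsplit(url).scheme.lower() == "https":
        return "browser-dependent"
    # no-cache and Pragma: no-cache only force revalidation before reuse;
    # they do not stop the page body from being written to disk.
    return "disk-cacheable"

# Constructed sample responses (hypothetical host, not captured traffic).
SAMPLES = [
    ("http://webmail.example/inbox", {"Cache-Control": "private, max-age=0"}),
    ("http://webmail.example/read?id=1",
     {"Cache-Control": "no-cache", "Pragma": "no-cache"}),
    ("https://webmail.example/inbox", {"Content-Type": "text/html"}),
    ("https://webmail.example/read?id=1", {"cache-control": "No-Store, private"}),
]

def audit(samples=SAMPLES):
    """Return (url, verdict) pairs for every sample response."""
    return [(url, disk_cache_verdict(url, hdrs)) for url, hdrs in samples]

if __name__ == "__main__":
    for url, verdict in audit():
        print(f"{verdict:18} {url}")
```

Only the last sample is kept off disk regardless of browser settings; the plain-http pages are cacheable even when they send `no-cache`.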
As of 8/26/08 (Bad news for Yahoo and Hotmail Users)
- Gmail.com – SSL/https encryption supported for all pages including Login and Email Reading/Authoring
- mail.Yahoo.com – SSL/https forced during login; however, SSL is unsupported for any other page
- Hotmail.com/mail.Live.com – SSL/https is unsupported for ANY pages (not even the login page)
Questions? Comments? Would love to hear from you!