Webmail sessions protected via SSL

Jan 14, 2010 16:35 GMT

After security researchers and privacy advocates begged Google for years to enable HTTPS on Gmail by default, the company finally decided to do it. The most important consequence is that users checking their email from insecure networks will be protected from Man-in-the-Middle attacks.

For well over a decade, the Hypertext Transfer Protocol Secure, or HTTPS, has been used to communicate securely over the Web. Today, it is a standard for websites that deal with sensitive data, like payment transactions or personally identifiable information (PII).

However, security experts have long argued, and for good reason, that e-mail accounts should also be protected by this technology. This is because a mailbox compromise can have a greater impact on an individual's life than, say, stolen credit-card details.

To put things into perspective, if your credit card is compromised and someone racks up fraudulent charges on it, the card can easily be canceled and your bank will most likely reimburse you. However, if someone obtains access to your primary e-mail account, they can peer directly into your personal life. They can read private information about you, and possibly your family and friends, or they can impersonate you. That cannot be so easily reversed.

Additionally, a lot of people do not delete confirmation emails containing login details for other accounts from their inboxes. And even if they did, with enough information about them and access to their e-mail account, an attacker can request password resets on most websites where they are registered.

To give an example, back in July, starting only by compromising the personal e-mail account of a Twitter employee, a hacker ended up gaining access to the Gmail, Google Apps, AT&T, Amazon, PayPal, iTunes, MobileMe and GoDaddy accounts of multiple Twitter employees, including its founders, Evan Williams and Biz Stone. He also walked off with a load of confidential Twitter corporate documents and internal memos. All he used was social engineering.

At the 2008 Defcon hacking conference in Las Vegas, a security researcher demonstrated a Man-in-the-Middle (MitM) attack able to hijack Gmail accounts, precisely because of the lack of HTTPS. First, the attacker had to join the same network as the targeted Gmail user – easily achieved in the case of public wireless hotspots or poorly protected personal WLANs – and run an automated tool.

The attack worked because websites like Gmail used session cookies (small text records stored by the browser) to identify logged-in users for a predetermined amount of time or until the user signed off manually. The tool sent traffic to the targeted user containing an image loaded over plain HTTP from mail.google.com, thus tricking the browser into responding with the session cookie for identification. With the cookie in his possession, the attacker could load it into his own browser and access the webmail session of his victim.

Forcing the entire webmail session over HTTPS, and not just the authentication process, has two benefits. First, data passed between the browser and the server is always encrypted, which makes intercepting such traffic useless. Secondly, the user can always be sure they are connected to the correct website, otherwise the handshake between the server and the client will fail. This is particularly important in the case of DNS poisoning attacks, when the DNS record for a domain name is hijacked and pointed to an IP under the attacker's control.
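The cookie leak described above, and why an all-HTTPS session closes it, can be modelled in a few lines. This is an added example, not code from the article or from Google: it implements a simplified browser cookie-jar decision (hostname match plus the `Secure` attribute, which is the cookie-level counterpart of forcing the whole session over HTTPS) and uses a constructed placeholder domain `mail.example` and a constructed session cookie value.

```python
# Added example: models how a browser decides whether to attach a session
# cookie to a request, showing why a cookie set without Secure leaks over a
# plain-HTTP image load even though the login itself happened over HTTPS.
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse a Set-Cookie header (simplified: 'name=value; attr; attr=val')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name, value=value, domain=origin_host)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "secure":
            cookie.secure = True          # only ever sent over HTTPS
        elif key.lower() == "domain":
            cookie.domain = val.lstrip(".")
    return cookie


def cookies_sent_to(url: str, jar: list) -> list:
    """Return names of cookies a browser would attach when fetching url."""
    u = urlparse(url)
    is_https = u.scheme == "https"
    sent = []
    for c in jar:
        host_match = u.hostname == c.domain or u.hostname.endswith("." + c.domain)
        if host_match and (is_https or not c.secure):
            sent.append(c.name)
    return sent


# Constructed sample: the same session cookie as a webmail login would set it,
# once without and once with the Secure attribute (placeholder domain/value).
WEAK = parse_set_cookie("SID=abc123; Domain=.mail.example; Path=/", "mail.example")
HARDENED = parse_set_cookie("SID=abc123; Domain=.mail.example; Path=/; Secure", "mail.example")

# The injected image load from the article is a plain-HTTP request to the mail host.
INJECTED_IMAGE = "http://mail.example/images/logo.gif"


def leaks_over_http(cookie: Cookie) -> bool:
    """True if the browser would hand this cookie to the injected plain-HTTP load."""
    return cookie.name in cookies_sent_to(INJECTED_IMAGE, [cookie])
```

Run `leaks_over_http(WEAK)` and `leaks_over_http(HARDENED)` to see the leak appear and disappear; the only difference between the two cookies is the `Secure` attribute.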

Google has offered HTTPS support for entire sessions in Gmail since 2008. However, benefiting from this added protection required users to open their account settings and turn the feature on, or to manually type https://mail.google.com in the browser address bar. That might seem easy enough for computer-literate or security-aware individuals, but the reality is that the average user expects email to work "out of the box."

Because of this, 37 reputed security researchers, privacy advocates and academics sent a letter to Google's CEO, Eric Schmidt, in June 2009, asking him to consider encrypting all Gmail, Google Docs and Google Calendar connections by default. The company responded that it would take the request into consideration and would run tests on various groups of users to determine the impact on performance.

By design, HTTPS connections are slower than HTTP ones because of the encryption and decryption taking place, but this should generally be unnoticeable for broadband users. Of course, not everyone has a fast Internet connection, but, at a time when the number of users with broadband connectivity outweighs that of users on slower connections, it doesn't seem fair to deprive the majority of an important security feature.

However, this doesn't mean that users in developing countries with poor Internet access will no longer be able to use Gmail properly. This is because Google only reversed the default state of the settings, which means HTTPS can now be disabled manually from the account options.