Feb 15, 2011 16:51 GMT

Google has enabled default HTTPS connections for Picasa Web Albums, proving yet again that complex mainstream services used by millions around the world can be secured with SSL/TLS without major problems.

For years, online service providers have used SSL for the authentication process in order to protect cleartext passwords from being sniffed from network traffic.

However, while this mitigates one attack vector, it does not protect session cookies from being stolen.

This kind of man-in-the-middle attack was strongly publicized last year due to a Firefox extension called Firesheep, which allows attackers to hijack the accounts of people connected over open wireless networks with a few clicks.
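The gap described above can be audited from a login response, as in this added example (not part of the original article). It uses a simplified browser model and assumes a single host, so only the cookie's Secure attribute and the URL scheme decide whether a cookie travels unencrypted; the hostname, cookie name and values are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(headers):
    """Map each cookie name to True if its Secure attribute is set."""
    flags = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags


def cleartext_exposure(set_cookie_headers, request_urls):
    """Return {url: [cookie names]} for cookies sent without TLS.

    Assumption: every URL is on the same host and path scope as the
    cookies, so a cookie is attached unless it is Secure and the
    request is plain HTTP.
    """
    flags = parse_set_cookie(set_cookie_headers)
    report = {}
    for url in request_urls:
        if urlsplit(url).scheme == "https":
            continue  # encrypted request, nothing visible on the wire
        leaked = sorted(name for name, secure in flags.items() if not secure)
        if leaked:
            report[url] = leaked
    return report


# Constructed sample data: login over HTTPS, then browsing over HTTP.
LOGIN_ONLY_TLS = ["SID=constructed-session-id; Path=/; HttpOnly"]
SECURE_COOKIE = ["SID=constructed-session-id; Path=/; Secure; HttpOnly"]
BROWSING = [
    "https://photos.example/login",
    "http://photos.example/albums",
    "http://photos.example/upload",
]

if __name__ == "__main__":
    print("login-only TLS:", cleartext_exposure(LOGIN_ONLY_TLS, BROWSING))
    print("Secure cookie :", cleartext_exposure(SECURE_COOKIE, BROWSING))
```

With the Secure attribute set, the browser withholds the session cookie from the plain-HTTP pages, so those pages only stay logged in if the whole session is served over HTTPS.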

When Firesheep came out, Google was among the few Internet companies to offer a mainstream service with full-session HTTPS enabled by default: Gmail.

One of the others was PayPal, but the company is part of the financial industry where the use of SSL is standard for online transactions.

Hotmail later added a full-session HTTPS option too, but it is not activated by default. Facebook did too; however, because of the way it is designed, its implementation breaks important functionality.

Google also implemented default HTTPS for some other services that deal with potentially sensitive data and are part of its Google Apps platform, such as Docs, Calendar and Sites.

Judging by the way things are moving along, Google will soon have a large portfolio of mainstream SSL-protected products, while many of its competitors will have none.

In addition, the company recently made another major move towards securing accounts by providing a two-factor authentication option for everyone.

The company has certainly come a long way from June 2009, when 37 security researchers, privacy advocates and academics sent a joint letter to Eric Schmidt, pleading for default full-session HTTPS in Gmail.