Why Gmail users are "needlessly" being put at risk.
Saturday, June 20, 2009
"As more of us end up using insecure internet access - such as Wi-Fi in coffee shops, libraries, and so forth - there's a real risk of session hijacking,"
When users sign on to Gmail, their login name and password are encrypted as the data passes back and forth using the secure version of HTTP known as HTTPS.
The risk was from hi-tech criminals who snoop on the unencrypted data passing back and forth to steal ID files called "session cookies" generated when these applications start being used.
In Gmail's case, this could mean they might send e-mails in the owner's name, abuse their identity, change a password, or hijack an account.
"It's a frightening prospect,"
The open letter pointed out that Google used HTTPS to protect the data of users of its Health and Voice applications.
While Google does make it possible to use HTTPS all the time when signed on to Gmail, Docs, or Calendar, the option was so hard to find that few would use it, suggested the letter.
It pointed out that most users retain default options and were likely to be leaving themselves at risk.
"...unless the security issue is well known and salient to consumers, they will not take steps to protect themselves by enabling HTTPS,"
If Google took the step to turn on HTTPS all the time, the risks would be removed.
In response, Google is looking into whether it makes sense to use HTTPS all the time in Gmail. Before doing so, it wants to be sure that the average user's experience of Gmail is not markedly changed by turning it on.
It fears that enabling the encryption would slow down response times as data is scrambled and unscrambled on a PC and Google's mail servers.
Google is planning a trial "in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their e-mail."