39 comments:
The option to turn HTTPS always on does not seem to be available in Gmail for Google Apps.
I am a huge fan of always-on https for Gmail. One problem I have run into, however, is the incompatibility of the official Gmail iGoogle gadget (even when accessing iGoogle via https). This is a minor inconvenience, however, to keep other roommates, hotel guests, Starbucks customers, etc. out of my email.
It's a shame that Google is still not forcing users to be on an SSL connection! In Europe there is a law that requires that all privacy-related information is sent over a secure connection (SSL).
See the links below for more information about this law in the Netherlands:
http://www.networking4all.com/en/ssl+certificates/legal+obligations/
http://english.justitie.nl/themes/personal-data/
I'm commenting just to second Matt's complaint about not being able to access Gmail from iGoogle. I switched to "always on" a while back for just the reasons you mentioned (thank you for providing the option when other services don't!), and I don't think I noticed any difference at all in performance. It's just that I wish I could see a little more from the gadget...
Keep up the good work, and I look forward to having the option in other apps!
Yeah, I'd like to have an https-compatible Gmail gadget for iGoogle too!!
It would be quite interesting to know how many power users there are: How many SSL-only sessions are there (as a percentage of all daily sessions, for example)?
@salsawizard: ask your administrator; he/she can force https for all users with a single option.
Expanding https is an excellent idea, and I echo the above pleas to get your iGoogle gadget in line with this approach.
Default https for Wave sounds prudent too...
Regards,
John
Another vote for updating the iGoogle gadget.
Including HTTPS by default sounds great.... a first step... However, I am looking for some more. If you want your services to be really great for security-minded people you might want to consider the option to encrypt the mails you send with Gmail. You have tools like FireGPG; however, it would be great, in my opinion, if you enabled encryption from within the web frontend of Gmail.
I guess this is not considered by Google because it can have a negative effect on scanning the messages for placing ads?
I wonder if people inside Google Labs are thinking about inserting an option like this?
Hope you can comment on this.
Regards,
Johan Louwers.
I was thrilled when Gmail offered forced https for free Google Apps account and I turned it on immediately. But I think the authors of the letter are right that most people don't know enough to turn it on, so having it on by default makes sense. Users experiencing a slower Gmail is vastly more preferable to users experiencing their account being stolen, and then subsequently shut down by Google automatically after it is abused.
I would like it even more if there was a simple way to do two-factor authentication.
I have recently been reading about Yubikey, which seems simpler to use than most other methods for two-factor authentication. It would be great if Google supported and widely publicized their support for Yubikey and/or some other very simple two-factor authentication method.
I believe the SSL option in Google Apps for your Domain is not on the users' side as in the Gmail account. You have to ask your administrator (or do it yourself) to enable it in the Google Apps control panel under Domain Settings > General > SSL. That would enable it for all apps under your domain, which is pretty cool. The speed and responsiveness seem the same to me so far.
As an update to my previous post about the legal security obligations in The Netherlands, I want to refer you to the link below with the European directive on the protection of personal data:
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML
(46) Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorized processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected;
The web is not restricted to desktop browsers, and mobile clients play an important role. Given the fact that a couple of mobile browsers behave weirdly on an HTTPS connection, we need a unified approach to web security where both the HTTP and HTTPS protocols are taken into consideration.
You should keep HTTPS as the default and give the no-HTTPS option to those who think it's slower.
And I don't know if it is HTTPS, but sometimes Gmail stops, then I can't send e-mails or delete them, and there's nothing I can do to fix it, just wait.
Also, you guys could focus more on your apps than on HTTPS. There are a lot of good apps, but some of them, like Twitter for Google Desktop, aren't so good...
Thanks to everyone who educated me on the SSL issue for Google Apps. I found the SSL option in the admin page on the Domain Settings tab and enabled it. I have to say, though, that was the last place I would have looked without help. Thanks!
The multiple-file upload Flash control from Google Labs does not obey the use-https-only setting. Please fix this.
Not forcing HTTPS is terrible for a company that has so many people using its services! Not to mention this was on the google security blog... I mean, modifying content over HTTP is so easy a caveman can do it! A simple ettercap filter, understanding of your target, and some simple thinking outside of the box can easily allow me to manipulate the DOM of the client-side user and basically gives me control over the site client-side. I even recently wrote a blog post about how to do this. Then if we can get one of the services, same domain policy sucks for you guys, that's talking on a normal HTTP session to force a connection to your typically TLS'ed service, then I have access to that as well. End being, you need to force HTTPS for all of your services.
Use https generated from CUDA libraries or some other GPU powered source of squinchy crypto maths to do this on the cheap... :)
If you enhance SSL support, please consider supporting SSL gzip compression (RFC 3749). Unlike HTTP level compression, it will also affect the HTTP headers. Yes, hardly a browser supports it, but you have Chrome, might add it and finally give this feature the propagation it deserves.
Even though SSL should always be enabled, users are free to choose and I really like that. It's the Google way.
It should be noted that the Firefox add-on «CustomiseGoogle» provides the user with a simple method to enable https not only for Gmail, but for Google Docs and Google Calendar as well. That said, I think it would be a great step forward if Google were to make https the default setting for each of these applications. But it should also be noted that while doing so would offer a higher level of protection against someone else logging in to one's account (assuming that one hasn't spread one's password around), it does nothing to enhance the security of the contents. For that we need encryption, which I hope Google will also consider offering....
Henri
Given some of the odd and absurd requests in these comments, I doubt anyone from Google will read this far down, but I'll post anyways.
Why isn't this letter being sent to all web mail providers? If Google is ahead of the others, why are Google's attempts labeled inadequate? If you care about encrypting, you'll add the S to your URL. If you don't care, why should anyone else.
Joe, isn't the point about making the services provided by Google even better and more secure for all users, even the less security-conscious? As to why anyone else should care, aside from the milk of human kindness, which admittedly doesn't always flow unhindered, the presence of unsecured users on a network tends to make all users less secure. Thus even enlightened self-interest would argue for our supporting such a step on the part of Google. And surely it's in Google's own enlightened self-interest both to be and to be perceived as a more secure provider of web services?...
Henri
We also run our business on Google Apps. Our administrator has enabled https for all apps, but the personalized start page is still just http. It's a nice start page, and I'd be happy to make it my home page at work, but since I can't get a secure connection to it, I don't use it at all.
I notice that the article did not address using SSL to protect the basic Google Search and the search box in iGoogle pages. Both of these appear to be available at HTTPS URLs but the search feature doesn't really work.
Basically, entering a search at https://www.google.com/ig simply bounces you back to the http://www.google.com/ homepage.
That's pretty lame, for a company so proud of its engineering.
Have to agree with ScalablePower here: surely Google can see to it that searches are always conducted from a page protected (to the degree that this constitutes a protection) by SSL?...
Henri
Does the https serve to secure the whole page, including Chat, Video and Voice? I'm sorry if I sound naive, but when I log into Gmail in Internet Explorer, with https option always-on enabled, the following happens:
The page loads without chat, then there comes this Internet Explorer warning which says "There are some elements in the page which are not secure", and only when I say "That's ok" does the chat load up. I don't want my chats to be sniffed!
Rammy
The scalable Power is the best feature in Google. Thanks for the info..
bloggers
I was just shocked when I saw that my friends' and my project was not encrypted, and that we had to manually https://docs...
It would be very good that all the future Google applications use ssl encryption.
I agree with Vivek Khurana
----
Hoodia Gordonii
OK, I agree this is good for security purposes, but now in my office we are facing a major issue with this: we had blocked Gmail through firewall software, but now it's not being blocked by any firewall....
Does anyone have any solution for how we can block Gmail at the office with HTTPS?
Rajesh
There is a problem with the offline feature and Google Calendar. It silently reverts to insecure HTTP if offline is enabled, making eavesdropping easy. This is bad, as the user is asking for secure HTTPS but gets insecure HTTP without notice.
I wonder how long it will be before Google's SSL encryption becomes the default. Though I may not be an expert, does this include self-signed certificates or just those from leading authorities such as VeriSign and GeoTrust etc.? I've also heard of manipulations of Comodo too, so I guess my thought is: how secure are the secure results in the https search? I also agree about the iGoogle update too.
Any chance you could also add HTTPS support to Blogger?
I've just blogged about this http://gmailblog.blogspot.co.uk/2008/07/making-security-easier.html and in there I propose the idea of a cloud based service to allow secure access to sites like blogger
Thank you, Google, for providing all users with this key https feature.
For many, it may be an option, but for me, and many Iranian activists fighting for their freedom from the Islamic hardliners ruling Iran, HTTPS is a MUST, a strong, though not unbreakable, wall between freedom activists and the Islamic regime, which uses expensive deep-packet analysing devices from Nokia-Siemens as well as cheap equipment from Russia and China.
It is also true for Syrian activists trying to inform the world of Assad's crimes against Syrians.
I hope you can extend this feature to blogging services so that bloggers can log in to their control panel in a secure mode.
HTTPS does make a difference for our lives... Thank you!
Could you please force HTTPS for Blogger, and it's about time for Google Reader too.