Google to enhance security of Gmail and cloud apps, which aren’t that secure yet

By Partho, Gaea News Network
Wednesday, June 17, 2009

What if you thought Gmail was the most secure email service on Earth? Vulnerabilities in Google’s online services have come to the fore. A group of advocates including 38 computer scientists, law professors and security experts has pointed out that Gmail is insecure because users are not using an encrypted HTTPS (Hypertext Transfer Protocol Secure) connection to log into their email accounts. When a user composes email, documents, spreadsheets, presentations and calendar plans, the sensitive content is transferred to Google’s servers insecurely, which allows unauthorized access to the information by anyone with the right tool. Prompted by the security experts, Google announced that it plans to test a secure version of its Gmail service to ensure that the service becomes impregnable.

Google’s new move is to change its back-end servers so that some users automatically use an encrypted HTTPS connection when they use Gmail. Currently, users log in to Gmail via HTTPS, but after that the web pages are sent without any encryption.

The privacy experts do not approve of this approach, because it might allow hackers with access to the network in places like cafés with Wi-Fi to hack a Google account using a technique called session hijacking. They might also read emails containing classified information.

Christopher Soghoian, one of the 38 security and privacy experts to advise the changes to Google, says:

“If you wanted to steal someone’s identity, the inbox is where it’s at.”

Soghoian, a student fellow with the Berkman Center for Internet and Society at Harvard University, called on Google, along with the other experts, to adopt HTTPS.

HTTPS offers dual protection: it encrypts e-mail, making it harder to read, and it also provides a way to authenticate the servers. Users can be more sure that they’re really talking to Google and not some phishing site.

Gmail users can already read their messages via HTTPS. To do this, you need to click on the browser connection box at the bottom of the settings page. In this test, HTTPS is turned on by default. HTTPS can be used to securely connect part of a Web page or the entire page.

Google Docs and Calendar users can connect via HTTPS. However, there’s no setting that can make it permanent. Users need to type https:// every time they connect to these services.

Last year, Google made it clear that it was not using HTTPS by default because it makes the website too slow. Since the encrypted messages contain more information, HTTPS might slow down Web surfing.

Over the past few weeks, Soghoian introduced the idea at privacy events that Google should be pressured about SSL (Secure Sockets Layer). Google responded to the situation quickly.

Google Software Engineer Alma Whitten wrote in a blog that the company would move small samples of different types of Gmail users to HTTPS for a trial, to measure the effects on the performance of their e-mail. They would test whether it loads fast, whether it is responsive enough, and whether there are particular regions, networks, or computer setups that do particularly poorly on HTTPS.

If the test is successful, Google might turn on HTTPS by default for all Gmail users.

There are no indications of when Google will begin the testing.

Obviously, using HTTPS would slow down the service. Google has to see whether Gmail users would tolerate the change. Google is considering applying the security test to its other apps, like Google Docs and Google Calendar.

Discussion
June 25, 2009: 4:42 pm

This article is misleading. Commercial, educational and non-profit institutions using Google Apps have been able to make HTTPS encryption a default option for all of their services for over a year.
In short, if you’re paying for Google Apps, you can (and should!) do this.
