Google tightens HTTPS protections in Gmail in light of government snooping
Citing the need to protect users from government cyber-spying, Google has tightened Gmail’s encryption screws by removing the option to turn off HTTPS.
Google first gave people the option of encrypting their Gmail sessions via the HTTPS (Hypertext Transfer Protocol Secure) communications protocol in 2008. Google turned it on by default in 2010 for all users, but allowed them to turn it off manually. Not anymore.
“Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email,” Nicolas Lidzborski, Gmail Security Engineering Lead, wrote in a blog post Thursday.
He highlighted the security benefits of having HTTPS permanently on. “Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you’re using public WiFi or logging in from your computer, phone or tablet,” Lidzborski wrote.
In addition, all messages sent or received by Gmail users will remain encrypted while moving among Google data centers. That is “something we made a top priority after last summer’s revelations,” Lidzborski wrote, alluding to the press leaks from whistleblower Edward Snowden, the former contractor for the U.S. National Security Agency who was disgruntled with its surveillance methods and practices.
When it announced the availability of HTTPS for Gmail and later when it turned it on by default, Google officials noted that the security boost from using HTTPS would sacrifice performance by increasing latency to a certain degree. It made no mention of that in Thursday’s blog post.
Asked for comment about the security-speed tradeoff of using HTTPS, a Google spokeswoman said the Gmail team has worked hard to mitigate any performance impact, and that at this point the company believes it makes no sense to allow unencrypted HTTP connections. Plus, currently most people use HTTPS, she added.
Lidzborski also revealed in the blog post that Gmail had uptime of 99.978 percent in 2013, which works out to under two hours of downtime for a user during the year.