

Default HTTPS access for Gmail
http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html

======
houseabsolute
This whole incident seems to have put the fear of god in them.

~~~
buro9
I like this idea though, indeed I like the idea of the web being https by
default.

Where I find it funny in relation to email is that email passes over the
internet in plain text and without Google adding PGP or something to Gmail the
benefits for this aren't great.

Considering the current incident with China, and the hacking in December.
https for gmail will prevent snooping of gmail, but wouldn't prevent the email
being intercepted if sent to or CC'd anyone on any other domain where the
traffic crossed China (or it could offer low-hanging fruit in other countries
as relays may not be as secure).

It does help increase intra-Gmail security (as using the web to author would
author it being visible before being sent) but it wouldn't wholly secure the
entire transaction end to end which surely should be the goal.

I'd love to see Google take steps to offer a public key encryption system for
Gmail that could secure the email even as it passed over other systems and to
recipients in potential hot-zones.

~~~
forkqueue
Actually, not all email passes in plain text - a decent chunk (although
doubtless a minority) uses SMTP over TLS.

Many servers have it configured, and if it's available on the destination
almost all MTAs will use it to send mail to other servers, even if they don't
support receipt of mail in this way.

~~~
AndrewDucker
Gmail uses TLS to encrypt SMTP if you're using a client app.
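
Added example, not part of any comment in the thread: one way to see which server-to-server hops of a delivered message were recorded as using SMTP over TLS is to read the `with` clause of its `Received` headers (ESMTPS and related values, RFC 3848). The sample message, host names and addresses are constructed for illustration.

```python
import re
from email import message_from_string

# "with" protocol values that indicate TLS on that hop (RFC 3848, RFC 6531).
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
            "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample message; hosts use reserved example domains.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.20])
\tby mx.example.org with ESMTP id C3; Wed, 13 Jan 2010 10:00:05 +0000
Received: from out.example.com (out.example.com [192.0.2.10])
\tby relay.example.net with ESMTPS id B2; Wed, 13 Jan 2010 10:00:03 +0000
Received: from webmail.example.com (localhost [127.0.0.1])
\tby out.example.com with ESMTPSA id A1; Wed, 13 Jan 2010 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: constructed test

body
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def hops(raw):
    """Return [(from_host, by_host, protocol, tls_claimed)] in transit order."""
    msg = message_from_string(raw)
    out = []
    # Received headers are prepended, so reverse to get sender-to-recipient order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            proto = m.group(3).rstrip(";").upper()
            out.append((m.group(1), m.group(2), proto, proto in TLS_WITH))
    return out

def cleartext_hops(raw):
    """Hops whose Received header does not claim TLS."""
    # Each header is written by the receiving server; earlier hops can forge
    # theirs, so treat this as a record of claims, not proof of encryption.
    return [(f, b) for f, b, _, tls in hops(raw) if not tls]

if __name__ == "__main__":
    for f, b, proto, tls in hops(SAMPLE):
        print(f"{f} -> {b}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```
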

------
siculars
Google... hardening...

This is old news for people who know (or care) about https. But it is new news
in terms of the Goog vs. China cyber war. The winners in all this will most
certainly be Google customers outside of China because Google will continue
hardening their defenses which will make computing with Google safer for the
end user. Will it help users in China? Time will tell...

------
gluegadget
Good that it's still possible to turn it off. In Iran 2-3 days before and after
each political event government restricts access to only :80. No IMAP no POP3,
and no :443.

~~~
bdonlan
The login form always uses HTTPS.

~~~
gluegadget
And there's also the remember me feature.

------
euroclydon
I guess they put this off mainly because of the performance hit. I found the
following quote regarding HTTP vs HTTPS performance on SO:

_One point that has been brought up by several others is that SSL handshaking
is the major cost of HTTPS. That is correct, which is why "typical session
length" and "caching behavior of clients" are important._

_Many, very short sessions means that handshaking time will overwhelm any other
performance factors. Longer sessions will mean the handshaking cost will be
incurred at the start of the session, but subsequent requests will have
relatively low overhead._

SO Ref: [http://stackoverflow.com/questions/149274/http-vs-https-perf...](http://stackoverflow.com/questions/149274/http-vs-https-performance)

I wonder which they view as more significant, gmail latency or increased
server load?

~~~
acdha
I'd be surprised if the answer wasn't latency - this kind of server load would
be easy to scale with their engineering resources and they're big on the
competitive advantage of user-perceived performance.

------
lanstein
If only Yahoo had HTTPS available at all after login... Kind of fond of that
address.

------
mjgoins
It's kind of amazing that it wasn't like this from the start. Unsecured coffee
shop wifi + http = everyone in the room can grab your password.

~~~
maukdaddy
No. GMail's login page is always HTTPS so no one in the coffee shop can grab
your password.

However, all the mail is in the clear. So if some crappy website sends your
password via email, then someone can grab it.

~~~
flogic
Which is just as bad.

~~~
pwmanagerdied
Bad minus being able to directly sniff your password equals less bad, not just
as bad.

