HTTPS in Gmail

What is the difference between https://mail.google.com and http://mail.google.com ? Answer : one s. :D

The correct answer for the above question can be found in the Official Gmail Blog. Here it is :

  • If you access Gmail using HTTP, your password is protected from sniffers during login, but after you have successfully logged in to Gmail, your email traffic travels in clear text.
  • If you use HTTPS, both your password and your email traffic are protected.

Gmail gives you those two options because HTTPS needs more resources to encrypt and decrypt the data. So, are you feeling secure with HTTPS?

Recently at Defcon, Mike Perry of Riverbed Technologies introduced a tool that automates the cookie-stealing process for Gmail and similar sites. The bad news: even though you access Gmail via https://mail.google.com, you are still vulnerable to the cookie-stealing attack, because the session cookie can still be sent over a plain HTTP connection.

Here is a quote from Mike Perry:

“This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”

So how do you protect yourself from the attack?

  • Set “Always use https” in the Gmail settings, so that the session is never downgraded to HTTP.
  • Use the logout button whenever you are done with the site, so the session cookie is invalidated.
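The mechanism behind the first point is the cookie `Secure` attribute from RFC 6265: a browser only attaches a cookie marked `Secure` to `https://` requests, so a session cookie set without it is sent in the clear the moment any `http://` link to the same domain is followed, however the login itself was done. The following Python is an added illustration, not code from the original post and not Gmail's actual cookie handling; the cookie names, values and the `example.test` hosts are constructed. It parses a `Set-Cookie` header, models which cookies a browser would send to a given URL, and reports the weak setting beside the corrected one.

```python
"""Why a session cookie without the Secure attribute leaks over plain HTTP
even after an HTTPS login. Constructed example: names, values and hosts
are made up, not Gmail's."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str, default_domain: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie record."""
    jar = SimpleCookie()
    jar.load(header)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie in the header")
    name, morsel = next(iter(jar.items()))
    return Cookie(
        name=name,
        value=morsel.value,
        # Host-only cookie when no Domain attribute is given.
        domain=(morsel["domain"] or default_domain).lstrip("."),
        secure=bool(morsel["secure"]),
        httponly=bool(morsel["httponly"]),
    )


def cookies_sent(jar: list[Cookie], url: str) -> list[str]:
    """Names of cookies a browser would attach to a request for `url`.

    Domain matching is simplified to an exact host or parent-domain suffix;
    the rule being illustrated is the Secure attribute: a Secure cookie is
    only sent when the request scheme is https."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    is_https = parts.scheme == "https"
    sent = []
    for c in jar:
        domain_ok = host == c.domain or host.endswith("." + c.domain)
        if domain_ok and (is_https or not c.secure):
            sent.append(c.name)
    return sent


def audit(header: str, default_domain: str) -> list[str]:
    """Defender's check: findings for a session cookie header."""
    c = parse_set_cookie(header, default_domain)
    findings = []
    if not c.secure:
        findings.append(f"{c.name}: missing Secure; sent over plain http://")
    if not c.httponly:
        findings.append(f"{c.name}: missing HttpOnly; readable by page scripts")
    return findings


# Constructed headers as a server might send them after login (not real).
WEAK = "SID=s3ss10n; Domain=.example.test; Path=/; HttpOnly"
STRONG = "SID=s3ss10n; Domain=.example.test; Path=/; Secure; HttpOnly"


def demo() -> dict[str, list[str]]:
    """Which cookies reach an http:// vs https:// page under each setting."""
    weak = [parse_set_cookie(WEAK, "example.test")]
    strong = [parse_set_cookie(STRONG, "example.test")]
    return {
        "weak_http": cookies_sent(weak, "http://mail.example.test/"),
        "weak_https": cookies_sent(weak, "https://mail.example.test/"),
        "strong_http": cookies_sent(strong, "http://mail.example.test/"),
        "strong_https": cookies_sent(strong, "https://mail.example.test/"),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
    for line in audit(WEAK, "example.test"):
        print("finding:", line)
```

Running `demo()` shows the weak cookie reaching the `http://` page while the `Secure` one is withheld there and still works over `https://`; `audit()` is the kind of check a deployment review would run over real `Set-Cookie` headers.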
