The correct answer for the above question can be found in the Official Gmail Blog. Here it is :
- If you access Gmail using HTTP, your password will be protected from sniffer, but after you have successfully login to Gmail, your email traffic will be in clear-text.
- But if you use HTTPS, your password and your email traffic will be protected.
Gmail give you those two options because HTTPS needs more resources to encrypt and decrypt the data. Are you feeling secure with HTTPS ?
Recently in Defcon, Mike Perry of Riverbed Technologies, introduced a tool that can be used to automate the cookie stealing process for Gmail, and the likes. The bad news is : eventhough you access Gmail via https://mail.google.com you are still vulnerable to the cookie stealing attack.
Here is a quote from Mike Perry :
Perry said. “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”
So how do you protect from the attack ?
- by setting “Always use https” in Gmail
- use logout button whenever you’re done with the site.