PSA: https and gmail

Geekery — January 19, 2008 at 1:43 pm

Those of you who know me know that I don’t use Gmail for a variety of reasons. But, I know you do. Here’s looking at you, kid.

When you go to http://gmail.com to log in, your browser greets you with a happy “this webpage is secure” notification.

And you sign in. Your username and password are sent using an encryption technology called SSL/TLS so that people who see your information go by can’t actually read it.

*

Google then sends you, over the same encrypted connection, a delicious cookie to identify you so that you don’t have to sign in every time you request something from them.

This is all standard practice. But then Google does something sneaky. It redirects you to the non-encrypted version of Gmail.

All subsequent information you retrieve is sent over the internet unencrypted, available for any eavesdropper to see.

*

This is particularly important when you’re browsing over an untrusted network, like the wireless network at Starbucks, the connection you happen to use on a park bench, or even my wireless network when you come to my apartment (where I may or may not log packets).

Now, we all know that you don’t want your correspondence with the new half-orc you met at the Friday Dungeons and Dragons session to be known to the world.

Worse than anyone being able to see everything you send back and forth to Google, the eavesdropper could intercept the delicious cookie, install it in their browser, and impersonate you. They would have complete access to all of your information at Google.

There is a simple fix to avoid this potential embarrassment, however cute the half-orc may in fact be. Instead of going to http://gmail.com, use https://gmail.google.com, which will encrypt everything you send to and receive from Google.

Remember, your love life is counting on it.
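
As an added example (not part of the original post), the Python code below audits a recorded login flow for the two conditions described above: a session cookie set over HTTPS without the Secure attribute, and a redirect from HTTPS back to plain HTTP. The host mail.example.test, the cookie name and the flow itself are constructed, and the check assumes a single host, so cookie Domain and Path scoping are ignored.

```python
from urllib.parse import urlsplit

# Constructed login flow (not captured traffic). Each hop is
# (request URL, status code, response headers as (name, value) pairs).
SAMPLE_FLOW = [
    ("https://mail.example.test/login", 302, [
        ("Set-Cookie", "SESSION=abc123; Path=/; HttpOnly"),
        ("Location", "http://mail.example.test/inbox"),
    ]),
    ("http://mail.example.test/inbox", 200, [
        ("Content-Type", "text/html"),
    ]),
]

def cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_flow(flow):
    """Report cookies issued over HTTPS that will also travel over HTTP.

    Assumption: every hop is on the same host, so Domain/Path are not matched.
    """
    findings = []
    exposed = set()  # cookies set over HTTPS without the Secure attribute
    for url, status, headers in flow:
        scheme = urlsplit(url).scheme
        if scheme == "http":
            # A browser attaches every non-Secure cookie to this request.
            for name in sorted(exposed):
                findings.append(f"cookie {name} sent in cleartext to {url}")
        for hname, value in headers:
            h = hname.lower()
            if h == "set-cookie" and scheme == "https":
                name, attrs = cookie_attrs(value)
                if "secure" not in attrs:
                    exposed.add(name)
                    findings.append(f"cookie {name} set over HTTPS without Secure")
            elif h == "location" and scheme == "https" and 300 <= status < 400:
                if urlsplit(value).scheme == "http":
                    findings.append(f"HTTPS to HTTP redirect: {url} -> {value}")
    return findings
```

A flow whose cookie carries `Secure` and whose redirect stays on `https://` produces no findings.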


* “Alice” is the name used for the unassuming victim of computer security. “Eve” is the typical name for the “eavesdropper.”

Picture of happy baby by cnbyates.
Picture of cookie baby by Jason Trom.
Picture of Eva Longoria by steature.
Picture of Orc Donny by cristajoy42
All are licensed under CC Attribution-Noncommercial 2.0 Generic.

5 Comments

  1. Why does Google redirect you to the unencrypted page? OR, why don’t they just make http://gmail.com redirect to https://gmail.com?

    Comment by Somudro Gupta — January 20, 2008 @ 1:18 pm
  2. Hey, it still says 0 comments! I demand my previous comment, as well as this one, to be heard.

    Comment by Somudro Gupta — January 20, 2008 @ 1:21 pm
  3. I don’t know why they do that. I surmise that it’s because encryption is expensive. For every packet sent back and forth, a non-trivial amount of computation has to take place in order to encrypt it. While your desktop probably has available cycles to do this, they have to do this for all users.

    That gets expensive very quickly. There are a lot of variables, but performance impact can be an order of magnitude or more.

    Comment by Eric — January 20, 2008 @ 3:49 pm
  4. While it’s probably cost issues, there are even more problems. First of all, distributing certificates to thousands of internet-facing servers still isn’t perfectly solved. Also, because SSL encrypts *everything*, you have to present the certificate before the browser sends the Host: field. This means you can’t use VHosts for SSL.

    Comment by Casey — January 21, 2008 @ 2:16 pm
  5. That’s all true, but I think those are tangential problems that don’t concern gmail.

    Comment by Eric — January 21, 2008 @ 2:38 pm


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. | Eric Garrido