Wednesday, July 19, 2006

Encrypt Gmail Traffic

By default, Gmail uses a secure connection (SSL) only to check your credentials (username and password); after that it redirects you to a plain http connection.

Gmail gzip-compresses all sent and received data so it transfers faster, but compression is not encryption: a network sniffer that captures the traffic can simply unzip it.

The https protocol uses more resources on both ends to encrypt and decrypt the traffic, which is why Google didn't make it the default option.

If you want to encrypt your connection to Gmail, there is a simple option: bookmark https://mail.google.com and use it instead of gmail.com, or install a Firefox extension called Customize Google. The extension also switches Google Calendar to an SSL connection.
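As an added example (not code from the original post), the script below walks a constructed redirect chain modelled on the behaviour described above and flags the https-to-http downgrade, plus gzip-compressed bodies served over plain http. The URLs, status codes and bodies are constructed stand-ins, not recorded Gmail traffic.

```python
import gzip
from urllib.parse import urljoin, urlsplit

# Constructed sample: login over https, then the mailbox served over http.
# The login URL is a placeholder, not the real Gmail login address.
SAMPLE_CHAIN = {
    "https://mail.google.com/login": (302, {"Location": "http://mail.google.com/mail/"}, b""),
    "http://mail.google.com/mail/": (200, {"Content-Encoding": "gzip"},
                                     gzip.compress(b"<html>Inbox (3)</html>")),
}

# Constructed sample of the fix: start at the https bookmark and stay there.
SECURE_CHAIN = {
    "https://mail.google.com/mail/": (200, {"Content-Encoding": "gzip"},
                                      gzip.compress(b"<html>Inbox (3)</html>")),
}


def follow(start, responses, max_hops=10):
    """Walk redirects like a browser; return the (url, status, headers, body) hops visited."""
    url, hops = start, []
    for _ in range(max_hops):
        if url not in responses:
            raise KeyError(f"no response recorded for {url}")
        status, headers, body = responses[url]
        hops.append((url, status, headers, body))
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])  # Location may be relative
        else:
            return hops
    raise RuntimeError("too many redirects")


def audit(start, responses):
    """Return a list of confidentiality findings for the chain starting at `start`."""
    findings = []
    hops = follow(start, responses)
    # A hop whose scheme drops from https to http exposes everything after it.
    for (prev_url, _, _, _), (url, _, _, _) in zip(hops, hops[1:]):
        if urlsplit(prev_url).scheme == "https" and urlsplit(url).scheme == "http":
            findings.append(f"downgrade: {prev_url} -> {url}")
    final_url, _, headers, body = hops[-1]
    if urlsplit(final_url).scheme == "http" and headers.get("Content-Encoding") == "gzip":
        # gzip is compression, not encryption: anyone on the path can inflate it.
        size = len(gzip.decompress(body))
        findings.append(f"plaintext: gzip body at {final_url} inflates to {size} bytes")
    return findings


if __name__ == "__main__":
    for line in audit("https://mail.google.com/login", SAMPLE_CHAIN):
        print(line)
```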

This is a useful trick for many sites, including meebo.com or box.net.

Updated: replaced https://www.gmail.com with https://mail.google.com to prevent a warning about the domain name in Firefox.

Related:
Create encrypted volumes
Do you trust your computer?
New features in Gmail


10 comments
I'd rather let people see my emails...

Oh wait, I already let Google keep my emails for billions of years and read them in their spare time.

Another approach is to access https://mail.google.com/ in the first place so that you get the login page redirecting you directly through a secure connection.

With Firefox, you type this address once or twice and after some time, it proposes the address to you. (Eg. type 'mail' + down arrow + Enter).

Thanks. I've updated the post.

Weird, Gmail automatically forwards to https:// when logging in. Seems this setting is default.

No, it's not. You have https when you enter the password; after that it redirects to http://mail.google.com/mail.

Why isn't this the default behaviour for Gmail? I don't just go to Gmail off of my bookmarks, I go off of my calendar and Google main page etc. I think every way you enter Gmail should take you to the encrypted version.

If you use the GMail Notifier for Firefox, it uses https:// automatically unless you choose to use "unsecure connections".

I can't leave this alone as it came up near the top of a google search.

This method will not encrypt your messages as they traverse the internet between Google and their final destination. It will only encrypt the traffic between your computer and the Google server.

For real security you must encrypt the message at the source and decrypt it at the final destination.

@Dan:
The post doesn't say anything else. It talks about "encrypting your connection to Gmail".

Will this encrypt from my employer's prying eyes at the office?