July 19, 2006

Encrypt Gmail Traffic

By default, Gmail uses a secure connection (SSL) to check your credentials (username and password), but after that it redirects to a plain HTTP connection.

Gmail gzip-compresses all sent and received data to transfer it faster, but compression is not encryption: anyone monitoring the traffic with a network sniffer can easily unzip it.
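An added example, not part of the original post: a Python check over a constructed two-response capture that flags the HTTPS-to-HTTP redirect after login and shows that a gzip body sent over plain HTTP is readable with no key. The host `mail.example`, the sample responses and the function names are assumptions made for illustration.

```python
import gzip
from urllib.parse import urlsplit

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def audit(exchanges):
    """exchanges: list of (request_url, raw_response). Returns findings."""
    findings = []
    for url, raw in exchanges:
        status, headers, body = parse_response(raw)
        scheme = urlsplit(url).scheme
        loc = headers.get("location")
        # A redirect from an https:// URL to an http:// one drops encryption.
        if (300 <= status < 400 and loc and scheme == "https"
                and urlsplit(loc).scheme == "http"):
            findings.append(("downgrade", url, loc))
        # Anything served over http:// is readable on the wire; gzip is
        # only compression, so decompressing it needs no secret.
        if scheme == "http" and body:
            if headers.get("content-encoding") == "gzip":
                body = gzip.decompress(body)
            findings.append(("cleartext", url, body.decode("utf-8", "replace")))
    return findings

# Constructed sample capture (not real Gmail traffic).
INBOX_BODY = "Subject: quarterly numbers"
LOGIN = (b"HTTP/1.1 302 Found\r\n"
         b"Location: http://mail.example/mail\r\n"
         b"Content-Length: 0\r\n\r\n")
INBOX = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Encoding: gzip\r\n"
         b"Content-Type: text/html\r\n\r\n" + gzip.compress(INBOX_BODY.encode()))
SAMPLE = [("https://mail.example/login", LOGIN),
          ("http://mail.example/mail", INBOX)]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```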

The HTTPS protocol uses more resources on both ends to encrypt and decrypt the traffic, which is why Google didn't make it the default option.

If you want to encrypt your connection to Gmail, there are two simple options: bookmark https://mail.google.com and use it instead of gmail.com, or install a Firefox extension called Customize Google. The extension also switches Google Calendar to an SSL connection.


This is a useful trick for many sites, including meebo.com or box.net.

Updated: replaced https://www.gmail.com with https://mail.google.com to prevent a warning about the domain name in Firefox.


13 comments:

  1. I'd rather let people see my emails...



    Oh wait, I already let Google keep my emails for billions of years and read them in their spare time.

  2. Another approach is to access https://mail.google.com/ in the first place so that you get the login page redirecting you directly through a secure connection.

    With Firefox, you type this address once or twice and after some time, it proposes the address to you. (Eg. type 'mail' + down arrow + Enter).

  3. Weird, Gmail automatically forwards to https:// when logging in. Seems this setting is default.

  4. No, it's not. You have a https when you enter the password, after that it redirects to http://mail.google.com/mail.

  5. Why isn't this the default behaviour for gmail? I don't just go to gmail off of my bookmarks, I go off of my calendar and google main page etc. I think every way you enter gmail should take you to the encrypted version.

  6. If you use the GMail Notifier for firefox, it uses https:// automatically unless you choose to use "unsecure connections".

  7. I can't leave this alone as it came up near the top of a google search.

    This method will not encrypt your messages as they traverse the internet between Google and their final destination. It will only encrypt the traffic between your computer and the Google server.

    For real security you must encrypt the message at the source and decrypt it at the final destination.

  8. @Dan:
    The post doesn't say something else. It talks about "encrypting your connection to Gmail".

  9. Will this encrypt from my employer's prying eyes at the office?

  10. a google on "gmail encryption" brought up this result on the top of the page.....

    While this is certainly necessary, I also request the author to explicitly state that this article does not imply "Encrypting Email" and if possible provide a link to it anywhere if possible.... Thanks....

  11. I want to know if Google bows under governmental pressure like Yahoo did...or will Google keep our emails safe from the prying eyes of communist dictatorships?

  12. While there are a lot of very valid reasons for continuing to use 3rd party encryption software, you do have to applaud Google for making this so incredibly easy. Still, as mentioned, this is not full fledged encryption. While this may be fine for many users, some will need to look elsewhere.

