An unofficial blog that watches Google's attempts to move your operating system online since 2005. Not affiliated with Google.

July 24, 2008

Force Gmail to Always Use Secure Connection

Gmail rolls out a new option that lets you set the https version as default. If you go to the Settings and select "always use https", Gmail will automatically redirect to the secure version. Until now, you had to manually type https://mail.google.com in the address bar, bookmark the address or use a Greasemonkey script.


"If you sign in to Gmail via a non-secure Internet connection, like a public wireless or non-encrypted network, your Google account may be more vulnerable to hijacking. Non-secure networks make it easier for someone to impersonate you and gain full access to your Google account, including any sensitive data it may contain like bank statements or online log-in credentials. We recommend selecting the 'Always use https' option in Gmail any time your network may be non-secure," explains Google.

Read, for example, David Pogue's post about Wi-Fi eavesdropping. "All Jon needed [to read my mail] was a packet sniffing program; such software is free and widely available. (He used a Mac program called Eavesdrop.) It sniffs the airwaves and displays whatever data it finds being transmitted in the public hot spot."

Https is typically used for sites that deal with sensitive data, so you'll see it when you authenticate to sites like Google or Facebook and when you use your mobile banking account, PayPal, Google AdWords and a handful of similar sites. The benefit is that the connection between your browser and the remote servers is encrypted, so someone listening on the network cannot read the sensitive data.

"We use https to protect your password every time you log into Gmail, but we don't use https once you're in your mail unless you ask for it (by visiting https://mail.google.com rather than http://mail.google.com). Why not? Because the downside is that https can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the internet as efficiently as unencrypted data," says the Gmail blog.
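Why an https-only login still leaves the rest of the session readable on open Wi-Fi, shown as an added example that is not from the original post or from Google: the browser keeps you signed in by sending cookies with every request, and any cookie not marked Secure goes out in cleartext on http pages. The cookie names and values and the host mail.example.test are constructed for illustration and are not Gmail's real ones.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers, as a server might send after an HTTPS login.
# Names and values are made up for this example.
LOGIN_RESPONSE_COOKIES = [
    "SESSION=c0nstructed-session-token; Path=/; HttpOnly",
    "AUTH=c0nstructed-auth-token; Path=/; Secure; HttpOnly",
    "PREFS=lang-en; Path=/",
]

def build_jar(set_cookie_headers):
    """Parse Set-Cookie headers into {cookie name: has Secure flag}."""
    jar = {}
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = bool(morsel["secure"])
    return jar

def cleartext_cookies(jar, url):
    """Names of cookies a browser would attach to `url` unencrypted.

    Over https everything travels inside TLS, so nothing is exposed.
    Over http the browser withholds Secure cookies and sends the rest in
    the clear, where anyone on the same open network can read them.
    Simplification: every cookie is assumed to match the host and path.
    """
    if urlsplit(url).scheme == "https":
        return []
    return sorted(name for name, secure in jar.items() if not secure)

def audit(set_cookie_headers, visited_urls):
    """Map each visited URL to the cookies visible to a network observer."""
    jar = build_jar(set_cookie_headers)
    return {url: cleartext_cookies(jar, url) for url in visited_urls}

if __name__ == "__main__":
    report = audit(LOGIN_RESPONSE_COOKIES, [
        "https://mail.example.test/login",  # password always goes over https
        "http://mail.example.test/inbox",   # default: mail read over http
        "https://mail.example.test/inbox",  # with "always use https" enabled
    ])
    for url, leaked in report.items():
        print(f"{url:36} cleartext cookies: {leaked or 'none'}")
```

Forcing https for the whole session, as the new setting does, closes the gap for every cookie; marking session cookies Secure is the server-side counterpart.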

In addition to the worse performance, Google also mentions that the mobile application could show errors if you don't enable 'Always use secure network connections (slower performance)' in the app's settings section. If you use Firefox, don't forget to disable the Greasemonkey scripts that redirect Gmail to the secure version and to deactivate the similar option in Firefox extensions like Better Gmail and CustomizeGoogle.

The good news is that you don't need a similar setting for other Google applications if you use the navigation bar: Google automatically links to the secure versions of Google Calendar, Google Docs, Google Reader and Google Sites. If you don't see the new option in Gmail's settings, you have to wait until Gmail enables it in your account.


25 comments:

  1. Https also circumvents http proxies. This can be important because some proxies are set up by anti-virus software and this can interfere with your connection. This is one of the reasons I always use https to log in to Google Docs; in my experience the https connection is far more stable.

  2. I strongly recommend CustomizeGoogle. It is an addon which gives a great deal of additional functionality, including changing the connection to https for all(?) available Google connections, and not just via the navigation bar.

    Give it a look and see for yourself.

    for Firefox: http://www.customizegoogle.com/
    for Opera: http://www.smir.de/cg/

  3. I used to have Gmail set for https but for some reason it has been reset. I've also looked repeatedly under "settings" and cannot find the option you mention. Perhaps it's because I'm using Firefox for a Mac??? I'll try CustomizeGoogle and see if it works.

  4. Wayne, same for me, but I use Customize Google, it makes https:// the default. There is another Firefox extension, Secure Login; it helps to log in to secure sites. That will be a good one to use also. https://addons.mozilla.org/en-US/firefox/addon/4429

  5. Setting it to always use HTTPS breaks Gmail Notifier...nice

  6. Google Reader isn't using the https connection even though I have disabled Firefox addons and set Gmail to always use https.

    How do I use it properly?

  7. From the post:

    "The good news is that you don't need a similar setting for other Google applications if you use the navigation bar".

    If you go to https://mail.google.com, the navigation bar links to the secure versions of the other Google services.

  8. I've noticed that too. (about the Gmail notifier)

    Is it still being worked on anymore?

  9. What about Gmail with Google Apps? When will it be available?

  10. Anonymous: Gmail as part of Google Apps has always been https-only, at least for my domain.

  11. @ Matt: When I set mine up, I had to specifically request Gmail w/Google Apps to always be https. When asked if I could do this myself in the future they said "No, you would need to request it." Maybe they will add a setting somewhere now.

  12. Here is how you fix your GMail Notifier http://www.wikihow.com/Hack-Gmail-Notifier-to-Use-SSL

    Works fine for me.

  13. Matt Passell: I am 100% sure that Google Apps is not https only for my domain and also for some other people ... If you just type in
    "Google Apps Discussion Group" the words "force https" then you will see that many other people also want this option ...
    Thanks.
    PS: I have Google Apps Standard Edition

  14. Regarding Google Apps:

    - this option wasn't available in Google Apps
    - it will be available as a user setting
    - in Google Apps Premier Edition, admins will be able to override user settings and select the https version.

  15. Well I tested this several times and I don't think it's a coincidence. For whatever reason activating this feature causes login problems in my mobile Gmail on the Blackberry. You normally only have to log in once on the Blackberry and it's always active and refreshing for new mail. But when I turned on the https feature my mobile version won't stay logged in and won't even load most of the time. But sure enough I turn off https on the desktop and my mobile version works fine again. Glitch? Or am I losing it?

  16. Ionut Alex Chitu: Thanks for the info!

    Do you know when it will be available to Google Apps?

  17. Gmail for mobile fails to work after setting this option :(

  18. @netcraze:
    Go to Settings in the mobile app, select "Always use secure network connections (slower performance)" and then restart the application. This has already been mentioned in the post.

  19. To change Gmail settings on a Blackberry, log on to your Gmail mobile app on the BB, use the Menu key, select More, then Settings, check the appropriate box. Just added "use https", which I had also previously done on the desktop side using Firefox. Now the Gmail mobile app on the BB seems to be working fine, but VERY slow. Will monitor performance to see if I want to keep that.

  20. "Premier Edition administrators can now ensure that users access Gmail, Google Talk, Google Calendar, Google Docs and Google Sites with HTTPS, so data is encrypted as it travels between user web browser and our servers.

    Sign in to the control panel, choose 'Domain settings', check the box for 'Enable SSL' and save your changes."

  21. As a network administrator, is there a way to force all users on my network to use https to access Gmail?

  22. Does anyone know if the education/non-profit edition has the ability to force SSL on data just like the Premier Edition?

  23. I can't seem to accept Google Calendar meeting requests through Gmail and have them automatically added to the calendar after activating "always use https".

    Does anyone know how to resolve this?

  24. Thanks for valuable posting, very useful. I guess firewalls in the middle are no longer able to log clear text content and escape from network snooping.
    - srihari konakanchi

  25. Having a secure connection for using Gmail makes me feel happy and I'm very much tension free in terms of security, and there are very few possibilities of any account being hacked, as use of SSL certificates makes my inbox secure.
