Comments on: Open letter to Google

By: John

John — Sun, 05 Jul 2009 21:51:53 +0000

You would think those googlers would have thought about this, since they claim to be at the “blleeding edge” of technology. I’ve noticed a lot of websites that have login features still don’t use HTTPS for logins, resulting in “real” email addresses being harvested by spammers. Yahoo used to offer a secure login option a few years back, though I think they moved it to HTTPS permanently. However, if you use chat clients, they may still go over HTTP. I’m using my real email address for this site and am curious to know if this goes over HTTP or HTTPS too…

By: Bill Dennis

Bill Dennis — Fri, 26 Jun 2009 10:51:02 +0000

It’s not just Google – what about Apple’s MobileMe service – http://www.me.com. It has the same issue, but worse – there is no HTTPS option when using the service! So mail, contacts, calendars etc are all coming down over HTTP. Google are streets ahead of Apple here.

By: ab

ab — Wed, 24 Jun 2009 10:55:21 +0000

Addtional attack vectors should be also considered, in order to correctly grasp the threat level.
Even connections on mobile phones may be at risk, according to what is explained and demonstrated in the post “Gmail Hijacking on mobiles” here:
http://www.mseclab.com/?p=160

By: Clive Robinson

Clive Robinson — Thu, 18 Jun 2009 15:00:53 +0000

Just one minor problem,

What sort of load will using HTTPS for all trafic put on Googles servers?

CPU Cycles are not free even on a free service.

By: Richard Clayton

Richard Clayton — Wed, 17 Jun 2009 11:22:57 +0000

Google (in the person of Alma Whitten) has responded to the open letter — in a fairly positive way.

http://googleonlinesecurity.blogspot.com/2009/06/https-security-for-web-applications.html

By: anonymous coward

anonymous coward — Wed, 17 Jun 2009 01:46:33 +0000

It warms my heart that people are working to make things better out there, thank you.

Just another anonymous coward showing there text support for your work.

By: Charles Jennings

Charles Jennings — Tue, 16 Jun 2009 21:32:31 +0000

I question putting the whole blame on Google. I am in no sense defending Google, but wish to educate the – ultimately responsible – end user. With the relatively recent PoC showing how SSL sessions can be hijacked (http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1348473,00.html), it really is up to the end user to know 100% what he/she is doing / looking at. If I wanted to, I could set up a wireless AP on my laptop and act as a wireless relay to a real AP – all the while capturing the “apparent” encrypted traffic as clear-text. – In other words – stay away from public wifi networks. Me – I build ssh tunnel back to my home network and use it as a SOCK5 proxy – that way I have total control over my sessions and their security.

By: RichB

RichB — Tue, 16 Jun 2009 16:41:19 +0000

GMail has an option to enable HTTPS in it’s settings.

However, when you use iGoogle (google.com/ig) and add the GMail gadget, you have to turn off the GMail HTTPS setting for the gadget to work. This is true even if you access iGoogle over HTTPS – it requires the GMail gadget to be accessed over HTTP!