Google Making Gmail More Secure

Gmail users, rejoice!

No, Google's free email service hasn't left beta, a status it has had since it was introduced over five years ago.

Google has begun testing a more secure version of Gmail (Google Mail in the UK and Germany) that uses secure, encrypted HTTP. Although Gmail uses HTTPS when a user logs in, it uses insecure, unencrypted HTTP for everything else. That means WiFi users are susceptible to having their email read by hackers.

The HTTPS protocol encrypts data sent between the user's computer and the server, which means that the WiFi data a hacker sees will be garbled even if your WiFi connection itself isn't encrypted.

Nothing New

Google already offers HTTPS to Gmail users, but it's turned off by default. To enable it, log into Gmail using your favorite browser, click on the Settings link, and scroll to the bottom of the page. I did that with my oldest Gmail account this morning, even though I connect via ethernet instead of WiFi.

Tell Gmail to always use HTTPS.

What is new is that Google will be testing the secure connection for a sampling of users who haven't selected it. Google will be performance testing HTTPS to see if service remains fast enough or degrades under the additional overhead imposed by encrypting the data and verifying a secure connection.

Depending on the results, Google could move more users to HTTPS transparently over time, eventually making it Gmail's default behavior.

Until then, if you ever access Gmail via unencrypted WiFi, I suggest you make sure your account is set to always use HTTPS.

Less Secure

Jeremiah Grossman, chief technology officer at White Hat Security, says that Google is already way ahead of Yahoo and Microsoft, which don't offer HTTPS to their free email users.

Interestingly, Google Docs, Google's free cloud-based word processing and spreadsheet service, and Google Calendar use an unsecured HTTP connection by default and don't offer users the option of always using HTTPS. However, users concerned for security can access these services securely by typing https:// rather than http:// when connecting to Google's servers.

Some Glitches

Using secure Gmail isn't without some drawbacks. In addition to more system overhead due to encryption and decryption, some services are currently incompatible with Gmail via HTTPS:

• If you use iGoogle, a personalized Google page, the Gmail gadget won't work.
• If you use Gmail Notifier with Windows, you need to update the program to work with HTTPS.
• If you use Gmail Mobile versions prior to 1.5, you may experience errors. With version 1.5 or later, you'll need to enable the "Always use secure network connections (slower performance)" option.
• If you use Google Toolbar in your browser (Internet Explorer and Firefox only), you may experience 404 errors. The only solution at present is to not use HTTPS.

My advice is that if you're using Gmail over an unencrypted WiFi connection, you enable HTTPS to protect yourself. Without that protection, it's possible that a hacker could gain full access to your Gmail account.

My Love/Hate Relationship with Gmail

I cut my online teeth a long, long time ago using America On-Line with an SE/30 at work (ComputerLand of Grand Rapids) and a Mac Plus at home. Once I got a "real" Internet account (circa 1996/97), I started using Yahoo Mail - and I still use it for my personal email. I really like the way Yahoo Mail works, although the service has its drawbacks: It can be slow on older hardware, there's no free POP3 access, there's not HTTPS option, and it does a lousy job filtering spam - you get both false positives and false negatives. Still, I'm comfortable with it. I will, however, be more careful when using it via WiFi.

I've been a Gmail user since the first year it was available, and I love its speed, storage space, excellent spam filtering (in my experience, over 99.9% of what goes into the Spam folder is spam, and less than 1% of the mail in the inbox is spam). Gmail has powerful search capabilities, which you'd expect from Google, and it offers free POP3 and IMAP access, so you can use it with your favorite email client.

For all that, Gmail has one feature I don't like and wish I could disable - even temporarily. Gmail only displays messages in threaded or "conversation" mode that collapses emails you've already read. That's just fine most of the time, but it can get horribly messy when several people are responding to a posting on Google Groups, for instance. Although it is possible to delete individual messages from a thread, you don't do it using the Delete button. Instead, you have to expand the message (if it's been read and collapsed), click on the triangle next to the Reply button, and choose Delete this message. Not intuitive or user friendly.

One solution is to use Gmail with a real email client, such as the Mail app that comes with Mac OS X (which, by the way, can access multiple Gmail accounts at once using POP3 or Gmail). That eliminates the headaches of threaded mode, but it would be nicer if Gmail had the option of sorting messages (not just conversations) by date. And that's really the only thing I hate about Gmail.

If you're not a Gmail user, consider it. It's fast. It's free. It's huge (7.8 GB of storage space at present). It's easy to learn. It does a great job filtering spam. There's a Basic HTML view for older hardware. And, as if all of that wasn't enough, you can use it with your favorite email client.

And now you know how to make sure it's secure no matter how you connect to the Internet.