Google: Calm down, scientists, we’re totally making Gmail more secure

June 16, 2009 | Anthony Ha | Comments | |

mailboxMost of my life revolves around Google services — I check my email in Gmail, I write articles in Google Docs, and I schedule appointments in Google Calendar. Of course, sending sensitive information back-and-forth from my computer to Google’s servers has its risks. In fact, a group of experts recently wrote a letter (click here to download the PDF) to the search giant saying it isn’t doing enough to keep its applications secure. Now Google has responded in a blog post about plans to tackle these concerns.

The list of people who signed the letter is quite long, and includes experts from both the corporate and academic spheres. The main complaint focuses on how Google implements “HTTPS,” a protocol for establishing a secure connection. Google offers HTTPS as an option for its major web applications (Gmail, Docs, Calendar), and you can also customize Gmail to log into HTTPS automatically. Still, the default setting is to turn the protocol off, and I’d imagine that many users haven’t heard of it. (I’m ashamed to admit I wasn’t using it regularly until I read this blog post last year exhorting me to do so.)

“Few users know the risks they face when logging into Google’s web applications from an unsecured network, and Google’s existing efforts are little help,” the original letter reads.

Of course, the procedure on many web applications is to use HTTPS on the log in page, but once you’re in to run on standard HTTP. So why just pick on Google? Christopher Soghoian, a student fellow at the Berkman Center for Internet and Society at Harvard, told The New York Times that it’s because of the search giant’s prominence, and because it would be easier for Google to expand its already-existing HTTPS support than for a company like Yahoo or Microsoft to add the feature from scratch.

Google, meanwhile, responds that it will start testing HTTPS more broadly, to see if the cost to speed is too high. “Unless there are negative effects on the user experience or it’s otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users,” the company says. That wording definitely leaves the company room to back out, but hey, there’s a chance that all Gmail users may soon benefit from HTTPS, even if they have no idea what it is.

[photo:flickr/fotographix.ca]

Next Story: Investor virtually sneaks into Second Life’s equity pool
Previous Story: AdWhirl raises $1M for ad platform

Bookmark and Share

Tags:

Photo of Anthony Ha

About the Author, Anthony Ha

Anthony is VentureBeat's assistant editor, as well as its reporter on enterprise technology, cloud computing, and tech policy. Before joining VentureBeat in 2008, Anthony worked at the Hollister Free Lance, where he won awards from the California Newspaper Publishers Association for breaking news coverage and writing. He attended Stanford University and now lives in San Francisco. Reach him at anthony@venturebeat.com. You can also follow Anthony on Twitter.

  • HTTPS would do little to stop most of the scammers and thieves on the 'net. They mostly use phishing and social engineering techniques.Ever heard of someone being scammed because they didn't use HTTPS?