Thirty-eight signatories, including security experts, lawyers and privacy advocates, have sent Google an open letter asking it to explain why it is not making its Gmail service more secure and is needlessly putting Gmail users at risk.
Google apparently does not use the secure version of the HTTP protocol to protect its users' privacy, leaving them vulnerable to threats from cybercriminals.
- When someone signs in to Gmail, their login and password are encrypted.
- Then this data goes back and forth using the secure version of HTTP known as HTTPS.
- This secure version is turned off once the sign-in process is complete.
- Because of this, the risk from cybercriminals increases, as they could easily use the unencrypted data passing back and forth to steal ID files called “session cookies”, which are generated when these applications start being used.
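The sequence above can be checked from the defender's side. The following is an added example, not code from the open letter or from Google: it takes the `Set-Cookie` headers returned by an HTTPS sign-in and the URLs requested afterwards, and reports which cookies would cross the network unencrypted. The host name, cookie names and values are constructed, and path and domain matching are left out for brevity.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers from an HTTPS sign-in response,
# followed by the URLs the browser requests once signed in.
LOGIN_SET_COOKIE = [
    "SESSION=3f9c0a7e; Path=/; HttpOnly",   # no Secure attribute
    "PREFS=lang-en; Path=/; Secure",
]
POST_LOGIN_REQUESTS = [
    "https://mail.example.test/login",
    "http://mail.example.test/inbox",
    "http://mail.example.test/compose",
]


def parse_cookies(set_cookie_headers):
    """Return {cookie_name: has_secure_attribute} for each header."""
    result = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            result[name] = bool(morsel["secure"])
    return result


def cleartext_exposures(set_cookie_headers, request_urls):
    """List (url, cookie_name) pairs where a cookie travels over plain HTTP."""
    cookies = parse_cookies(set_cookie_headers)
    exposures = []
    for url in request_urls:
        if urlsplit(url).scheme != "http":
            continue  # HTTPS requests are encrypted in transit
        for name, secure in cookies.items():
            if not secure:  # browsers withhold Secure cookies from HTTP
                exposures.append((url, name))
    return exposures


if __name__ == "__main__":
    for url, name in cleartext_exposures(LOGIN_SET_COOKIE, POST_LOGIN_REQUESTS):
        print(f"cookie {name!r} sent unencrypted to {url}")
```

A cookie marked `Secure` is only protected if the pages after sign-in are also served over HTTPS; otherwise the browser withholds it and the session breaks, which is why the attribute and HTTPS by default go together.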
Criminals could use the cookies to:
- Hijack the account
- Pose as the user himself
- Change the password
- Send false emails
- Abuse the owner’s identity
Says Ben Edelman, a signatory of the letter and assistant professor at Harvard Business School:
“As more of us end up using insecure internet access – such as wi-fi in coffee shops, libraries, and so forth – there’s a real risk of session hijacking.”
Enabling HTTPS as a default option:
- It is possible to use HTTPS at all times when signed on to Gmail, Docs, or Calendar.
- However, the option is hard to find and few people would know how to use it.
- Most people stick to the default options available and end up leaving themselves at risk.
Hence, it is necessary that Google turn on HTTPS by default.
- Google boss Eric Schmidt has responded to this by saying that Google is considering trials of the secure system with a select group of users.
- Google says it wanted to be sure that the user-experience of Gmail would not change by turning this feature on.
- Google fears that by enabling the encryption, the response time would slow down.
Every email service should do more to protect its users online from potential risks. Let’s wait and watch what Google does to ensure more protection for its users.
Share your comments on what you think about this.