Unsafe Gmail email service putting users at risk

Thirty-eight signatories, including security experts, lawyers and privacy advocates, have asked Google in an open letter to explain why it is not making its Gmail service more secure and is needlessly putting Gmail users at risk. Google apparently is not using the secure version of the HTTP protocol to protect the privacy of its users, leaving them vulnerable to threats from cybercriminals.


The Problem

  • When someone signs in to Gmail, their login and password are encrypted.
  • During sign-in, this data goes back and forth using the secure version of HTTP, known as HTTPS.
  • The secure version is turned off once the sign-in process is complete.
  • Because of this, the risk from cybercriminals increases: they could easily use the unencrypted data passing back and forth to steal the ID files called “session cookies”, which are generated when these applications start being used.
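The exposure described in the list above, as an added example (not code from the original article or from Google): a small Python audit that models which cookies a browser attaches to plain `http://` requests after an HTTPS login, with and without the cookie `Secure` attribute. The host `mail.example.test`, the cookie names and the header values are constructed, and Path and expiry handling are left out.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie header value into the fields this audit needs."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name, "value": value, "domain": origin_host,
              "host_only": True, "secure": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain" and val.strip():
            cookie["domain"] = val.strip().lstrip(".").lower()
            cookie["host_only"] = False
    return cookie

def browser_would_send(cookie, url):
    """Mirror the browser rule: a cookie without Secure goes out on http:// too."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie["host_only"]:
        host_ok = host == cookie["domain"]
    else:
        host_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    return host_ok and (parts.scheme == "https" or not cookie["secure"])

def cleartext_cookies(login_url, set_cookie_headers, later_urls):
    """Return {url: [cookie names]} for cookies sent unencrypted after login."""
    origin = urlsplit(login_url).hostname.lower()
    jar = [parse_set_cookie(h, origin) for h in set_cookie_headers]
    exposed = {}
    for url in later_urls:
        if urlsplit(url).scheme != "http":
            continue  # HTTPS requests are encrypted in transit
        names = [c["name"] for c in jar if browser_would_send(c, url)]
        if names:
            exposed[url] = names
    return exposed

# Constructed sample: hypothetical host and cookie names, not Gmail's real ones.
LOGIN_URL = "https://mail.example.test/login"
WEAK = ["SESSION=abc123; Path=/", "PREFS=en; Path=/"]
HARDENED = ["SESSION=abc123; Path=/; Secure; HttpOnly", "PREFS=en; Path=/"]
AFTER_LOGIN = ["http://mail.example.test/inbox", "https://mail.example.test/inbox"]

if __name__ == "__main__":
    print("weak:    ", cleartext_cookies(LOGIN_URL, WEAK, AFTER_LOGIN))
    print("hardened:", cleartext_cookies(LOGIN_URL, HARDENED, AFTER_LOGIN))
```

With the weak headers the session cookie appears in the cleartext report for the `http://` inbox request; with `Secure` set, only the non-sensitive preference cookie does.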

Possible Threats

Criminals could use the cookies to

  • Hijack the account
  • Pose as the user himself
  • Change the password
  • Send false emails
  • Abuse owner’s identity

Says Ben Edelman, a signatory of the letter and assistant professor at Harvard Business School:

“As more of us end up using insecure internet access – such as wi-fi in coffee shops, libraries, and so forth – there’s a real risk of session hijacking,”

The Solution

Enabling HTTPS as a default option:

  • It is possible to use HTTPS at all times when signed in to Gmail, Docs, or Calendar.
  • However, the option is hard to find and few people would know how to use it.
  • Most people prefer to stick to the default options that are available and end up leaving themselves at risk.

Hence, it is necessary that Google turns on HTTPS by default.

Google’s Response

  • Google boss Eric Schmidt has responded to this by saying that Google is considering trials of the secure system with a select group of users.
  • Google says it wanted to be sure that the user-experience of Gmail would not change by turning this feature on.
  • Google fears that by enabling the encryption, the response time would slow down.

Every email service should do more to protect its users online from potential risks. Let’s wait and watch what Google does to ensure more protection for its users.

Share your comments on what you think about this.

(Source: BBC)

6 Comments

Gautam June 21, 2009

Login to Gmail > Go to Settings > General Settings > Browser connection > Always use https

Problem solved.

Gmail is offering a solution 😐

Swati June 21, 2009

Yeah, that’s right, but as mentioned, most people around the world prefer to stick to default options, or else don’t know about this option at all. Hence, for the benefit of all, the plea has been made to ask Google to have HTTPS switched on by default.

Gaurish Sharma June 22, 2009

Gmail is not an idiot-friendly app :p

Gaurav Agrawal June 22, 2009

It has an HTTPS option;
I have been using it for 4 months.

Procedure:
1) Sign in to Gmail.
2) Click Settings at the top of any Gmail page.
3) Set ‘Browser Connection’ to ‘Always use https.’
4) Click Save Changes.
5) Reload Gmail.

Learn More:-
http://mail.google.com/support/bin/answer.py?hl=en&ctx=mail&answer=74765

aby June 22, 2009

Still, it would have been better if it was set as default rather than as an offered solution.

Swati July 1, 2009

I agree with Aby