Why You Should Encrypt *All* of Your Google Activities [POC]

By Daniel Miessler on August 9th, 2007: Tagged as Encryption | Google | Privacy | Security

google

Everyone loves Google. They want to be everything to everyone, and they’re getting pretty damn good at it. Once you start using their services it gets easier and easier to migrate more of your life to them. But there’s a slight problem.

Google, like most other similar services, encrypts login traffic but not your content. So the moment you’re signed in they switch to plain-text communications and send everything to you in the open.

This means your mail, the news sources you read, your calendar events — are all able to be read by someone with access to any part of the network between you and Google. This could be your employer at work, the wireless network at your local coffee shop, whatever. This isn’t good.

Here’s an email I just sent myself over the default (unencrypted) connection:

googleemail
And here’s what I captured via tcpdump.

googlesubject
thisisasecret
That’s the whole email there for anyone to see. Luckily it’s easy to fix…
  1. Use Bookmarks for Your Google Services Create bookmarks (or modify them if you already have them) for Gmail, Google Calendar, Google Reader, and iGoogle (your Google homepage) using https instead of http, like so: https://mail.google.com/mail/. Do this for every service that you use at Google.
  2. Don’t Click on Links Within Google to Take You to Your Services If you use their links Google will often take you to the unencrypted version because it’s easier on their servers. Use your links instead to ensure that your sessions are encrypted
The more we depend on Google (or any other monolithic service) the more we need to safeguard the information they have of ours. One way we can help is by demanding (via secure bookmarks and other methods) that they send us our mail, news feeds, calendars, and other information over a secure connection.:

[ Note: This is not a Google-specific problem. Most other services work in exactly the same way. The difference is that Google is so prolific and is becoming very successfully at getting people to use not only their email service but also their calendaring, news reader, instant messaging, their search (with history), etc. It's the all-in-one dynamic that makes it especially important to protect Google traffic. ]





--



87 Comments »

  1. Kenny the IT guy knows my secrets…

    Comment by Uh-oh — 8/9/2007 @ 12:10 pm

  2. When I log in to https://mail.google.com/mail, the links at the top to other Google services are https links. So Step 2 might not be necessary.

    Comment by Tim — 8/9/2007 @ 12:42 pm

  3. Okay, the Calendar and Docs links are https, the others are http. Maybe they’re working oni t.

    Comment by Tim — 8/9/2007 @ 12:43 pm

  4. You should take a look at Customize Google Firefox Add-On. It allows you to force the use of https for all google services.

    Comment by me — 8/9/2007 @ 12:43 pm

  5. Also handy for google privacy is g-zapper http://www.dummysoftware.com/gzapper.html

    Comment by barry — 8/9/2007 @ 12:48 pm

  6. don’t forget the GmailSecure userscript for GreaseMonkey that forces https connections on mail.

    Comment by Allah — 8/9/2007 @ 12:49 pm

  7. Please, if you are using Firefox, install the Greasemonkey extension and then use the script below. Everytime you access the http://mail.google.com/* url, you’ll automagically get redirected to the https:// version.

    http://userscripts.org/scripts/show/1404

    Comment by Kint — 8/9/2007 @ 12:56 pm

  8. “Everyone loves Google.”

    No, I don’t. Anyone who’s ever been in any sort of serious litigation will tell you that Google’s potentially a terrible trap. Who needs their past coming back to haunt them in that way?

    Comment by Scott — 8/9/2007 @ 1:07 pm

  9. In the case of gmail, if you go to https://gmail.com instead of http://gmail.com, it does encrypt everything.

    Comment by rabidsnail — 8/9/2007 @ 1:33 pm

  10. It’s also useful to use Firefox extensions “CustomizeGoogle,” “Better gCal,” “Better gReader,” and “Better GMail,” all of which you can use to force secure connections, even when clicking within google. It’s what I do. Also, with the NoScript extension, forbid scripts from googleadservices.com, adwords.google.com, google-analytics.com and googlesyndication.com.

    Comment by Aerik — 8/9/2007 @ 2:21 pm

  11. All online services are potentially a trap. From simple e-mail to new online applications, only a fool would believe that he has an expectation of privacy. Privacy disclaimers mean nothing when a law can be changed to gain access to any data, encrypted or not.

    Using anything online is like shouting “Fire” at a friend while you’re both alone in a bathroom in a theater. Even if you don’t expect anyone else to hear, it is possible someone will. Same thing with emaiail or online apps…someone may just be listening.

    Never do anything online anywhere, encrypted or not unless you are damn sure it won’t come back to haunt you…

    Comment by The Dog — 8/9/2007 @ 2:42 pm

  12. I used to use this to snoop on instant messenger traffic at work. You’d be surprised who is sleeping with who in the office, and regularly cheating on their wife during lunch breaks.

    Comment by Captain Anonymous — 8/9/2007 @ 3:08 pm

  13. whats the point when congress nonchalantly gives away our rights to bush and alberto gonzalASS? and the telecoms like at&t happily hand info over to the feds? and nothing is done, and no one is punished.

    Comment by ron — 8/9/2007 @ 3:12 pm

  14. To be fair, that “highly-sensitive” email will travel over the rest of the net in plaintext - so what if it makes the final jump in plaintext too? If it was that private, you’d encrypt it with PGP/GPG so that it’s encrypted all the way from sender to recipient.

    Any sensitive data shouldn’t be published online. If you’re going to carry out some highly secret or illegal activity, you don’t put a note in your Google Calendar about it.

    Comment by David Precious — 8/9/2007 @ 3:31 pm

  15. You might want to check out Google Secure Pro.

    http://userscripts.org/scripts/show/5951

    Comment by Kara Sherman — 8/9/2007 @ 3:44 pm

  16. Were you logged in via ssl?

    If not, how is this different than any other email client not using ssl?

    Comment by Matt — 8/9/2007 @ 4:21 pm

  17. Just use this. Encryption done client side so no private data is transferred. http://www.xice.net/sdksamples/webdesktop.html

    Comment by Nick — 8/9/2007 @ 4:52 pm

  18. Whenever I use encrypted for gmail I always got this

    Your browser’s cache is full and may interfere with your experience. “Fix This”

    However, I have cleared the cache and cookies and it still says this.

    Also, when I use encrypted gmail, it will not show the graphics within an html email.

    Comment by Jeff — 8/9/2007 @ 6:13 pm

  19. “like any other legitimate service provider”

    It’s not just Google.

    Comment by josh — 8/9/2007 @ 8:44 pm

  20. Since AJAX is used, the information might still be sent unencrypted even if the webpage was delivered via https. Do the XML requests get sent thru SSL as well if Gmail is accessed via https?

    Comment by kwl — 8/9/2007 @ 9:43 pm

  21. [...] Here is why. [...]

    Pingback by   Encrypt All Your Google Activity by johnta.com — 8/9/2007 @ 10:13 pm

  22. Use greasemonkey scripts!

    Comment by Roy — 8/10/2007 @ 12:33 am

  23. > Using anything online is like shouting “Fire” at a friend while you’re both alone in a bathroom in a theater.

    is this an american thing?

    Comment by lofi — 8/10/2007 @ 1:23 am

  24. >>is this an american thing?

    This American doesn’t know what it means. Maybe he is mixing his metaphors. Sounds like a completely non sequtuir to me.

    Comment by jackson — 8/10/2007 @ 2:07 am

  25. If you’re on a private computer (your own) there really isn’t anything to worry about, except for the ISP.

    Comment by Live TV — 8/10/2007 @ 2:16 am

  26. I don’t know why there’s even an article on this. Anything that’s not encrypted when communicating over the internet is at risk of being intercepted. We all know that. It just takes using a name like Google, or Microsoft, or Yahoo to attach to the article for increased attention. If you want to stay secure, use a VPN, an SSH tunnel, SSL, or any combination thereof for all your communications. Or just stay off of networks that are beyond your control.

    Comment by Rijnzael — 8/10/2007 @ 2:45 am

  27. Or, just use MailSaurus…it’s a free, open source, fully encrypted Ajax-based webmail system. Not only is your entire session encrypted, but all of your email messages are stored encrypted on the server using a unique key for each user. That means even if the server is compromised (or subpoenaed) your messages cannot be read!

    http://www.mailsaurus.com

    Comment by Jim Ryan — 8/10/2007 @ 2:46 am

  28. don’t use google.

    Comment by ben — 8/10/2007 @ 2:46 am

  29. Thanks for the tip, I never stopped to think about whether or not Google supported https. And I have to agree with Rijnzael.

    Comment by TimothyP — 8/10/2007 @ 3:00 am

  30. This applies to every website out there not using https. Even this website. All the data I type in here will also be sent unencrypted. ;)

    Comment by Laurent — 8/10/2007 @ 3:05 am

  31. Hi Guys,

    Just download a plugin for Firefox (you should all be using FF by now!) called Customize Google (http://www.customizegoogle.com/).

    This has an option in to secure all google connections, plus a host of other great features (removing ads etc)

    em22

    Comment by em22 — 8/10/2007 @ 4:02 am

  32. Hi Guys,

    Just download a plugin for Firefox (you should all be using FF by now!) called Customize Google (http://www.customizegoogle.com/).

    This has an option in to secure all google connections, plus a host of other great features (removing ads etc)

    oh, i love people who just blurt out stupid things like “dont use google” - i bet they’re a yohoo’er…

    em22

    Comment by em22 — 8/10/2007 @ 4:03 am

  33. [...] For some more technical information on this, check out dmiessler’s post on the subject. [...]

    Pingback by systemBash » Secure Your Google Apps (Gmail, GDocs, GCal, etc) — 8/10/2007 @ 6:12 am

  34. [...] Källa: DMIESSLER.com [...]

    Pingback by Kryptera din användning av Google at Bloggliv — 8/10/2007 @ 6:12 am

  35. Google just loves to spy doesn’t it……say a big bye bye to big brother tactics

    Use encryption for email, PGP is pretty good http://www.pgpi.org/ and there are several others available.

    Comment by Colin — 8/10/2007 @ 6:22 am

  36. [...] Why you should encrypt All of your Google activities. [...]

    Pingback by the new shelton wet/dry — 8/10/2007 @ 6:26 am

  37. cool, now only Google can read all your mail and searches ?

    Comment by Peter — 8/10/2007 @ 6:43 am

  38. [...] any other legitimate service provider, encrypts login traffic, but not your content…”read more | digg [...]

    Pingback by Joe Szilagyi - writer, information technology person, Seattle person » Uncool: Why You Should Encrypt All of Your Google Activities — 8/10/2007 @ 8:31 am

  39. Good trick to explain the problem! With GMAIL we have a possible solution using HTTPS, but what shall we do with other mail providers? That secure protocol isn’t always available…

    Comment by Maurizio Colleluori — 8/10/2007 @ 8:44 am

  40. [...] Posted by Hypnotick at August 10th, 2007 I just read this article and show how insecure google really is.  It is amazing how insecure they are for instance, when you are actually reading your email the message is displayed in plaintext!  This means that anyone can view your mail over a network this could be especially dangerous at a cafe or other location that offers wifi.  The site offers a solution to the problem.  This is not the first issue to arise from google.  One of the major problems with google is privacy and how they store all kinds of cookies and do a history on searches.  I have found some nice software for the privacy threat which, blocks cookies from google and also will delete all the current cookies google has; When I first used the software I was surprised with the amount of information google had on me.  The program is G-Zipper and you can get it here. [...]

    Pingback by Protecting yourself from google. « Hypnotick — 8/10/2007 @ 8:44 am

  41. >> Using anything online is like shouting “Fire” at a friend while you’re both alone in a bathroom in a theater.

    >is this an american thing?

    Yes. It is an American thing. It’s a funny turn of phrase if you know the background. There was a major freedom of speech case that was decided by the U.S. Supreme Court years ago in which a very learned justice said that freedom of speech doesn’t mean you can yell “fire” in a crowded theater.

    So, I assume lofi means: using encryption for communication about illegal things on line (”shouting ‘Fire’”) is still illegal, but one step removed from public speech (”in the bathroom in a theater.”)

    Comment by Jonas — 8/10/2007 @ 8:44 am

  42. [...] Link [...]

    Pingback by the jackol’s den » Why You Should Encrypt *All* of Your Google Activities - Mikhail Esteves — 8/10/2007 @ 9:02 am

  43. how can i download this tool tcdump? what is its system requirements? please reply thanks…

    Comment by fcukbeat — 8/10/2007 @ 9:08 am

  44. In Windows XP I keep a shortcut in my quick launch folder, for easy clickin’. I use this because the gmail notifier launches in unsecured http:// mode and there’s no way I’ve found to change it.

    Target: “C:\Program Files\Mozilla Firefox\firefox.exe” “https://mail.google.com”

    Start in: “C:\program files\mozilla firefox”

    Icon: http://mail.google.com/favicon.ico

    Comment by Jim — 8/10/2007 @ 9:18 am

  45. [...] a good little article on Digg today about Google and how you should always encrypt your sessions with Google so people [...]

    Pingback by Encrypt Your Google Activities | Blue Lotus Project Security Blog — 8/10/2007 @ 9:18 am

  46. [...] post at dmiessler.com about encrypting your Google traffic.  I am not sure about you, but I use Google [...]

    Pingback by Cohenville » Blog Archive » Encrypt your Google traffic — 8/10/2007 @ 9:20 am

  47. It isn’t fair that you make it sound like google doesn’t willingly permit this use of their services. You assume they revert to non-https because it is easier on their servers. I think your off there, and your off on making it sound like this a hack, rather than a published alternate method.

    Comment by Evan Carroll — 8/10/2007 @ 9:21 am

  48. I thank you for alerting me to this.

    Comment by 10668844 — 8/10/2007 @ 10:04 am

  49. Good advice, as far as it goes. Encrypting our data on its way to Google then decrypting it at Google mostly ensures that they get it safely, but at what point do people start getting concerned that Google has all their data? At what point do we worry that they monitor, mine, and market our data and online behavior? The same people freaking out about the government or Microsoft collecting some of our data are usually the ones who happily give it all to Google.

    If Google cares about our privacy or security, they’ll provide a way for us to encrypt our data when it leaves our system, to be decrypted only when we get it back on our system.

    But, yes, if you really care about your privacy, encrypt your email yourself before using any email system. And do not use Google Docs or any online service for anything sensitive. Onerous task when G and Y! and MS and others make it so easy to hand everything over to them. Hard drives are cheap.

    Comment by bill weaver — 8/10/2007 @ 10:24 am

  50. [...] Fonte: Why You Should Encrypt All of Your Google Activities [POC] [...]

    Pingback by Alenônimo.com.br » Blognônimo » Arquivo » Aumente a segurança dos serviços do Google — 8/10/2007 @ 10:45 am

  51. Awesome! Now we need to figure out how to safeguard Google from our data!

    Comment by X — 8/10/2007 @ 10:45 am

  52. Also, if you want to keep your search history with Google anonymous, make sure you’re not logged in to your Google account (gmail, gcal, etc.) AND use either the BlackBox or Scroogle search redirectors, which anonymize your Google searches by making them from a different IP address than yours.

    Comment by Angus S-F — 8/10/2007 @ 10:52 am

  53. If someone is ON your network and wants your data, you’re going to need a lot more than https. There are tools that will let you view that traffic just as easily as everything else. Fortunately, most people are not that important. No one really cares about your e-mails or IMs as much as you think they do.

    Comment by PENIX — 8/10/2007 @ 10:53 am

  54. [...] 11, 2007 at 12:03 am · Filed under Links Why You Should Encrypt All of Your Google Activities [POC] Google, like any other legitimate service provider, encrypts login traffic, but not your content. [...]

    Pingback by Geekapundit — 8/10/2007 @ 11:03 am

  55. [...] Encrypt Gmail Blog Entry [...]

    Pingback by Encrypt Your gmail !! « Marty Wolfe — 8/10/2007 @ 11:57 am

  56. A very handy article, thanks!

    Comment by Phil Dufault — 8/10/2007 @ 1:08 pm

  57. [...] Full article and source: Dmiessler.com [...]

    Pingback by » And I thought it was just me… > Vincent Arnold — 8/10/2007 @ 4:28 pm

  58. What about fetching gmail content via POP? I believe it is unencrypted too…

    Comment by Anonny Mouse — 8/10/2007 @ 6:46 pm

  59. I use https for gmail, calendar, and picasa, but there’s no way to do it for notebook! grrrrr…

    Comment by Woody — 8/10/2007 @ 7:21 pm

  60. No the POP access is crypted. It uses POP over a secure SSL connection, as https do. You can see it on the help center of Gmail.

    Comment by Matt — 8/10/2007 @ 7:30 pm

  61. [...] Why You Should Encrypt All of Your Google Activities [POC] | dmiessler.com (tags: Google Security Email Gmail Encryption) [...]

    Pingback by links for 2007-08-11 at DeStructUred Blog — 8/10/2007 @ 9:18 pm

  62. [...] Why You Should Encrypt All of Your Google Activities Everyone loves Google. They want to be everything to everyone, and they’re getting pretty damn good at it. Once you start using their services it gets easier and easier to migrate more of your life to them. But there’s a slight problem. Google, like a (tags: digg Security Technology) [...]

    Pingback by Almost, Not Yet - links for 2007-08-11 — 8/11/2007 @ 12:22 am

  63. I don’t think gmail does encrypt your activities if you use a standalone client requiring SSL.

    Comment by Loren — 8/11/2007 @ 1:55 am

  64. [...] os serviços que o Google oferece não são tão seguros quanto poderiam ser. Como reportou o blog dmiessler.com, o GMail (que foi utilizado como exemplo no texto) não criptografa todo o conteúdo transferido [...]

    Pingback by Security Hub » Blog Archive » Sempre use o GMail através do protocolo HTTPS — 8/11/2007 @ 5:31 am

  65. Oh, this certainly scares me. I had better consider on other alternatives if such privacy issue is going to be persist.

    Comment by Keith — 8/11/2007 @ 5:36 am

  66. [...] read more | digg story [...]

    Pingback by Why You Should Encrypt *All* of Your Google Activities « J.O.S.E. — 8/11/2007 @ 9:31 am

  67. [...] read more | digg story [...]

    Pingback by Universe_JDJ’s Blog » Why You Should Encrypt *All* of Your Google Activities — 8/11/2007 @ 9:54 am

  68. [...] Google - a gentle reminder Filed under: Technology — 0ddn1x @ 2007-08-11 20:09:07 +0000 http://dmiessler.com/blogarchive/why-you-should-encrypt-all-of-your-google-activities-poc [...]

    Pingback by Google - a gentle reminder « 0ddn1x: tricks with *nix — 8/11/2007 @ 3:09 pm

  69. [...] Miessler posted an interesting article regarding the encryption of Gmail and other Google services communication. First the article shows [...]

    Pingback by Tips to encrypt Gmail and other Google services communication at DeStructUred Blog — 8/11/2007 @ 4:21 pm

  70. http://googlonymous.com/

    Google Anonymously..

    Comment by Fred Durst — 8/12/2007 @ 2:11 am

  71. [...] Why You Should Encrypt All of Your Google Activities [POC] In short, be sure to use https instead of http when you use Google services. [...]

    Pingback by Security and hacks around the net. « info-ninja — 8/12/2007 @ 5:47 am

  72. Thank the heavens Firefox has a way to avoid this.

    Comment by Doug Woodall — 8/12/2007 @ 12:12 pm

  73. [...] draadloze netwerk dat je gebruikt monitoren, en is niet goed, waarschuwt Daniel Miessler. Miessler laat hier zien hoe hij via tcpdump het verkeer kan onderscheppen en lezen. Als oplossing raadt Miessler aan om [...]

    Pingback by Waarom je al je Google activiteiten moet versleutelen | BLOGT punt NL - www.blogt.nl — 8/12/2007 @ 8:44 pm

  74. Thanks for this powerful tips!

    Comment by fropert — 8/13/2007 @ 5:09 am

  75. [...] be wary on using https instead of http when accessing your personal data on public web services.read more | digg story Bookmark [...]

    Pingback by Why You Should Encrypt *All* of Your Google Activities | Anti-Spyware and PC Security News — 8/13/2007 @ 5:30 am

  76. I agree totally with your article if you use Firefox “hopefully if you use a pc” I recommend a extension that covers most of these issues plus Google analytics: http://www.customizegoogle.com/ I’m more concerned about that side of it check this out http://en.wikipedia.org/wiki/Google_Analytics thanks for the heads up though if I have to use IE I’ll remember to take your advice.

    Comment by Arick — 8/13/2007 @ 2:12 pm

  77. I want to echo the comments that email without encryption is insecure, even if you use https to get it to the mail server. Once it leaves Google/Yahoo!/MSN/your ISP, it’s not encrypted unless you do it yourself. Look into PGP/GPG as another comment said.

    Comment by Tim — 8/15/2007 @ 7:37 am

  78. The fact that email on the Internet is insecure is well known. The point is that when you’re on a network that allows one to easily read network traffic, it presents an especially high risk of being intercepted by those who could take interest in you and/or cause you harm.

    In other words, some trashy network admin (or fellow coffee drinker) having all your email, wherabouts, agendas, news sources, etc. is much more dangerous than having it floating randomly on the Internet.

    Comment by Daniel Miessler — 8/15/2007 @ 8:19 am

  79. don’t forget to grab your FREE Digital Cert from comodo. (they’re a trusted root CA)

    Comment by cryptoman — 8/17/2007 @ 12:30 pm

  80. [...] great post from dmiessler: Everyone loves Google. They want to be everything to everyone, and they’re getting pretty damn [...]

    Pingback by Information Security Awareness & howtos » Encrypt ALL gmail traffic — 9/13/2007 @ 8:00 pm

  81. [...] read more | digg story [...]

    Pingback by Why You Should Encrypt *All* of Your Google Activities « Security News — 10/4/2007 @ 4:15 am

  82. Hello, very nice site, keep up good job! Admin good, very good.

    Comment by Stasigr — 10/29/2007 @ 2:16 pm

  83. Free Razr plus free shipping with activated service plan.Choose from AT&T, Nextel, T-Mobile, Verizon, and more.

    Click here

    Comment by dafodilkemmy — 10/30/2007 @ 2:52 pm

  84. [...] Just came across this article on why you should encrypt all your Google activities. The author notes that Google, like most other [...]

    Pingback by » Blog Archive » Link: Why You Should Encrypt All Your Google — 12/14/2007 @ 4:27 am

  85. [...] Is Your Google Activity Safe? - Daniel Miessler provides some security and encryption tips for those that use Google services [...]

    Pingback by Clever Diversions - 08.13.07 « jdWeblog — 1/20/2008 @ 5:41 am

  86. holdem poker descargar…

    Trackback by set poker — 4/2/2008 @ 8:00 am

  87. no checking account payday loan…

    Trackback by free hindi movie ringtones free hindi song ringtones download — 4/14/2008 @ 7:00 am

RSS Feed For This Post...
This Post's TrackBack URI

Leave a Comment...