This is Why You Should Be Encrypting Your Communications with Google [Traffic Included]
By Daniel Miessler on October 22nd, 2007: Tagged as Google | Information Security | Security

Everyone loves Google. They want to be everything to everyone, and they’re getting pretty damn good at it. Once you start using their services it gets easier and easier to migrate more of your life to them. But there’s a slight problem.
Google, like most other similar services, encrypts login traffic but not your content. So the moment you’re signed in they switch to plain text communications and send everything to you in the open.
This means your mail, the news sources you read, and your calendar events can all be read by anyone with access to any part of the network between you and Google. This could be your employer at work, the wireless network at your local coffee shop, whatever. This isn’t good.
Here’s an email I just sent myself over the default (unencrypted) connection:

And here’s what I captured via tcpdump.

That’s the whole email there for anyone to see. Luckily it’s easy to fix…
- Use Bookmarks for Your Google Services: Create bookmarks (or modify them if you already have them) for Gmail, Google Calendar, Google Reader, and iGoogle (your Google homepage) using https instead of http, like so: https://mail.google.com/mail/. Do this for every service that you use at Google.
- Don’t Click on Links Within Google to Take You to Your Services: If you use their links Google will often take you to the unencrypted version because it’s easier on their servers. Use your links instead to ensure that your sessions are encrypted.
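As an added illustration (not code from the original post), here is a small Python audit of a constructed plaintext capture like the tcpdump one above: it picks out the signed-in Google requests, records what was readable, and gives the https bookmark the post recommends in their place. The www.google.com host, the session-cookie names and all sample values are assumptions of this example.

```python
import re

# Google hosts whose signed-in traffic the post shows travelling in the clear.
# mail.google.com is from the post; www.google.com (Calendar, Reader, iGoogle
# at the time) is an assumption of this example.
GOOGLE_HOSTS = {"mail.google.com", "www.google.com"}
REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")

# Constructed sample: requests a sniffer on the same network could reassemble
# from port-80 traffic while a signed-in user sends a mail and opens Reader.
SAMPLE_CAPTURE = """\
POST /mail/?ui=1&act=sm HTTP/1.1
Host: mail.google.com
Cookie: GX=made-up-session-value

to=me%40example.com&subject=test&body=this+is+the+whole+email+in+the+clear

GET /reader/view/ HTTP/1.1
Host: www.google.com
Cookie: SID=made-up-session-value

GET /index.html HTTP/1.1
Host: www.example.org
"""

def parse_plaintext_requests(capture):
    """Yield (method, path, headers, body) per request; headers end at a blank line."""
    for block in re.split(r"\n(?=(?:GET|POST) \S+ HTTP/1\.[01]\n)", capture.strip()):
        head, _, body = block.partition("\n\n")
        lines = head.strip().split("\n")
        method, path = REQUEST_LINE.match(lines[0]).group(1, 2)
        headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
        yield method, path, headers, body

def audit_google_exposure(capture):
    """List Google requests that went out unencrypted, with the https bookmark to use instead."""
    findings = []
    for method, path, headers, body in parse_plaintext_requests(capture):
        host = headers.get("host", "")
        if host not in GOOGLE_HOSTS:
            continue  # other plaintext traffic is out of scope here
        findings.append({
            "host": host,
            "path": path,
            # a visible cookie means the whole signed-in session was exposed, not one page
            "session_cookie_exposed": "cookie" in headers,
            # a POST body (e.g. an outgoing mail) was readable exactly as typed
            "content_exposed": method == "POST" and bool(body.strip()),
            "use_instead": "https://%s%s" % (host, path.split("?")[0]),
        })
    return findings
```

Running `audit_google_exposure(SAMPLE_CAPTURE)` flags the Gmail send and the Reader page and leaves the unrelated example.org request alone.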
The more we depend on Google (or any other monolithic service) the more we need to safeguard the information of ours that they hold. One way we can help is by demanding (via secure bookmarks and other methods) that they send us our mail, news feeds, calendars, and other information over a secure connection.
[ Note: This is not a Google-specific problem. Most other services work in exactly the same way. The difference is that Google is so prolific and is becoming very successful at getting people to use not only their email service but also their calendaring, news reader, instant messaging, their search (with history), etc. It's the all-in-one dynamic that makes it especially important to protect Google traffic. ]
--

Appears as if I can’t access Google Notebook over https :(
Comment by Leo — 10/22/2007 @ 4:30 pm
You’re such a linkwhore lately :)
There’s a bunch of Firefox extensions you can use to enforce this as well - everything from Greasemonkey scripts to full blown extensions.
The downside, of course, is that the HTTPS connections take more resources on both ends, require more CPU time to process, generate more network traffic, etc.
Also, if you’re going to access gmail via SMTP or POP3, SSL is enforced…
Comment by Zhasper — 10/23/2007 @ 9:53 am
I think if someone’s sniffing packets on your network, they’re just a fart away from decrypting if those packets happen to be encrypted.
But Tor is pretty cool.
Comment by j — 10/23/2007 @ 2:42 pm
The Firefox extension Customize Google has options to automatically redirect all your Google traffic to the https version. Very useful.
Comment by Maxo — 10/29/2007 @ 3:12 pm