Mobile // Mobile Applications
News
3/22/2014
09:26 AM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Makes HTTPS For Gmail Mandatory

Google no longer allows Gmail users to turn off HTTPS encryption. The move protects data going between Google's servers and users.

10 Great Google Apps Tips
10 Great Google Apps Tips
(Click image for larger view)

Moving to restore trust in cloud computing services, Google said Thursday that it has made encrypted HTTPS connections mandatory for Gmail.

"Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail's servers -- no matter if you're using public WiFi or logging in from your computer, phone or tablet," Nicolas Lidzborski, Google security engineering lead, wrote in a blog post.

The company turned HTTPS on by default in 2010. From then until now, users were able to disable it -- for the sake of marginal speed gains or compatibility -- but no longer.

Google has long been at the forefront of online security, partially out of necessity, because it is frequently targeted by hackers. It was one of the first online companies to introduce two-step authentication. And it says Google Apps for Government was the first set of cloud computing apps to receive Federal Information Security Management Act (FISMA) certification from the US government. (Microsoft disputed this in 2011, and Google said Microsoft's allegations were false.)

[Take control of your privacy on Google. Read 5 Google Opt-Out Settings To Check.]

Lidzborski wrote that all messages Gmail users send or receive are now encrypted when moving internally. "This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers -- something we made a top priority after last summer's revelations."

The revelations at issue are those that arose from the NSA documents revealed by Edward Snowden. They have called into question the security of cloud computing and have prompted some companies to reconsider their commitment to third-party hosting.

(Source: David Bruce Jr./Flickr)
(Source: David Bruce Jr./Flickr)

Mandatory HTTPS connections might secure data in transit between Google's servers and its customers, but it should not be mistaken for true end-to-end encryption. Google's Gmail algorithms can still read Gmail text to serve ads. And the company can still access Gmail messages if ordered to do so by a court or at its discretion, as Microsoft did recently when it looked through the communications of a Hotmail-using blogger to identify an employee who allegedly leaked Windows source code to the blogger. However, given the outcry over Microsoft taking such action without a court order, it's doubtful Google is eager to avail itself of the access rights it has under its terms of service agreement.

Lidzborski also wrote that Gmail was up and running 99.978% of last year, which works out to an average downtime of two hours for each user during that period.

Engage with Oracle president Mark Hurd, NFL CIO Michelle McKenna-Doyle, General Motors CIO Randy Mott, Box founder Aaron Levie, UPMC CIO Dan Drawbaugh, GE Power CIO Jim Fowler, and other leaders of the Digital Business movement at the InformationWeek Conference and Elite 100 Awards Ceremony, to be held in conjunction with Interop in Las Vegas, March 31 to April 1, 2014. See the full agenda here.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bikeamtn
50%
50%
bikeamtn,
User Rank: Apprentice
3/26/2014 | 5:01:39 PM
Re: Change for the better
More info at: MyStolenID org
bikeamtn
50%
50%
bikeamtn,
User Rank: Apprentice
3/26/2014 | 5:00:47 PM
Re: Change for the better
"If there's anything positive to come out of the whole NSA situation."

Yes, it is. The only thing I'd rather of seen, was that my brief on cyber security posted in the Washington Post & NBCnews (after the Boston bombing, Apr 30 2013) wasn't mysteriously deleted which could have altered events like the 110 million (1/2 the US population) becoming victims of the Target Breach (of which I'm one). That was some 30 days before the PRISM story of the 'Washington Post'.
eugenerudenko
50%
50%
eugenerudenko,
User Rank: Apprentice
3/25/2014 | 4:36:14 AM
For the better
I think it's a logical change. Email is a confidential way of communication and it should be encrypted. Not sure if Snowden case has influenced this decision but this step seems natural after introducing encrypted search
Leo Regulus
0%
100%
Leo Regulus,
User Rank: Apprentice
3/24/2014 | 11:42:21 AM
Good decision
I dropped my subscription to Information Week over a year ago due to my continuous disappointment with the quality of content and the total disdain in which management held its readers. 

I am here now as a result of referral from LinkedIn. 

I see that nothing has changed to cause me to retract that decision.  On the contrary, for my purposes, thing have gotten worse. 
Madhava verma dantuluri
50%
50%
Madhava verma dantuluri,
User Rank: Apprentice
3/24/2014 | 12:43:29 AM
USeful
This is a good moce by Google, HTTPS brings more security.
danielcawrey
50%
50%
danielcawrey,
User Rank: Ninja
3/23/2014 | 7:39:45 PM
Re: Change for the better
It makes you wonder whether or not many of these types of measures would have been put in place had Edward Snowden not leaked all of those documents. 

I think that story has affected many companies in their ability to build confidence about cloud computing. But over time I believe that the story will fade and people will regain that trust. 
Stratustician
100%
0%
Stratustician,
User Rank: Ninja
3/22/2014 | 10:59:03 AM
Change for the better
If there's anything positive to come out of the whole NSA situation, it's nice to see that it's forcing many providers to beef up security standards.  It's nice to see Google taking responsibility for its users security by pushing HTTPs as a standard, as it not only allows for secure use of their service, but it also inherently makes the data shared by users more secure.  This is a great move as many folks are still of the mindset that they can't be bothered to maintain basic security practices, this will make it easy for users to practice safe computing whether conscious of it or not.
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.