
Last month, Google rolled out an SSL feature for Gmail to thwart an exploit brought to them a year ago and later publicly presented at the recent Defcon conference, according to Hacking Truths. There was no announcement for the new feature, and it was offered as an option, which I'm willing to bet was largely ignored.
Gmail is a perpetual beta, but should still bear some responsibility for its users' security. If they really did have a year to issue a fix, and left it to an optional "feature" with no explanation to their users, they've pushed that responsibility back to their users without even a basic explanation of the protection it provides. If you click the "learn more" link, the text provided by Google actually sounds like it's discouraging users from enabling the feature, stating:
"Please note that selecting 'Always use https' will prevent you from accessing Gmail via HTTP (Hypertext Transfer Protocol). In addition, it may make Gmail a bit slower. If you trust the security of your network, you can turn this feature off at any time."






Comments
This option is great except for the fact that they do not offer it to those people using the standard (free) version of Google Apps to host email. The free GMail service and the Premium Google Apps service both offer this functionality.
What does it mean, "If you trust the security of your network..."?
Gmail security depends on my network security?
The Gmail blog post announcement of this feature:
http://gmailblog.blogspot.com/2008/07/making-security-easier.html