Google: Calm down, scientists, we’re totally making Gmail more secure

Venture Beat — Tue, 16 Jun 2009 17:44:32 -0400

Most of my life revolves around Google services — I check my email in Gmail, I write articles in Google Docs, and I schedule appointments in Google Calendar. Of course, sending sensitive information back-and-forth from my computer to Google’s servers has its risks. In fact, a group of experts recently wrote a letter (click here to download the PDF) to the search giant saying it isn’t doing enough to keep its applications secure. Now Google has responded in a blog post about plans to tackle these concerns.

The list of people who signed the letter is quite long, and includes experts from both the corporate and academic spheres. The main complaint focuses on how Google implements “HTTPS,” a protocol for establishing a secure connection. Google offers HTTPS as an option for its major web applications (Gmail, Docs, Calendar), and you can also customize Gmail to log into HTTPS automatically. Still, the default setting is to turn the protocol off, and I’d imagine that many users haven’t heard of it. (I’m ashamed to admit I wasn’t using it regularly until I read this blog post last year exhorting me to do so.)

“Few users know the risks they face when logging into Google’s web applications from an unsecured network, and Google’s existing efforts are little help,” the original letter reads.

Why pick on Google when there are many web applications that only use HTTPS on their log in page? Christopher Soghoian, a student fellow at the Berkman Center for Internet and Society at Harvard, told The New York Times that it’s because of the search giant’s prominence, and because it would be easier for Google to expand its already-existing HTTPS support than for a company like Yahoo or Microsoft to add the feature from scratch.

Google, meanwhile, responds that it will start testing HTTPS more broadly, to see if the cost to speed is too high. “Unless there are negative effects on the user experience or it’s otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users,” the company says. That wording definitely leaves the company room to back out, but hey, there’s a chance that all Gmail users may soon benefit from HTTPS, even if they have no idea what it is.

[photo:flickr/fotographix.ca]