
Editor's Desk: Google security needs HTTPS by default

Security's leading thinkers ask Google to turn on HTTPS by default for Gmail, Docs and Calendar.

Google's credo is "Do no evil." Some of the best security minds in the industry are imploring Google to do the right thing when it comes to the security and privacy of its free email and productivity application offerings.

In case you missed it, 38 security thinkers and researchers wrote an 11-page letter to CEO Eric Schmidt asking him to enable HTTPS encryption on Gmail, Google Docs and Google Calendar by default. That list of 38 is a roll call of security pioneers and current thought leaders, everyone from Gene Spafford, Steve Bellovin, Bill Cheswick and Bruce Schneier to white hats RSnake, Joe Grand and Jeff Moss. They point out that Google's current insecure default settings put the privacy of the users of its cloud-based services at risk.

"Anyone who uses these Google services from a public connection (such as open wireless networks in coffee shops, libraries, and schools) faces a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet," the letter says.

Already, researchers have successfully developed tools to steal authentication data stored in cookies that are, by default, sent without encryption to and from Google's servers. Researcher Mike Perry's Cookiemonster debuted at DefCon two years ago, as did Robert Graham's Hamster Wi-Fi cookie stealer. Both tools swipe unencrypted authentication data found in cookies and allow the attacker to pose as the victim.

Google has known about these flaws for close to two years now and has released a configuration option that, should a user choose it, turns on HTTPS. The group of 38, however, dares you to try to find it in the Settings option of Gmail, for instance (Hint: there are 13 settings on the General screen; HTTPS is the last one, and it's under Browser connection). Furthermore, there are no encryption options for Docs and Calendar, and the letter intimates that users may think the Gmail protection extends to the other services. Encryption has to be on by default across the board.
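The two paragraphs above describe one concrete failure mode: a session cookie issued without the Secure attribute is sent by the browser over plain HTTP, where anyone sharing the network can read it and replay it. The following checker is an added example, not code from the column, the letter or Google; it audits a service's own response headers for exactly that condition and for whether plaintext HTTP is redirected to HTTPS. The response samples and the list of "sensitive" cookie-name hints are constructed for illustration.

```python
"""Audit HTTP response headers for cookies and sessions sent in the clear.

Added example (not from the column). Findings are returned as
(severity, subject, message) tuples so they can be asserted on or printed.
"""
from http.cookies import SimpleCookie

# Constructed list of name fragments that usually mark a session or
# authentication cookie; adjust it for the application under review.
SENSITIVE_HINTS = ("sid", "sess", "auth", "token", "login")

REDIRECT_CODES = (301, 302, 307, 308)


def audit_set_cookie(set_cookie_value):
    """Return findings for one Set-Cookie header value.

    A cookie without the Secure attribute is transmitted over plaintext HTTP
    as well as HTTPS, which is the exposure the column describes. HttpOnly is
    checked too because it limits what page scripts can read.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    findings = []
    for name, morsel in jar.items():
        sensitive = any(hint in name.lower() for hint in SENSITIVE_HINTS)
        if not morsel["secure"]:
            severity = "HIGH" if sensitive else "LOW"
            findings.append((severity, name,
                             "missing Secure: cookie will be sent over plaintext HTTP"))
        if not morsel["httponly"]:
            findings.append(("MEDIUM", name,
                             "missing HttpOnly: cookie is readable by page scripts"))
    return findings


def audit_response(scheme, status, headers):
    """Audit one response given its URL scheme, status code and header list.

    headers is a list of (name, value) pairs, as an HTTP client library
    would hand them back. Header names are matched case-insensitively.
    """
    findings = []
    hdrs = [(name.lower(), value) for name, value in headers]
    location = next((v for n, v in hdrs if n == "location"), "")

    if scheme == "http":
        # Plain HTTP is acceptable only if it immediately bounces to HTTPS.
        redirected = status in REDIRECT_CODES and location.lower().startswith("https://")
        if not redirected:
            findings.append(("HIGH", "transport",
                             "served over plaintext HTTP with no redirect to HTTPS"))
    elif not any(n == "strict-transport-security" for n, _ in hdrs):
        findings.append(("MEDIUM", "transport",
                         "no Strict-Transport-Security header: browsers may still try HTTP first"))

    for name, value in hdrs:
        if name == "set-cookie":
            findings.extend(audit_set_cookie(value))
    return findings


# Constructed samples: the insecure default the column describes beside a
# hardened response. Domain and token values are placeholders.
INSECURE_DEFAULT = ("http", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=constructed-session-token; Path=/; Domain=.example.invalid"),
])

HARDENED = ("https", 200, [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=constructed-session-token; Path=/; Domain=.example.invalid; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, sample in (("insecure default", INSECURE_DEFAULT), ("hardened", HARDENED)):
        print(label)
        for severity, subject, message in audit_response(*sample) or [("OK", "-", "no findings")]:
            print(f"  [{severity}] {subject}: {message}")
```

Run against the constructed samples, the insecure default produces a HIGH transport finding plus HIGH and MEDIUM findings on the session cookie, while the hardened response produces none. The Secure attribute is the browser-side counterpart of the server-side "always use https" option the column discusses: even if a user is redirected to HTTPS, a cookie without it is still sent on any plain-HTTP request to the same domain.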

Four Things Google Needs to Do
The 38 security experts who co-signed a letter to Google CEO Eric Schmidt made four recommendations:

  1. Place a link or checkbox on the login page for Gmail, Docs, and Calendar that causes that session to be conducted entirely over HTTPS. This is similar to the "remember me on this computer" option already listed on various Google login pages. As an example, the text next to the option could read "protect all my data using encryption."
  2. Increase visibility of the "always use https" configuration option in Gmail. It should not be the last option on the Settings page, and users should not need to scroll down to see it.
  3. Rename this option to increase clarity, and expand the accompanying description so that its importance and functionality are understandable to the average user.
  4. Make the "always use https" option universal, so that it applies to all of Google's products. Gmail users who set this option should have their Docs and Calendar sessions equally protected.

"A large body of scientific research shows that users overwhelmingly retain default options; thus, unless the security issue is well known and salient to consumers, they will not take steps to protect themselves by enabling HTTPS. To deliver on Google's promises about privacy and security, the company should shift the default option to the more protective HTTPS setting," the letter says.

The letter also slams Google for not better informing its users of the risks of sending their docs and cookies in the clear, and also points out that the performance hit from turning on encryption is negligible. Oh, by the way, did you know that Google has turned HTTPS on by default in its Google Health, Voice, AdWords and AdSense offerings?

That's what makes Google's decision not to do so for Docs, Gmail and Calendar so baffling. Web 2.0 apps are supposed to be business enablers, but if individuals and/or businesses start losing personal or corporate information via this avenue, the value proposition of Web 2.0 starts looking pretty thin. Two articles in this issue of Information Security take a deeper dive into Web security: "Controlling Privileged Accounts" looks at the need for privileged access control, and "DNSSEC: Has the Time Come?" looks at some of the advantages and hang-ups around adding security to DNS. Check them out.

In the meantime, do the right thing, Google: turn on HTTPS by default, listen to the best minds security has to offer and follow their recommendations (see Four Things Google Needs to Do, above). They know their stuff.

Michael S. Mimoso is Editor of Information Security. Send comments on this column to feedback@infosecuritymag.com.

This was last published in July 2009
