If you use Gmail you should enable the SSL feature right now.

The folks over at Wired.com have an entry up on how and why you should enable Gmail’s SSL feature that is worth a read:

Why? Because without it, anyone can easily hack someone’s account and in two weeks it is going to get even easier. Mike Perry, a reverse engineer from San Francisco, announced his intention to release his Gmail Account Hacking Tool to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent. It is urgent, and here’s why.

The reason is pretty simple. Without the SSL feature turned on, Gmail only uses a secure connection for the initial login, and then all session data is sent back and forth unencrypted. The problem with that is your session data includes your login information, which kinda defeats the point of having it encrypted during the login. Someone sitting with a packet sniffer looking at your network traffic could snatch that info from the data stream and have full access to your account and all the archived emails. By turning on the SSL feature, the entire session will be encrypted from beginning to end.
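The exposure described above, modelled as an added example (not code from the original post or from Google): it shows which cookies travel in cleartext on a request made after an HTTPS login, with and without the cookie `Secure` attribute. It assumes the session is carried in a cookie; the headers are constructed, and the cookie names `SESSION` and `PREFS` and the host `mail.example` are hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers from an HTTPS login response (not captured traffic).
# "SESSION" and "PREFS" are hypothetical cookie names.
LOGIN_RESPONSE_WEAK = [
    "SESSION=constructed-token-123; Path=/; HttpOnly",
    "PREFS=lang-en; Path=/",
]
LOGIN_RESPONSE_HARDENED = [
    "SESSION=constructed-token-123; Path=/; HttpOnly; Secure",
    "PREFS=lang-en; Path=/",
]


def parse_set_cookie(headers):
    """Return {cookie name: Morsel} for a list of Set-Cookie header values."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        jar.update(cookie)
    return jar


def cookies_sent(headers, url):
    """Names of cookies a browser would attach to a request for `url`.

    Only the Secure attribute is modelled: a Secure cookie is withheld from
    plain http:// requests. Domain and Path matching are left out.
    """
    is_https = urlsplit(url).scheme == "https"
    return sorted(
        name for name, morsel in parse_set_cookie(headers).items()
        if is_https or not morsel["secure"]
    )


def exposed_in_cleartext(headers, url):
    """Cookies a passive observer on the network path can read for this request."""
    return [] if urlsplit(url).scheme == "https" else cookies_sent(headers, url)


if __name__ == "__main__":
    for label, headers in (("weak", LOGIN_RESPONSE_WEAK), ("hardened", LOGIN_RESPONSE_HARDENED)):
        for url in ("http://mail.example/inbox", "https://mail.example/inbox"):
            print(label, url, exposed_in_cleartext(headers, url))
```

Keeping every request on https:// leaves nothing readable on the wire in either case; the `Secure` attribute only protects the cookie it is set on if a plain http:// request does happen.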

You can tell if your session is encrypted by looking at the address bar of your browser. If you see https:// at the start of the address while reading your email, then you’re encrypted. This feature is turned off by default, so if you haven’t specifically turned it on then you’ll want to. You can do that by clicking on the SETTINGS link in the upper right corner of the Gmail screen; on the GENERAL tab (which should be the default that comes up), scroll down to where it says BROWSER CONNECTION and click on the box for “Always use https.” Then just press Save Changes to update your account. You may need to quit and log in to Gmail again to make sure it’s working.

You won’t notice anything different about how Gmail works from before, but you’ll be a little better protected.

8 thoughts on “If you use Gmail you should enable the SSL feature right now.”

  1. I only check my gmail account with my email program… I never do it through a browser… Is it something I still need to do? I know nothing about these sort of things. grin

  2. I only check my gmail account with my email program… I never do it through a browser… Is it something I still need to do? I know nothing about these sort of things.

    It might not be a bad idea to set it up in case you ever do use the account over the web, but if you never do, there’s no danger in just using your mail client.  Those use different protocols that are much more difficult to hack, and generally don’t use the web interface.  Somebody might have more info on it than I do though.  I’m about 98% certain that POP3 and/or IMAP are secure against this sort of problem.

  3. Brooks, if you’ve set up your mail client to pull down Gmail then you’re already using SSL. You can confirm it by double checking the settings in your client.

  4. Brooks, if you’ve set up your mail client to pull down Gmail then you’re already using SSL. You can confirm it by double checking the settings in your client.

    Good, that’s what I thought. smile I use Thunderbird for my Gmail accounts, and I was about to ask the same question Brooks did.
