Monday, January 29, 2007

Secure Access to Gmail and Gtalk

Did you know that Gmail and Google Talk both support TLS encryption (aka SSL), rendering the data you send to and from Google secure and inaccessible to would-be eavesdroppers? Google Talk uses TLS by default, and Gmail will use it if you point your browser at https://mail.google.com (note the "https" instead of "http").

The use of TLS/HTTPS creates a secure channel between your computer and Google's data centers. This is especially important when your computer is connected to a public network, such as a Wi-Fi hotspot; I have been to conferences where people were known to use packet capture software to spy on competitors who were careless enough to communicate over cleartext channels.

I'm glad to see that Google has made security a priority. Moore's Law has made support for TLS fairly cheap from a operational standpoint, so there's really no good reason to not feature it. Let's hope TLS becomes more common in the web world.

Update: I didn't have time to check extensively, but I noticed Google Calendar and Google Docs & Spreadsheets both support TLS access as well.

4 comments:

kofai said...

这样是很好。but,if you must see it:http://www.hackerxfiles.net/viewthread.php?tid=14569

Hugo said...

Hi Justin,

TLS encryption works for Google Docs, however, not for Google Spreadsheets as far as I know. If you open a new spreadsheet, you'll notice the browser switches back to an unencrypted "http" connection.

It's good to learn Google wants to put more focus on security. They apparently have pretty good security in their datacenters, and if SSL becomes adopted across all Google's services this would also guarantee a secure link until the user's computer.
However, I think there is still room for improving the security on the client side. My data on Google Docs & Spreadsheets for example is vulnerable when I am logged in my Google account. Every document is a click away, and there is no way to further protect documents that could be sensitive.
Google understands that some data is more privacy-sensitive than some other data. For example, if you want to look at your search history, you will be asked to re-enter your password even if you are already logged in. I think something similar to be possible for sensitive documents in Google Docs & Spreadsheets.

check this on the subject:
lepetitradiateur.blogspot.com/

Hugo said...

2007-04-25 - Just to update my own comment: I noticed that SSL encryption has now been made available for Google Spreadsheets as well (it was previously only available for Google Docs). They must have updated this at the same time they added charts.

I applaud the change ; though I still think a password encryption feature like the one I suggested (see link above) would be very welcome...

Anonymous said...

I'm concerned the security of e-mail, voice and video from gmail. As I learnt from here that the e-mail from gmail inbox to google sever is as safe as the banks communication. And also, the Gtalk is using the TLS encryption to protect the users. But, I don't know how safe is when I'm using voice and video in Gmail. For instance, when I'm using the voice in Gmail inbox in China, if Chinese government agents can eavesdrop my conversation with my friends. Your reply is very important for me and lots of people in China.

Thank you very much!