Starting today, Gmail will use an encrypted HTTPS connection to check or send email, regardless of what platform users employ to access the service – and there is no longer an opt-out for Gmail users to use a less secure connection instead.
The search giant also announced that all emails will be encrypted while moving internally between Google’s data centres, as reported by IDG News Service.
Writing on the official Google Blog, Nicholas Lizborski, Gmail’s Engineering Security Lead, said, “Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you’re using public WiFi or logging in from your computer, phone or tablet.”
Geekwire points out that ordinary Gmail users will not experience a huge difference in the service – Google has supported HTTPS connections since 2008, and turned the service on for all users in 2010. At that point, though, users still had the option of switching it off. Google has removed that option today, Geekwire reports.
Citing concerns about government spying on emails, and referring obliquely to Edward Snowden, Google’s Lizborski wrote, “In addition, every single email message you send or receive—100 percent of them—is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centers – something we made a top priority after last summer’s revelations.”
PC World reported that a Google spokesperson admitted that the additional security afforded by HTTPS came at the cost of a certain amount of latency (i.e. a slower connection speed). Speaking to PC World, the spokesperson said that Google’s engineers had taken steps to mitigate the effects on speed, and that the company believes it makes no sense to allow any user to continue using an unencrypted HTTP connection.
Author Rob Waugh, We Live Security