Comments on: Force Gmail to use HTTPS

By: Graham Murray

Graham Murray — Tue, 07 Oct 2008 21:13:22 +0000

I didn’t know this was a standard part of gmail and I certainly did not think using it was just a matter of adding an s to the url. I did know that the s denoted a secure connection but not that it was usable with gmail.

Thanks

Much appreciated.
I will use it everywhere now.

Graham

By: What we’re reading, week of 8/25 « VPN Haus

What we’re reading, week of 8/25 « VPN Haus — Mon, 25 Aug 2008 15:43:44 +0000

[...] Network Security Blog… Force Gmail to use HTTPS Martin McKeay explains how users can protect themselves from having Gmail login data stolen when [...]

By: Bozidar Spirovski

Bozidar Spirovski — Thu, 21 Aug 2008 07:14:14 +0000

While this is an excellent tip, the problem becomes a bit more complicated for users which use an aggregation mail service, which is usually their old ISP mail, configured to pull off e-mail from all other e-mail addresses and dump them in a single account.

These services are not new, and the operator rarely bothers to implement anything better then POP3 or HTTP, so all you need to do is set-up an aggregation account and all your passwords will start flying in the open

Bozidar Spirovski
http://www.shortinfosec.net

By: Tom

Tom — Wed, 20 Aug 2008 20:28:39 +0000

The CustomizeGoogle extension for Firefox 3 also one to set each Google service they use to use always use HTTPS. Seems to work pretty good so far.

By: Skye

Skye — Wed, 20 Aug 2008 19:16:13 +0000

Sadly, this feature does not seem to have disseminated to the Apps for Domains / Universities as my student email does not have it yet. But it’s still SSL from beginning to end if you choose to go to https domain, in fact the university explicitly starts off SSL so it never leaves SSL mode.

Yahoo/MSN Mail have SSL on login but all email is plain http, sadly. Though of the two I only use Yahoo mail. So it’s a cool feature that Google added.

By: Martin

Martin — Wed, 20 Aug 2008 19:09:04 +0000

I’ve never been 100% sure that even if you tell it to use https that it’s using it in all cases. I haven’t ever seen it drop to plain HTTP, but I’ll be the first to admit I’m not always watching for that.

I just think it’s a good thing they’ve made this an option, since if you’re like me and you’re reading your email on 3-4 different computers in a day, you want to make sure you’re running on SSL every time. And yes, all those are computers I have control over, one desktop, two laptops and occasionally my wife’s desktop.

Martin

By: Skye

Skye — Wed, 20 Aug 2008 18:56:18 +0000

I’ve been doing this for ages just by going to https://mail.google.com/. It never goes back to HTTP because all of the links don’t have the protocol in them. It’s cool that they made it an option but it was always there for you if you wanted it.