
Gmail’s bad encryption defaults

Gmail’s webmail service unfortunately defaults to the following behavior: your login is encrypted, but the page reverts to unencrypted http once you’re logged in. If you’re on an unprotected wireless network, such as a public hotspot, not only can the e-mails you read and compose be easily read by anyone else on that network; the session cookie that identifies you to Gmail travels in the clear along with them, so someone can capture it and actually hijack your Gmail account that way.

(Screenshot: Gmail’s unsecured default URL)

The fix is easy if you’re a little computer-savvy: manually enter the URL https://mail.google.com (note the “s” in “https://”), and your entire session will be encrypted via SSL. This also works for https://gmail.com, although Firefox will complain that the domain name does not match the one on the server’s certificate. Fine so far. However, if you use yet another URL alias for Gmail, https://googlemail.com, the trick doesn’t work: your Gmail connection reverts to unencrypted http after login. So whichever URL you start from, check that the address bar still reads https:// once your inbox is open.
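To make the hijacking risk described above concrete, here is an added example that is not code from the original post. It drives Python’s standard-library cookie jar (http.cookiejar), which applies the same cookie-scoping rules a browser follows, so nothing touches the network: we model the login step with a constructed Set-Cookie response from a login URL on mail.google.com and then ask the jar which cookies it would attach to a later request. The cookie name SESSION, its value and the /mail/ paths are constructed for the example and are not Gmail’s real cookies. As a server-side counterpart the post does not discuss, it also shows that the same cookie marked Secure is never attached to a plaintext http:// request, whichever URL the user started from.

```python
"""Why an https login followed by an http session is hijackable.

Added example, not code from the original post. It uses Python's
standard-library cookie jar (http.cookiejar), which applies the same
cookie rules a browser does, so nothing is sent on the wire: we only
ask "which cookies would the browser attach to this request?".

Everything below is constructed for the example: the cookie name
SESSION, its value, and the paths. They are not Gmail's real cookies.
"""
import email.message
import http.cookiejar
import urllib.request

LOGIN_URL = "https://mail.google.com/"          # the login itself is encrypted
INBOX_HTTP = "http://mail.google.com/mail/"     # where the default drops you afterwards
INBOX_HTTPS = "https://mail.google.com/mail/"   # the "type https:// yourself" workaround

# Constructed session cookie, as a server would set it at login.
SESSION_COOKIE = "SESSION=constructed-session-token; Path=/"


class FakeResponse:
    """Stand-in for an HTTP response. CookieJar.extract_cookies only needs
    .info() to return a message object exposing get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value   # repeated keys are kept

    def info(self):
        return self._headers


def simulate_login(mark_secure):
    """Model the login step: the server answers the HTTPS login request with
    a Set-Cookie header and the browser (the jar) stores it. With
    mark_secure the server appends the Secure attribute, which tells the
    browser never to send that cookie over plaintext http."""
    set_cookie = SESSION_COOKIE + ("; Secure" if mark_secure else "")
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(FakeResponse([set_cookie]), urllib.request.Request(LOGIN_URL))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to a request for
    url, or None if it would send no cookies at all. Only the request
    object is built; nothing is transmitted."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def session_exposed_in_clear(jar, plaintext_url):
    """True if the session cookie would cross the network unencrypted,
    i.e. readable and replayable by anyone sniffing the hotspot."""
    if not plaintext_url.startswith("http://"):
        raise ValueError("expected a plaintext http:// URL")
    header = cookie_header_for(jar, plaintext_url) or ""
    return any(part.strip().startswith("SESSION=") for part in header.split(";"))


if __name__ == "__main__":
    for label, secure in (("default (no Secure flag)", False), ("cookie marked Secure", True)):
        jar = simulate_login(mark_secure=secure)
        print(f"{label}:")
        print("  http  request carries:", cookie_header_for(jar, INBOX_HTTP))
        print("  https request carries:", cookie_header_for(jar, INBOX_HTTPS))
        print("  exposed on open Wi-Fi:", session_exposed_in_clear(jar, INBOX_HTTP))
```

Running it shows the two halves of the problem: with Gmail-style defaults the jar attaches the session cookie to the http:// inbox request just as readily as to the https:// one, and anyone who reads it off the hotspot can present it as their own. Typing the https:// URL yourself keeps the cookie on the encrypted path, which is what the workaround above relies on; the Secure attribute (an addition here, not something the post discusses) is what a server would set so the browser withholds the cookie from plaintext requests no matter which alias the user started from.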


I don’t understand why Gmail doesn’t make SSL encryption for the entire session the default. Yes, you can bookmark the secure URL, but if you’re travelling you may well not be on your own computer. And less tech-savvy users like my parents will have to remember to use a special URL instead of being able to just click on the “Mail” link on a Google page. I find Gmail’s choice especially surprising given that in other respects they take the laudable approach of helping out the less knowledgeable user, such as with this alert I found today for a phishing e-mail in my spam folder:

(Screenshot: Gmail warning for a phishing mail)

Addendum

Gmail has recently added an option for this in the settings (“General Settings”), at the very bottom of the page: select “Always use https”, and Gmail will default to the secure connection.
