Sciencetext Tips & Tricks

Tech talk, social media, blogging, computing tips and tricks

Google is Not Secure Without a Little s

August 13th, 2007 · by David Bradley

Have you ever noticed that when you log in to your Google mail account, the server redirects you to the login page and kindly adds a little “s” to the http:// in the address bar, making it https://? Sounds good: that little “s” stands for security. What you may not have noticed is that on some accounts, once you are logged in, the little “s” disappears, meaning the actual transactions you make on your Google mail account after that are no longer encrypted. Check it out: see whether the address drops back to plain http:// after you log in.

You could spend an age bookmarking all the various http:// pages you encounter in Google and manually adding the little “s” to those addresses, but a much simpler solution is to switch to Firefox, if you haven’t already done so, and install the CustomizeGoogle Firefox add-on. This allows you to set https:// as the default for all Google transactions, forcing their servers to encrypt everything rather than sending your GMails as plain text over the net where any sniffer could read them. Alternatively, if you are already running Greasemonkey to help you customize the web pages you visit, then the GmailSecure userscript does something similar. There are other applications that do essentially the same thing, including Better gCal, Better gReader, and Better GMail, which add the “s” to your Google URLs and so encrypt your transactions.
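The URL rewrite that such add-ons and userscripts perform can be sketched as follows. This is an added example, not code from CustomizeGoogle, GmailSecure or the original post; the `google.com` host list and the function names are assumptions made for illustration.

```javascript
// Added example. The list of domains to upgrade is an assumption,
// not taken from any of the add-ons named in the post.
const SECURE_SUFFIXES = ["google.com"];

// True only for the listed domain itself or a real subdomain of it, so that
// "mail.google.com.example.net" and "notgoogle.com" do not match.
function hostMatches(hostname, suffix) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return host === suffix || host.endsWith("." + suffix);
}

// Returns the https:// form of rawUrl when it is plain http on a listed host,
// or null when the URL should be left alone.
function upgradeToHttps(rawUrl, suffixes = SECURE_SUFFIXES) {
  let url;
  try {
    url = new URL(rawUrl); // also normalises case and splits off any user@ part
  } catch (e) {
    return null; // relative or malformed URL
  }
  if (url.protocol !== "http:") return null; // already https, or mailto:, ftp:, ...
  if (url.port !== "") return null; // explicit non-default port: https may not listen there
  if (!suffixes.some((s) => hostMatches(url.hostname, s))) return null;
  url.protocol = "https:";
  return url.href; // path, query string and fragment are preserved
}

// In a userscript the result would drive a redirect. The guard keeps this
// block runnable outside a browser, where no window object exists.
if (typeof window !== "undefined" && window.location) {
  const target = upgradeToHttps(window.location.href);
  if (target) window.location.replace(target);
}
```

A client-side rewrite like this only runs after the browser has already sent the first plain http:// request, so bookmarking the https:// address is still worthwhile.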

Of course, there are always steps in the transaction between you and the chosen recipient of your email where the packets of information may be decrypted and travel as plaintext once again, but this little “s” approach cuts the risk. To be totally secure you need to encrypt your text properly using PGP (Pretty Good Privacy) on the client side; that way there is no possibility of any intervening servers automatically decrypting your text and removing that “s”. There are, however, reports of a conflict between the PGP tray and the Firefox NoScript plugin.

To quote from the dmiessler site, which apparently first mentioned this issue: “The more we depend on Google (or any other monolithic service) the more we need to safeguard the information they have of ours. One way we can help is by demanding (via secure bookmarks) that they send our mail, news feeds, calendars, and other information over a secure connection.”

Note the phrase “any other monolithic service”. That is an allusion to the fact that Google is not alone in using and dropping the little “s” almost at random while one uses their services. Yahoo, Microsoft, etc. are just as bad. You have been warned.

If you’re using Firefox, then the CustomizeGoogle add-on will allow you to force the browser to use https:// by default for your Google logins. And, if you’re looking for a universal login for the sites you use, then check out the Sig Figs write-up on OpenID.
