Google (finally) enables default "https" access for GMail

A day after confirming a major security breach by Chinese hackers looking for GMail account information, Google has turned on default "https:" access for its popular Web mail service.

Google had previously added the option for GMail users to "always use https" back in July 2008 but it was turned off by default.

Last June, a group of researchers and academics released an open letter calling on Google to protect users' communications from theft and snooping by enabling industry-standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.

Now comes word that this is indeed happening:

We are currently rolling out default https for everyone. If you've previously set your own https preference from Gmail Settings, nothing will change for your account. If you trust the security of your network and don't want default https turned on for performance reasons, you can turn it off at any time by choosing "Don't always use https" from the Settings menu. Gmail will still always encrypt the login page to protect your password. Google Apps users whose admins have not already defaulted their entire domains to https will have the same option.

This Google page offers additional guidance on keeping your data secure.


Talkback

33 comments
  • unlike M$ Google cares about security

    and improves it every day!
    Linux Geek
    • Well, Google just proved you wrong

      And Schmidt, Brin and Page should be brought before the World Court and convicted of aiding in the murders of the Chinese activists because they believe that security is something that should not be taken seriously unless it is their own private data.
      GuidingLight
    • Huh?

      Microsoft has had https:// support by default for their hosted Exchange since it launched...
      marksashton
      • Hotmail

        I think he was referring to Hotmail which has been using certificates that weren't properly signed or were expired as recently as last year. Not sure if that is still the case.
        t_mohajir
        • No, he's not

          He's not referring to any factual incident. His keyboard is broken and half the keys only type "M" and "$", which is why he injects that string into any random subject from global warming to Michael Jackson.
          hickum
          • Sad but apparently true

            nt
            use_what_works_4_U
    • How is this an improvement?

      The option was already there, and if you didn't
      know what it was, you obviously had nothing of
      value to hide anyways.
      AzuMao
    • unlike M$ Google cares about security

      If Google really cared about security why did it take them this long to make "HTTPs" the default for its users?

      Does anyone really think these companies care about our information? They only care what we think about them! That's what leads to revenue and bloated stock!
      Rob.sharp
      • Why don't you ask..

        ..Microsoft why they still haven't made DEP
        and non-admin accounts the default, despite the
        fact that their own followers keep claiming these
        things can make up for some of the huge security
        failings in Windows and IE..


        At least Google is actually making some progress.
        Not going backwards in security (like MS did with Windows 7: http://google.com/search?q=7+UAC+injection)
        AzuMao
  • Sad to Say

    Google trustingly turned their back to China and got bitten on the backside. Several people may have lost their freedom and possibly their lives. No one in the Google management arena understood what China's government is capable of, these are still the old timers wedded to ultimate power and ultimate control. Just because they have McDonalds and Coca-Cola there does not mean they have fundamentally changed. Google should just excuse themselves and take their ball and bat home. China will not let them have a significant part of the market and having them there gives China the mask they want to show to the world.
    BobinAtlanta
    • So...

      So Google is now responsible for the behavior of the government of a communist country that's known for its Orwellian "big brother" attitude towards its population? This is their problem?

      I suppose Google is also responsible for the behavior of every single government in every single country on this planet as well while they're at it? Or perhaps the powers that be in Google ought to be sent to prison because some idiot used Google search to find out ways to make a pipe bomb which they used to blow somebody up?

      Sure the above paragraph sounds absolutely ridiculous but so do these comments blaming Google for the trouble in China or anywhere else for that matter. You notice that no one said a damn thing before Google announced this? No one was banging their drum and shouting then were they?
      bandersnatch42vt
  • Gmail has no security and privacy!

    True for all web mails such as Hotmail, Yahoo, etc. Google employees, hackers, government spy agencies can read your mail. DON'T USE THEM!
    whitenight2010
    • doh!

      All un-encrypted information passing through the Internet (ie, email, web pages, etc.) is accessible by any individual or group having sufficient funding and desire; that's no secret, is it?

      And standard security protocols normally used (ie, HTTPS - the little 'padlock') are pretty standard so the usual groups interested in this sort of thing (ie, NSA, CIA, KGB, etc.) can monitor if they're really motivated.

      Finally, if one really needs to exchange über-secret information, like those love notes to M at MI6, one needs to utilize a third-party encryption tool at both ends of the communications chain.

      Personally I wouldn't worry, whitenight2010, I doubt any of the parties named in or about this article are interested in your communications. They never seem too interested in my ramblings either. :-))
      ttocsmij
      • You can have security between server and client but...

        Well just a second here. Let's define 'security'...

        All HTTPS (and browser sessions enabled with SSL) does is encrypt the transmission of data between the two edge points. Certainly this makes it difficult to decode what's inside the packets between those two points.

        But all a user is really doing is encrypting and downloading whatever the user is accessing. If it's a nasty and infected Adobe PDF file, you are still going to get a nasty surprise with an unpatched client.

        As for Google's policies and protection of your Data on its servers, that's a different equation and set of problems.
        doug.hanchard@...
        • The equation is simple;

          the government tell you to do something, you do it
          or disappear. This applies to all companies in the
          U.S.; the only way Google could get around it
          would be to go to another country.
          AzuMao
    • You do know..

      ..that this applies to mail services from your ISP
      as well, right? If a company is based in the U.S.,
      and the U.S. government demand access to your
      personal info, they have no choice but to obey.
      It's called freedom to use force against civilians
      based on a hunch. If you don't like it go to
      another country. It's not Google's or any other
      web mail provider's fault.
      AzuMao
    • Guess you do not use email ????

      Where do you think your unread mail is kept, and how do you think it gets to your mail server ???
      mrlinux
      • What do you mean "how does he think"?

        He doesn't. Windows does it for him. It tells him
        that everything is perfectly safe as long as it
        has a little sticker on it that says Microsoft.
        That the mail just magically appears there, and
        that Google is inferior for not having magic
        technology.
        AzuMao
  • Shouldn't Google have ALREADY

    Had this in place? Really, I think that ALL connections from ANY server to your PC should be encrypted, even on non-banking and non-e-mail websites.

    It's just another way to prevent idiots from hacking into your computer or seeing what you are doing.
    Lerianis10
    • Google has supported https for GMAIL...

      since Gmail was invite only, all you had to do was
      put this URL into the browser: https://mail.google.com.
      mrlinux