Enno asked me yesterday why Googlemail is using clear text HTTP by default – WTF?!
I didn’t want to believe him and tried it out myself – and yes – if you go to http://www.googlemail.com they use SSL only for the initial login and redirect back to clear text directly after that (and I am pretty sure this has changed since I used the web front end the last time…). That means all the XmlHttpRequest calls and everything else go in clear text over the wire. Why are you doing that, Google?? I heard you have so many machines – don’t you have some spare CPU cycles to protect your innocent users??
Clear text HTTP connections are easy to eavesdrop on (especially over wireless networks like those in hotels, airports or at conferences), and given the way googlemail works, someone could send “delete” or “send” requests and misuse your mailbox to send out offers for pharmacy, software and the like ;)
Interestingly, if you open the login page using SSL, they don’t redirect you back – so as an immediate solution, change your bookmarks to https… Apart from the annoying “do you want to display secure and non-secure items” dialog you get (which also says a lot about the design), this seems to work… tsts… Hall of shame!
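To check a login flow for the pattern described above, here is a small added audit (my own example, not anything from Google): it walks a recorded redirect chain and flags both an HTTPS-to-HTTP downgrade and session cookies set without the Secure attribute. The second check matters for the https-bookmark workaround: a cookie without Secure is still sent along with any plain-HTTP request to that domain, so the bookmark alone only protects you if the cookie is Secure. The hostnames, cookie names and status codes in the sample chain are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample chain (url requested, status returned, response headers):
# login happens over HTTPS, then the site redirects back to plain HTTP.
SAMPLE_HOPS = [
    ("http://mail.example.test/", 302,
     [("Location", "https://mail.example.test/login")]),
    ("https://mail.example.test/login", 302,
     [("Set-Cookie", "SID=constructed-session-id; Domain=.example.test; Path=/"),
      ("Location", "http://mail.example.test/mail/")]),
    ("http://mail.example.test/mail/", 200, []),
]


def parse_set_cookie(header):
    """Return (cookie name, has_secure_attribute) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, "secure" in attrs


def audit_hops(hops):
    """Flag HTTPS->HTTP redirects and non-Secure cookies in a redirect chain."""
    findings = []
    for url, status, headers in hops:
        scheme = urlsplit(url).scheme
        for name, value in headers:
            key = name.lower()
            # A 3xx answer to an HTTPS request that points at an http:// URL
            # sends the already-authenticated browser back to clear text.
            if key == "location" and 300 <= status < 400:
                if scheme == "https" and urlsplit(value).scheme == "http":
                    findings.append(f"downgrade: {url} redirects to {value}")
            # Without Secure, the session cookie rides along on every
            # clear-text request to the domain, whatever the user bookmarked.
            elif key == "set-cookie":
                cname, secure = parse_set_cookie(value)
                if not secure:
                    findings.append(f"insecure cookie: {cname} set at {url} lacks Secure")
    return findings


if __name__ == "__main__":
    for finding in audit_hops(SAMPLE_HOPS):
        print(finding)
```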