I can read your Googlemail

Enno asked me yesterday why Googlemail is using clear text HTTP by default – WTF?!

I didn’t want to believe him and tried it out myself – and yes – if you go to http://www.googlemail.com they use SSL only for the initial login and redirect you back to clear text directly after that (and I am pretty sure this has changed since the last time I used the web front end…). That means all the XmlHttpRequest calls and everything else go in clear text over the wire. Why are you doing that, Google?? I heard you have so many machines – don’t you have some spare CPU cycles to protect your innocent users??

Clear text HTTP connections are easy to eavesdrop on (especially over wireless networks like those in hotels, airports or at conferences), and given the way Googlemail works, someone on the same network could forge “delete” or “send” requests and misuse your mailbox to send out offers for pharmacy, software and the like ;)

Interestingly, if you open the login page using SSL they don’t redirect you back – so as an immediate workaround, change your bookmarks to https… Apart from the annoying “do you want to display secure and non-secure items” dialog you then get (which also says a lot about the design), this seems to work… tsts… Hall of shame!
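The two defects the post describes (an HTTPS login that redirects back to plain HTTP, and a session cookie that is then sent in clear text) can be checked mechanically from the redirect chain. The following is an added example, not code from the post or from Google: it audits a constructed, simplified chain with hypothetical `.invalid` hostnames and flags the downgrade and any cookie set over HTTPS without the `Secure` attribute.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the behaviour described in the post:
# the login response over HTTPS sets cookies, then redirects to plain HTTP.
# Hostnames and cookie values are placeholders, not real identifiers.
SAMPLE_CHAIN = [
    {
        "url": "https://www.example-mail.invalid/accounts/login",
        "status": 302,
        "headers": {
            "Location": "http://mail.example-mail.invalid/mail/",
            "Set-Cookie": [
                "SID=CONSTRUCTED_SESSION_ID; Domain=.example-mail.invalid; Path=/",
                "LSID=CONSTRUCTED_LOGIN_ID; Path=/accounts; Secure; HttpOnly",
            ],
        },
    },
    {"url": "http://mail.example-mail.invalid/mail/", "status": 200,
     "headers": {"Set-Cookie": []}},
]


def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, flags


def audit_chain(chain):
    """Walk a redirect chain and report TLS downgrades and cookies that
    were issued over HTTPS but lack Secure, so a browser would also send
    them over the clear-text hops that follow."""
    findings = []
    for hop in chain:
        scheme = urlsplit(hop["url"]).scheme
        location = hop["headers"].get("Location")
        if scheme == "https" and location and urlsplit(location).scheme == "http":
            findings.append(f"downgrade: {hop['url']} -> {location}")
        for raw in hop["headers"].get("Set-Cookie", []):
            name, flags = cookie_attrs(raw)
            if scheme == "https" and "secure" not in flags:
                findings.append(f"insecure cookie: {name} set over HTTPS without Secure")
    return findings


if __name__ == "__main__":
    for line in audit_chain(SAMPLE_CHAIN):
        print(line)
```

Running it against a live chain means capturing each hop's URL and headers first (for example with a non-following HTTP client); the audit itself never contacts the server.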
