Gmail goes HTTPS-only, inside and out!

In a move that will no doubt upset the NSA, Google has announced that it has strengthened security for its many millions of Gmail users.

Computer users have been advised many times to use encrypted HTTPS connections when accessing their online accounts, particularly if using public WiFi hotspots, and back in 2010 Google enabled HTTPS by default for Gmail accounts.

That means no-one can snoop on your messages as they travel through the air, and down wires, between your computer and Google’s servers. Nice one.

Well, now Google has gone one better than even HTTPS by default. Now you cannot turn off HTTPS. It’s always on, all of the time. Which means better security for all of us.

But there’s more.

Remember how last year it was revealed that the NSA was intercepting private communications and hoovering up information as it travelled between Google’s data centers? This wasn’t on the public internet, this was your data moving inside Google.

By tapping into fibre-optic cables connecting the server farms owned by the likes of Google and Yahoo, the NSA was able to see information as it was sent between them. And, alarmingly, found it easy to intercept the unencrypted information mid-transit.

Here was how the NSA depicted the secret interception in a helpful Post-It note, complete with smiley face, that got leaked by whistleblower Edward Snowden.

[Image: Google cloud exploitation]

In short, millions of data records were being gathered each day from Yahoo and Google’s internal networks and sent to the NSA’s headquarters.

Well, now Google says it has addressed that issue – ensuring that all messages are encrypted when moving internally as well:

“In addition, every single email message you send or receive – 100% of them – is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centers—something we made a top priority after last summer’s revelations.”

Will it be enough to stop the NSA and others intent on spying on private communications as they travel between Gmail users?

Let’s hope so.

Although one has to fear that it may take years for us to know for sure, depending on when the next whistleblower decides to reveal what’s been going on in the name of law enforcement and national security.

If you are concerned about people snooping on your email – whether it be the NSA or malicious hackers – maybe it’s about time you considered securely encrypting your messages?

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Gmail goes HTTPS-only, inside and out!”

  1. Arkadeep Kundu

    How can Google be protected by only re-enforcing HTTPS?

    NSA can compromise the RSA algorithm itself.
    In that case, how does encryption help?

    1. Phil · in reply to Arkadeep Kundu

      I seem to remember reading that they were going to implement Perfect Forward Secrecy internally, which makes large scale key cracking rather tougher.
