https://gmail.com

by Matthew Russell

Up until recently, I had always used GMail by typing http://gmail.com into my browser. At some point, however, I started asking myself questions about security and wondered if an https flavor was available. It turns out that it had been there all along and so began the era of more secure GMail for me.

Given that it's so darn easy to sniff packets these days with tools like Ethereal, I recommend you folks update your bookmarks and remember that last 's' as well. It's just plain silly not to.

44 Comments

Kirk
2007-01-05 18:45:54
FYI... this is available for lots of Google services such as the 'ig' homepage, calendar, etc...

2007-01-05 19:07:47
In some/many browsers, just type "gmail" and you'll end up at a https log in page, which takes you to http://mail.google.com, but if you change that page (your Gmail page) to https://mail.google.com etc. it still works. Not sure what that means.
Justin
2007-01-05 19:08:17
If you use firefox, you can use greasemonkey http-to-https redirector user script!
machineman
2007-01-05 19:52:49
encryption... tooo slooowwww.....


If you have sensitive data in your email, why on earth are you using a 3rd party web based system in the first place?

ptwobrussell
2007-01-05 20:01:00
@machineman: Personally, I just don't like giving folks the free opportunity to eavesdrop on me, my appointments, whereabouts, etc. -- whether it is *sensitive* data or not. Besides, there's a lot of non-sensitive data that a psycho-stalker type could put together into something more meaningful if they wanted, I'd think. Using https is a freebie, so why not take advantage of it?
ptwobrussell
2007-01-05 20:02:32
@Justin: A quick search turned up what you were referring to: http://diveintogreasemonkey.org/casestudy/gmailsecure.html
Andy Smith
2007-01-05 20:19:30
The Firefox CustomizeGoogle extension has an option to always use HTTPS, and a whole load of other cool features besides.


http://www.customizegoogle.com/

dsjkvf
2007-01-06 01:38:02
and don't forget that Google Notifier does not use encryption when connecting to Gmail / gCal
ptwobrussell
2007-01-06 06:13:16
@dsjkvf: Excellent catch. I didn't think of that. Is that documented somewhere?


I did a quick dump of the strings for the binary and here's what came up:



Goliath-2:/Applications/Google Notifier.app/Contents/MacOS matthew$ strings Google\ Notifier | grep http
https://www.google.com/tools/service/update
http://www.corp.google.com/~oster/Demos/notifier.txt
https://www.google.com/accounts/NewServiceAccount?service=cl
http://www.google.com/googlecalendar/tour.html
https://www.google.com/accounts/NewServiceAccount?service=mail
http://www.google.com/calendar/
http://mail.google.com/mail
http://mail.google.com/a
http://www.google.com/support/calendar
http:
https:
http://mail.google.com/support
httpGetMemo
https
http
httpFetcherWithRequest:
https://www.google.com/accounts
http://t/dacz
httpGetMemo_
httpGetMemo non nil


I may do some tinkering around and see if any of those strings can be edited to point to https:// destinations. I'll also send in a request to Google to provide an option for choosing SSL with Google Notifier.


@Andy Smith: Awesome. Thanks for that link.
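
One way to triage a strings dump like the one in the comment above, as an added example that is not part of the original thread: it groups the embedded URLs by host and scheme and lists hosts that appear only with http://. The sample input is a few lines copied from that dump; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# A few lines copied from the strings output in the comment above.
SAMPLE = """\
https://www.google.com/tools/service/update
http://www.google.com/calendar/
http://mail.google.com/mail
http://mail.google.com/a
http:
https:
httpGetMemo
httpFetcherWithRequest:
https://www.google.com/accounts
"""

# Only full URLs count: a scheme followed by "//" and at least one character.
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+")


def triage(strings_output):
    """Group embedded URLs by host and scheme.

    Returns {host: {"http": [paths], "https": [paths]}}. Bare scheme
    fragments ("http:") and method names ("httpGetMemo") are ignored
    because they carry no host.
    """
    hosts = {}
    for url in URL_RE.findall(strings_output):
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        entry = hosts.setdefault(parts.hostname, {"http": [], "https": []})
        entry[parts.scheme].append(parts.path or "/")
    return hosts


def cleartext_only_hosts(hosts):
    """Hosts for which the binary embeds http:// URLs but no https:// ones."""
    return sorted(h for h, e in hosts.items() if e["http"] and not e["https"])
```

A URL string inside a binary shows what the program can contact, not what it does contact, so a result here still needs confirming against observed connections, as the Little Snitch check later in this thread does.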

xmanoel
2007-01-06 08:49:58
Nice catch!!
I do not want to pretend I am smarter than the rest, but from the very beginning I noticed that GMail could be accessed both by standard HTTP and Secure HTTP. In fact that was one of the reasons that convinced me to move to GMail.


Additionally, the POP3 of GMail could also be accessed over SSL, so this makes GMail a great choice for people that have to use not fully trustable connections.

ptwobrussell
2007-01-06 11:10:20
@xmanoel: And I would even submit that any connection over http is never "trustable" since anyone with trivial knowledge could sniff and reconstruct the packets using freely available tools out there. When you're viewing a webpage, maybe it doesn't matter...but when communicating with a specific person about a specific topic, I'd always want https "just because".

2007-01-06 11:18:40
http://gmail.com/ and https://gmail.com/ both automatically redirect you to https://www.google.com/accounts/ServiceLogin?service=mail (etc etc)... The point is that even if you use http instead of https, you are always redirected to the same secure login page.
Richard
2007-01-06 12:10:06
@anonymous: yes, the login page is https, but if you hit gmail via http://gmail.com, you're http after you log in, whereas if you hit it via https, you're still https after you log in.
Mike
2007-01-07 04:56:58
Yes, I knew this. However, I usually use a mail client program with GMail -


http://mail.google.com/support/bin/topic.py?topic=1555


- again over SSL, and only go into the web interface periodically in order to clean out the "Sent" folder.

dippie
2007-01-07 16:41:03
Firefox's Gmail Notifier extension (here: https://addons.mozilla.org/firefox/173/) directs you via the secure site by default. I'm not sure if it does the email checks via the secure connection. But at least when you click on it to go to the site, you don't have to bother.
dsjkvf
2007-01-07 23:31:36
@ptwobrussell


thanks, that would be really nice, since their notifier is very handy :).


as for me, i've just inspected it with Little Snitch (http://www.obdev.at/products/littlesnitch/index.html), and blocking 80 port has caused Notifier to stop working (since it couldn't connect). that's why i've assumed that it does not use SSL.


however, looking forward to hearing from you (and Google) soon. and thanks once again for your help and interest :).

Andrei
2007-01-14 02:33:49
Yes
Richard Albury
2007-01-18 06:22:22
After getting warnings about "the security certificate presented by this website was issued for a different website's address", a search of Gmail's help forum yielded this URL:


https://mail.google.com/mail/s/

Adela Pisar
2007-01-20 19:19:44
Hello, this is a question rather than comment. I saw here you and others deal with gmail very knowledgeably and wonder if I may ask if you and/or others here know whether gmail accepts sending my messages to my list of about 250 names (or a little more) all at once? I tried Yahoo but my friends on my list don't like the idea of having to subscribe, etc. (I don't like them very much either!) I also burned my eyes on listservs' websites trying to find something I can use but I have difficulty understanding all those techi words, etc. If you know of a provider who won't charge an arm and a leg to do my so-called bulk emailing...would you be so very kind as to let me know? I'm just an individual doing charity work. Thanks ever so very much!!! Adela Pisar, nuevadela2@rcn.com
ptwobrussell
2007-01-20 20:24:15
@Adela: I haven't tried GMail to send to that many people, so I can say one way or the other....but what I will say is that you could get your own mail server from a hosting company for a negligible fee these days. A quick Google search for "email hosting" showed many vendors who will hook you up for ~$5/month.
Matt A
2007-01-30 18:27:10
I contacted the author of the Google Notifier for Mac and asked him about using an SSL connection instead of the usual http used by default. His answer was simple, just set SecureAlways to: 1.

I just switched to Mac, so forgive me if that's not the proper way of setting up the preferences.
Edit your GoogleNotifier file: Library/Preferences/com.google.GmailNotifier.plist
Add a New Sibling called SecureAlways, setup as Boolean and with a value of 1.


I verified with Little Snitch and everything worked fine. Two things you need to know though: the calendar notifier uses port 80 and the link to your inbox is still using http.


But, well, you can now check on your inbox using SSL.


Matt
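
The preference change described in the comment above, as an added example that is not part of the original comment and is not Google's own code: it sets SecureAlways to a boolean true in the plist, leaves the other keys alone, and keeps the file's binary or XML format. The key name and file name come from the comment; resolving the path under the user's home directory and the function names are assumptions.

```python
import os
import plistlib
import tempfile

# File and key as given in the comment above; the home-directory prefix
# is an assumption.
PLIST = os.path.expanduser("~/Library/Preferences/com.google.GmailNotifier.plist")
KEY = "SecureAlways"


def enable_secure_always(path=PLIST):
    """Set SecureAlways to boolean true, keeping every other preference.

    Returns True if the file was changed, False if it was already set.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    # Preference files may be binary or XML; write back in the same format.
    fmt = plistlib.FMT_BINARY if raw.startswith(b"bplist00") else plistlib.FMT_XML
    prefs = plistlib.loads(raw)
    if prefs.get(KEY) is True:
        return False
    prefs[KEY] = True  # stored as a real boolean, not the string "1"
    # Write to a temp file in the same directory, then rename over the
    # original, so a failure cannot leave a half-written preference file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as fh:
            plistlib.dump(prefs, fh, fmt=fmt)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def is_secure_always(path=PLIST):
    """Report whether the key is present and set (boolean true, 1, or "1")."""
    with open(path, "rb") as fh:
        value = plistlib.load(fh).get(KEY)
    return value in (True, 1, "1")
```

The setting only says what the Notifier was asked to do; checking the actual connections, as the commenters do with Little Snitch, is what shows whether port 80 is still in use.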

ann
2007-02-12 22:50:15
its a nice thing to use
guns
2007-02-13 20:13:36
The tip by Matt about adding a 'SecureAlways' string to the plist file works solidly. For me and my girlfriend, the link to the gmail inbox is also over ssl (blocking port 80 on my router confirms this). I've been getting leery of using gmail notifier recently, so this comes as a relief, because the interface is simple and slick.


The developers are likely holding off on this option as a preference because of the increased overhead of the https protocol. I'm sure the bandwidth adds up pretty quickly for a site like google.

spdd
2007-03-14 19:21:36
html:/groupt gmail@yahoo.com/
hile/pp.spdd@aol.com/"yellow"/bllu carch 1260p
code:/machelen "USA" COIOUGGIERO@bOSTLK US.COM
robert
2007-03-15 08:31:08
I can't connect gmail to mail. Can you tell me what i need to do to get a connection?
Highplace
2007-04-03 08:30:23
TOP TIP


Pull down the Notifier menu (either Calendar or Gmail), hold down Command and Option, and click Preferences on the menu. You'll see a hidden settings editor. Enter 'SecureAlways' in the Key field (upper and lower case must be entered as shown) and 1 in the Value field, then click Set. Quit Notifier and start it up again. From now on all connections with both Gmail & Gcal will be https. Enjah

imparare
2007-04-15 01:12:23
Interesting comments.. :D
Summer Anderbery
2007-05-28 14:44:27
I believe this one applies "Unless each man produces more than he receives, increases his output, there will be less for him than all the others", doesn't it?
Estefani Ragne
2007-06-14 02:06:47
This one makes sense "One's first step in wisdom is to question everything - and one's last is to come to terms with everything."
MANJUNATH
2007-07-03 08:38:32
How to access my Gmail account without using the Gmail website? Because it is blocked in my office.
nicholaspaul
2007-07-09 10:36:29
MANJUNATH: The other way to check Gmail is to configure your email client to retrieve it.
When checking mail in a browser that will actually let you, go to Settings, click on the Forwarding and POP tab, then the Configuration Settings link will give you instructions on setting up your email client. Just make sure that POP is enabled.
nicholaspaul
2007-07-09 10:48:59
Another thing - I found that the tip for making the Notifier secure (using SecureAlways) only works with the Google Notifier, not the Gmail notifier.
Kt
2007-10-15 10:09:35
HELP - I changed my password at night - forgot it in the morning! Don't know how I managed that only to say that my short term memory must be going (quicker than I thought.) Does ANYONE have a clue how I can get back into my gmail account without a password? I have tried EVERYTHING - I need a hacker. Never thought I'd promote this concept but here I am. Can anyone help me?
bhaskar
2007-11-24 01:10:04
his good
not bad
Waliman
2007-12-13 21:08:31
Sis Lis, what are you up to? Did this email arrive or not?
Puneet
2007-12-28 00:11:03
How does Gmail SSL login work???
Britta
2008-01-10 07:16:04
I recently downloaded the GMail application on my cell phone... any issues with security there I should be aware of?


Thanks for the tips on the https://mail.google.com, I just heard about it from a friend last night.

KyiKyi May
2008-02-05 00:17:40
Hello.
I would like to contact with my friend using this mail.
sandra sword
2008-02-18 10:23:56
I got gmail and then deleted it because of all the "junk" mail. still getting like 25 a day. I want it to stop , NOW.
sandra_sword1@verizon.net
systeman24
2008-03-01 11:01:17
systeman24@gmail.org
abdul
2008-03-12 08:44:21
Plz Send Me your Web Pictures And Vidio Plzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
marilyn berkey
2008-04-18 09:29:41
just hoped to find another way to get into my account. Have tried several attempts and think my computer is stuffed full of spam. Not sure what to do.
Salvador C. Garza
2008-05-21 20:21:42
I cannot access my account. A message appears: "The name of the user and the "contrasenia" do not coincide"
Assadullah
2008-07-10 05:06:57
I would like to join the gmail.com staff in Afghanistan