A group of some of the top names in the security community has sent a letter asking Google to make users of its online applications use secure connections by default. Google responded quickly, saying it is investigating the possibility of enabling HTTPS connections by default for users of Gmail, Google Calendar and other applications.
In a letter sent Tuesday to Google CEO Eric Schmidt, a group of 37 security researchers, executives and academics asked the company “to increase users’ security and privacy protection by enabling by default transport-level encryption (HTTPS) for Google Mail, Docs and Calendar…” Google enables this option by default on some of its other technologies, including Google Voice and Google Health.
The letter, signed by Steve Bellovin, Bruce Schneier, Ron Rivest, Jon Callas, Jeff Moss, Robert Hansen, Eugene Spafford and others, says Google’s existing security options are not good enough and expose users to unnecessary risks.
“People who use multiple Google services are at particular risk – and Google does not offer them a way to protect themselves adequately. The ‘always use https’ preference in Gmail helps Gmail users (at least those who locate it) safeguard their information. However, this preference only applies to Gmail sessions. When those users log in to Docs and Calendar, their information again flows over the public Internet without the protection offered by HTTPS encryption,” the letter says.
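The gap the letter describes is easier to see when the two policies sit side by side in code. The block below is an added example written for this article; it is not Google's implementation and not part of the letter. It models the opt-in policy (encrypt only on hosts where the user ticked a per-service preference) next to a default-on policy (every plaintext request is redirected to HTTPS and the session cookie is marked Secure) as a small WSGI middleware, then drives both with constructed requests to three stand-in hosts. The hostnames, the cookie name and the `ForceHTTPS` class are assumptions made for the example.

```python
from urllib.parse import urlunsplit

# Constructed sample: three hosts standing in for Mail, Docs and Calendar.
SERVICE_HOSTS = ("mail.example.com", "docs.example.com", "calendar.example.com")


def is_https(environ):
    """True when the request arrived over TLS (WSGI reports it as the URL scheme)."""
    return environ.get("wsgi.url_scheme") == "https"


def https_url(environ):
    """Same URL with the https scheme, for the redirect Location header."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                       environ.get("QUERY_STRING", ""), ""))


class ForceHTTPS:
    """Hypothetical WSGI middleware deciding, per request, whether TLS is required.

    default_on=False with an opted_in set models the per-service preference the
    letter criticises; default_on=True models transport encryption by default.
    """

    def __init__(self, app, default_on=True, opted_in=()):
        self.app = app
        self.default_on = default_on
        self.opted_in = frozenset(opted_in)  # hosts where the user chose 'always use https'

    def wants_https(self, environ):
        return self.default_on or environ.get("HTTP_HOST", "") in self.opted_in

    def __call__(self, environ, start_response):
        if self.wants_https(environ) and not is_https(environ):
            # Plaintext request to a protected host: do not serve the page, redirect.
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ))])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                # Mark the session cookie Secure so the browser will not replay it
                # over a later plaintext request to the same host.
                if (name.lower() == "set-cookie" and self.wants_https(environ)
                        and "secure" not in value.lower()):
                    value += "; Secure"
                fixed.append((name, value))
            return start_response(status, fixed, exc_info)

        return self.app(environ, secure_start_response)


def session_app(environ, start_response):
    """Stand-in application: logs the user in and issues a session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "SID=abc123; Path=/; HttpOnly")])
    return [b"logged in"]


def simulate(app, host, scheme="http", path="/login"):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"wsgi.url_scheme": scheme, "HTTP_HOST": host,
                         "PATH_INFO": path, "QUERY_STRING": "",
                         "SERVER_NAME": host, "REQUEST_METHOD": "GET"},
                        start_response))
    return captured["status"], dict(captured["headers"]), body


def plaintext_session_hosts(app, hosts=SERVICE_HOSTS):
    """Hosts that would hand a session cookie to the browser over plaintext HTTP."""
    exposed = []
    for host in hosts:
        status, headers, _ = simulate(app, host, scheme="http")
        cookie = headers.get("Set-Cookie", "")
        if status.startswith("200") and cookie and "secure" not in cookie.lower():
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    opt_in = ForceHTTPS(session_app, default_on=False, opted_in={"mail.example.com"})
    default = ForceHTTPS(session_app, default_on=True)
    print("opt-in policy exposes:", plaintext_session_hosts(opt_in))
    print("default-on policy exposes:", plaintext_session_hosts(default))
```

Under the opt-in policy only the mail host redirects; the other two still complete a login over plaintext and issue a cookie without the Secure attribute, which is the situation the letter describes. With the default-on policy no host does. A real deployment behind a TLS terminator would also have to trust a forwarded-scheme header from that terminator rather than `wsgi.url_scheme` alone.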
In a response to the letter posted on Google’s Online Security Blog, Alma Whitten says that Google is looking into whether enabling HTTPS connections by default is a viable choice. The technology is already there; the open question is whether it will have an adverse effect on users’ experience with Google’s services, Whitten says.
“We know HTTPS is a good experience for many power users who’ve already turned it on as their default setting. And in this case, the additional cost of offering HTTPS isn’t holding us back. But we want to more completely understand the impact on people’s experience, analyze the data, and make sure there are no negative effects. Ideally we’d like this to be on by default for all connections, and we’re investigating the trade-offs, since there are some downsides to HTTPS — in some cases it makes certain actions slower,” she wrote.
“We’re planning a trial in which we’ll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their email. Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS?”