August 1, 2008 12:01 AM PDT

Keep your Gmail transmissions secure

by Dennis O'Reilly

When I mentioned in a post last week that I forward select messages from my office Microsoft Exchange account to Gmail, several people claimed that this puts the company's data at risk.

I failed to point out that the information in the messages was not at all sensitive: no invoices, strategic plans, credit-card numbers, customer records, etc.

But what if I had needed to access private information from this account on a system other than Outlook? Assuming that no company can be trusted, how could I use Gmail without worrying about security?

One part of the problem was addressed when Gmail began supporting HTTPS connections. Well, Google claims that Gmail has always supported HTTPS, but you had to add the "s" to the URL prefix manually to access the encrypted version of the service, and log in at "https://mail.google.com," not "https://www.gmail.com." (Note that Google Calendar also supports HTTPS.)

Now Gmail lets you encrypt all your connections to the service via a simple settings change. To secure your e-mail transmissions, click Settings in the top-right corner of the main Gmail page, scroll down to "Browser connection" at the bottom of the window, select "Always use https," and click Save Changes. The next time you open your Gmail in-box, the transmissions will be encrypted.

The "Browser connection" section of Gmail's Settings dialog

Make all your Gmail connections encrypted by choosing "Always use https" in Gmail's Settings dialog.

(Credit: Google)

The Gmail Help Center states that encrypting connections may slow down your page loads, but this is a small price to pay to secure your e-mail link, especially when you're computing in the great outdoors, whether using your own laptop or a public PC.

But does this truly secure your data? There are several Firefox add-ons that encrypt messages and attachments sent and received via Gmail. One of these is Gmail S/MIME by Richard Jones and Sean Leonard. Gina Trapani's Better Gmail includes encryption among many other useful Gmail enhancements.

Even these measures won't be sufficient to convince some people to trust Gmail specifically or Google generally. Nearly all of my remote connections to the office servers are made over a VPN link. When in doubt--even a little bit of doubt--encrypt.

Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.
by fuzzyBSc August 1, 2008 1:16 AM PDT
Your email isn't really secure unless you encrypt it at the source using a Public Key Infrastructure or similar. SMTP itself is generally cleartext. Your secure network sends email over a possibly-encrypted link to a server that is hopefully either a google server or a server at your ISP. It may forward it on, etc. Encrypting your access to your mailbox doesn't help if someone has already intercepted your mail before it reached the mailbox as it passed from server to server.

The potential security problem doesn't end when the mail arrives at google's servers. Anything you can access through the gmail web interface (http or https) is likely also to be accessible to a subset of google's staff. Hopefully they are all good people, but how do you go about rating the risk of a bad apple?
by restoration85 August 1, 2008 1:27 AM PDT
Quote: "Anything you can access through the gmail web interface (http or https) is likely also to be accessible to a subset of google's staff. Hopefully they are all good people, but how do you go about rating the risk of a bad apple?"

Along that same kind of fear is the ability for a small group of network admins in a large company having access to workers' email. Often admins of a HRIS also have access to email. At some point individuals must trust that others are doing their job and accept the possibility of some privacy invasion.
by toddmw August 1, 2008 6:26 AM PDT
Strangely, when you use Google Apps for your domain, you don't get the option.
by shirgall August 1, 2008 7:12 AM PDT
Because you get https by default. You'd only need this option to disable it.