
A more secure Gmail

Not many people know it, but users of Google's well-known free mail service face some potential security problems every time they use it. The biggest problem is that the “Stay signed in” checkbox is ticked by default.

Fig. 1: "Stay signed in" is a potential security risk.


No wonder: this makes life very easy for the regular user, because it implements the concept of “Single Sign On”. You log in once and then never again, for all Google services and websites (Adwords, Analytics, Picasa, etc.). But this convenience feature comes with a drawback: if you enable it on a public computer once, anybody will be able to access your account even after you have left. The option stores persistent cookies on that computer, which let the browser access the services without any further login, at any later point in time.

Don’t “stay signed in” if you’re on a public computer

The other potential security problem is that, by default, the Gmail service works over an unencrypted HTTP connection. Only the password is sent over HTTPS; the rest of the communication is then sent in the clear. Again, this is done for the same convenience as before: the user downloads the static part of the web client once and then never again (except when Google updates the web software).

You may not know it, but if you are on a public WiFi network and read your Gmail over an unencrypted connection, the data travels in plain text, theoretically allowing anybody on that network to intercept your communication. With an encrypted connection, nobody listening in can see what you are writing. The drawback of encrypting everything is a small decrease in speed, but that disadvantage cannot be compared with the huge security benefit it brings.
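The two risks above are visible in the cookie attributes a site sends: a long-lived cookie outlives the browser session on a public computer, and a cookie without the Secure attribute is also sent over plain HTTP. The following audit script is an added example, not part of the original post; the Set-Cookie lines and cookie names in it are constructed for illustration and do not describe Google's actual cookies.

```python
"""Flag persistent and non-Secure cookies in Set-Cookie headers (added example)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample headers (hypothetical cookie names): one long-lived
# "stay signed in" style cookie without Secure, one Secure session cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: LOGIN_TOKEN=abc123; Path=/; Expires=Wed, 21 Oct 2030 07:28:00 GMT; HttpOnly",
    "Set-Cookie: SESSION=xyz789; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flags map to True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(cookie: dict, now: datetime) -> list:
    """Return the risks this cookie carries on a shared computer / open WiFi."""
    attrs, risks = cookie["attrs"], []
    # Persistent cookie: survives closing the browser, so the next user of a
    # public computer inherits the login.
    if "max-age" in attrs:
        if timedelta(seconds=int(attrs["max-age"])) > timedelta(0):
            risks.append(f"persistent (Max-Age={attrs['max-age']}s)")
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires > now:
            risks.append(f"persistent (expires {expires.date()})")
    # Without Secure the browser also sends the cookie over plain HTTP,
    # where anyone on the same network can read it.
    if "secure" not in attrs:
        risks.append("sent over plain HTTP (no Secure attribute)")
    return risks


def audit_headers(headers: list, now: Optional[datetime] = None) -> dict:
    """Map each cookie name to its list of risks (empty list = no finding)."""
    now = now or datetime.now(timezone.utc)
    return {c["name"]: audit_cookie(c, now) for c in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for name, risks in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(risks) or 'session-only and Secure'}")
```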

To configure Gmail to always use HTTPS, log in to Gmail, go to Settings, General, and at the bottom of the page find the “Browser connection” options. Select “Always use https” and don’t forget to click “Save changes”.

Fig. 2: Set the default to use https to secure your connection to Gmail.


Google is currently planning a trial program to ask “customers” whether they notice any difference between the non-secure and secure modes of Gmail. If the results are encouraging, the secure connection will be enabled by default for all users.

If you use Gmail not through the web interface but via IMAP/POP3, you must always select the secure versions of these protocols.

Sorin Mustaca
Manager International Software Development