Friday, September 28, 2007

Using SSL/HTTPS for Gmail and Google Apps

Today, I was thinking about Google Apps and wondering whether it used SSL to encrypt email. Now the Gmail POP/SMTP facilities use encryption for any data transferred between the mail client and Google’s mail servers, so I would have thought it natural that SSL was used to encrypt any email sent via the web interface as well. As it turns out though, that isn’t the case; firing up my trusty copy of Fiddler, I sent an email to myself using the Google Apps web interface and monitored the resulting HTTP exchange. This is the result (this is the POST request transcript - the relevant bits are in bold).

The same applies to Gmail itself. I know for most people this is a non-issue, as email is generally insecure (it gets transmitted unencrypted from mail server to mail server). I was thinking about local malicious users or sysadmins viewing the email I am sending or receiving. There are quite a few cases I can think of where I’d like to know local sysadmins can’t read my mail: a public internet cafe (in China for example, or another country where free speech is not a given), a corporate VPN, a non-encrypted (or WEP-encrypted) WiFi hotspot, etc.

With Gmail, the solution is to access Gmail via https://mail.google.com rather than http://mail.google.com. In this case, a secure session is maintained throughout and all communication between Gmail and the browser is encrypted.

With Google Apps, the solution is to log in using a URL like this:


However, I couldn’t get https://mail.mydomain.com to forward to the above, which is a shame as it’s my main gateway to Google Apps (and others’ too I suspect - and therefore possibly a minor security issue for sysadmins administering domains using Google Apps…).
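The two checks described above (does the session stay on HTTPS from the first request onwards, and what exactly is visible in a plaintext POST such as the one captured with Fiddler) can be scripted against a recorded exchange. The following is an added Python example, not code from the original post; the redirect chains, the host names other than mail.google.com, and the POST transcript with its form field names are all constructed to illustrate the check, not real Gmail or Google Apps captures.

```python
"""Audit a recorded webmail session for plaintext (http) hops.

Added example, not part of the original post. Input is the kind of
redirect chain one would record from Fiddler or a browser's network
tab: a list of (request_url, status_code, location_header) tuples.
All sample data below is constructed.
"""
from urllib.parse import parse_qs, urlparse

# Constructed redirect chains (not real captures). Each hop is
# (url requested, HTTP status returned, Location header or None).
SAMPLE_CHAINS = {
    # Logging in directly over https: every hop is encrypted.
    "gmail_https": [
        ("https://mail.google.com/", 200, None),
    ],
    # Plain http entry point that never upgrades to https.
    "gmail_http": [
        ("http://mail.google.com/", 302, "http://mail.google.com/mail/"),
        ("http://mail.google.com/mail/", 200, None),
    ],
    # Custom-domain gateway that downgrades to http on the redirect
    # (hypothetical host and path, constructed for this example).
    "custom_domain": [
        ("https://mail.mydomain.com/", 302,
         "http://mail.google.com/a/mydomain.com/"),
        ("http://mail.google.com/a/mydomain.com/", 200, None),
    ],
}

# Constructed POST transcript in the style of a Fiddler capture.
# Field names (to, subject, body) are invented for the example.
SAMPLE_POST = (
    "POST /a/mydomain.com/?view=sm HTTP/1.1\n"
    "Host: mail.google.com\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "Content-Length: 54\n"
    "\n"
    "to=me%40mydomain.com&subject=hello&body=secret+message"
)


def plaintext_hops(chain):
    """Return every requested URL in the chain that is not https."""
    return [url for url, _, _ in chain if urlparse(url).scheme != "https"]


def session_is_encrypted(chain):
    """True only if every hop, including the very first, used https."""
    return not plaintext_hops(chain)


def downgrade_hops(chain):
    """Return (from_url, to_url) pairs where an https hop redirected
    the browser to a non-https location."""
    downgrades = []
    for url, status, location in chain:
        if status in (301, 302, 303, 307, 308) and location:
            if urlparse(url).scheme == "https" and \
                    urlparse(location).scheme != "https":
                downgrades.append((url, location))
    return downgrades


def exposed_fields(raw_request, scheme):
    """Form fields an on-path observer could read from this request.

    Returns {} when the request travelled over https; otherwise the
    decoded form body, i.e. exactly what was sent in the clear."""
    if scheme == "https":
        return {}
    # Split headers from body on the first blank line.
    _, _, body = raw_request.partition("\n\n")
    return {k: v[0] for k, v in parse_qs(body).items()}


def audit(name, chain):
    """Summarise one recorded chain as a small report dict."""
    return {
        "name": name,
        "encrypted": session_is_encrypted(chain),
        "plaintext_hops": plaintext_hops(chain),
        "downgrades": downgrade_hops(chain),
    }


if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(audit(name, chain))
    print("fields visible on http:", exposed_fields(SAMPLE_POST, "http"))
```

The useful output is the downgrade list: a chain that starts on https but is bounced to an http location is the case the post describes for the custom-domain gateway, and it is easy to miss because the first URL typed into the browser looks secure.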

posted by Nick at 3:50 pm - filed in Uncategorized  

1 Comment »

  1. [...] Using SSL/HTTPS for Gmail and Google Apps. [...]

    Pingback by LlamaLabs » Archive » Notes on Google Apps Premier — August 12, 2008 @ 7:45 pm
