Today, I was thinking about Google Apps and wondering whether it used SSL to encrypt email. Now the Gmail POP/SMTP facilities use encryption for any data transferred between the mail client and Google’s mail servers, so I would have thought it natural that SSL was used to encrypt any email sent via the web interface as well. As it turns out, though, that isn’t the case: firing up my trusty copy of Fiddler, I sent an email to myself using the Google Apps web interface and monitored the resulting HTTP exchange. This is the result (the POST request transcript; the relevant bits are in bold).
The same applies to Gmail itself. I know for most people this is a non-issue, as email is generally insecure (it gets transmitted unencrypted from mail server to mail server). I was thinking about local malicious users or sysadmins viewing the email I am sending or receiving. There are quite a few cases I can think of where I’d like to know local sysadmins can’t read my mail: a public internet cafe (in China, for example, or another country where free speech is not a given), a corporate VPN, a non-encrypted (or WEP-encrypted) WiFi hotspot, etc…
With Gmail, the solution is to access Gmail via https://mail.google.com rather than http://mail.google.com. In this case, a secure session is maintained throughout and all communication between Gmail and the browser is encrypted.
With Google Apps, the solution is to log in using a URL like this:
However, I couldn’t get https://mail.mydomain.com to forward to the above, which is a shame as it’s my main gateway to Google Apps (and others’ too I suspect - and therefore possibly a minor security issue for sysadmins administering domains using Google Apps…).
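A small check for the forwarding problem just described, added here as an example and not code from the original post: given the reply a browser gets for a plain http:// request to a mail host, it reports whether the host upgrades the visitor to HTTPS before anything sensitive is sent, keeps them on plaintext, or serves the page directly over HTTP. The hostnames and responses in SAMPLE_RESPONSES are constructed, and probe() is a hypothetical helper that performs one live request for a real host; the classification itself runs offline.

```python
"""Does a mail host forward plain-HTTP visitors to HTTPS?

Added example, not code from the original post. The hosts and replies in
SAMPLE_RESPONSES are constructed; probe() is a hypothetical helper that
issues a single live GET and is not needed for the offline classification.
"""
import http.client
from urllib.parse import urlsplit


def classify_response(host, status, headers):
    """Classify the reply a browser receives for http://<host>/ .

    Returns one of:
      'upgraded'        - a 3xx redirect whose Location uses https://
      'stays-plaintext' - a redirect that keeps the visitor on http://
                          (absolute http:// URL or a scheme-relative path)
      'plaintext'       - a 2xx reply, i.e. content is served over plain HTTP
      'other'           - anything else (4xx, 5xx, redirect without Location)
    """
    # Header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        target = urlsplit(hdrs["location"])
        # A relative Location inherits the request scheme, which is http here.
        return "upgraded" if target.scheme == "https" else "stays-plaintext"
    if 200 <= status < 300:
        return "plaintext"
    return "other"


def has_hsts(headers):
    """True if the reply carries Strict-Transport-Security, so browsers will
    remember to use HTTPS for this host on later visits."""
    return any(k.lower() == "strict-transport-security" for k in headers)


# Constructed sample replies, keyed by the host the http:// request went to.
SAMPLE_RESPONSES = {
    # What the post wants mail.mydomain.com to do: hand over to the HTTPS login.
    "mail.mydomain.example": (
        302,
        {"Location": "https://mail.google.com/a/mydomain.example/"},
    ),
    # A webmail host that serves its login page straight over HTTP.
    "webmail.plain.example": (200, {"Content-Type": "text/html"}),
    # A redirect that never leaves plaintext.
    "www.plain.example": (301, {"Location": "http://webmail.plain.example/login"}),
}


def audit(samples=SAMPLE_RESPONSES):
    """Run the classifier over a dict of {host: (status, headers)}."""
    return {
        host: classify_response(host, status, headers)
        for host, (status, headers) in samples.items()
    }


def probe(host, timeout=5):
    """Hypothetical helper: one plain-HTTP GET to a real host, redirects not
    followed, so we see exactly what the first hop says."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return classify_response(host, resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:28s} {verdict}")
```

Only 'upgraded' means the browser is moved to HTTPS before the login form or any mail content crosses the wire; 'stays-plaintext' and 'plaintext' both describe the situation the post complains about, where a visitor who types the bare hostname ends up with an unencrypted session unless they remember to add https:// themselves.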