June 18, 2009 | By Richard Esguerra

Google Considering More HTTPS, Other Services to Follow?

Earlier this week, privacy and security researchers urged Google to improve the security of Gmail, Google Docs, and Google Calendar by enabling the more secure HTTPS encryption by default. As it stands, all users currently log in to Google services over HTTPS. However, most conduct the remaining bulk of their online business with Google -- reading and sending email, editing spreadsheets, and recording appointments -- over HTTP, an unsecure method that gives unfettered access to attackers interested looking at your communications.

Google responded promptly to the letter, saying in a blog post that they are planning tests to investigate the performance trade-offs involved with always-on HTTPS for Gmail, and that the additional cost of processing HTTPS connections would not keep them from implementing it across the board. EFF would like to applaud Google's efforts to offer better privacy defaults to its Gmail users, and we also urge them to prioritize these trials in order to expedite the widespread public implementation of always-on HTTPS. Users should come to expect HTTPS from far more online communication services -- from webmail, to social networking, and even web search. With constant improvements in technology and decreasing computing costs, every provider ought to accelerate efforts to support HTTPS for a wider variety of online communication.

In Surveillance Self-Defense, EFF encourages webmail users to always use HTTPS, whether through browser plugins like CustomizeGoogle for Gmail, or by activating an "always use https" setting, if available. But research has shown that many users don't change the default settings given to them in an application or service. A paper on group calendar software reported that around 80% of the users maintained the default access settings for their calendar -- whether the default was extremely permissive or more privacy protective. For something as important as the security of private email communications, it's clear that encryption should be the default. Users should have strong protection right out of the starting gate for webmail and other online applications.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

You might need a drink after reading about August's Stupid Patent of the Month attacking the Internet of Things: https://eff.org/r.bpl9

Aug 31 @ 12:42pm

New story from the @ap: People are filming the cops more often. They're also getting arrested for it more often. https://eff.org/r.6ig

Aug 31 @ 12:29pm

Excessive copyright terms led to an orphan works crisis. @USTradeRep, don't let the TPP undermine critical fixes. https://eff.org/r.updq

Aug 31 @ 11:44am
JavaScript license information