Why You Should Encrypt *All* of Your Google Activities [POC]

By Daniel Miessler on August 9th, 2007: Tagged as Encryption | Google | Privacy | Security

google

Everyone loves Google. They want to be everything to everyone, and they’re getting pretty damn good at it. Once you start using their services it gets easier and easier to migrate more of your life to them. But there’s a slight problem.

Google, like most other similar services, encrypts login traffic but not your content. So the moment you’re signed in they switch to plain-text communications and send everything to you in the open.

This means your mail, the news sources you read, your calendar events — are all able to be read by someone with access to any part of the network between you and Google. This could be your employer at work, the wireless network at your local coffee shop, whatever. This isn’t good.

Here’s an email I just sent myself over the default (unencrypted) connection:

googleemail
And here’s what I captured via tcpdump.

googlesubject
thisisasecret
That’s the whole email there for anyone to see. Luckily it’s easy to fix…

  1. Use Bookmarks for Your Google Services Create bookmarks (or modify them if you already have them) for Gmail, Google Calendar, Google Reader, and iGoogle (your Google homepage) using https instead of http, like so: https://mail.google.com/mail/. Do this for every service that you use at Google.
  2. Don’t Click on Links Within Google to Take You to Your Services If you use their links Google will often take you to the unencrypted version because it’s easier on their servers. Use your links instead to ensure that your sessions are encrypted

The more we depend on Google (or any other monolithic service) the more we need to safeguard the information they have of ours. One way we can help is by demanding (via secure bookmarks and other methods) that they send us our mail, news feeds, calendars, and other information over a secure connection.:

[ Note: This is not a Google-specific problem. Most other services work in exactly the same way. The difference is that Google is so prolific and is becoming very successfully at getting people to use not only their email service but also their calendaring, news reader, instant messaging, their search (with history), etc. It's the all-in-one dynamic that makes it especially important to protect Google traffic. ]

Older Comments
  • http://googlonymous.com/ Fred Durst

    http://googlonymous.com/

    Google Anonymously..

  • http://googlonymous.com/ Fred Durst

    http://googlonymous.com/

    Google Anonymously..

  • Pingback: Security and hacks around the net. « info-ninja

  • http://www.spywarebiz.com/ Doug Woodall

    Thank the heavens Firefox has a way to avoid this.

  • http://www.spywarebiz.com/ Doug Woodall

    Thank the heavens Firefox has a way to avoid this.

  • http://www.spywarebiz.com Doug Woodall

    Thank the heavens Firefox has a way to avoid this.

  • Pingback: Waarom je al je Google activiteiten moet versleutelen | BLOGT punt NL - www.blogt.nl

  • http://www.rezalfr.org/francois.ropert fropert

    Thanks for this powerful tips!

  • http://www.rezalfr.org/francois.ropert fropert

    Thanks for this powerful tips!

  • http://www.rezalfr.org/francois.ropert fropert

    Thanks for this powerful tips!

  • Pingback: Why You Should Encrypt *All* of Your Google Activities | Anti-Spyware and PC Security News

  • Arick

    I agree totally with your article if you use Firefox “hopefully if you use a pc” I recommend a extension that covers most of these issues plus Google analytics: http://www.customizegoogle.com/ I’m more concerned about that side of it check this out http://en.wikipedia.org/wiki/Google_Analytics thanks for the heads up though if I have to use IE I’ll remember to take your advice.

  • Arick

    I agree totally with your article if you use Firefox “hopefully if you use a pc” I recommend a extension that covers most of these issues plus Google analytics: http://www.customizegoogle.com/ I’m more concerned about that side of it check this out http://en.wikipedia.org/wiki/Google_Analytics thanks for the heads up though if I have to use IE I’ll remember to take your advice.

  • Arick

    I agree totally with your article if you use Firefox “hopefully if you use a pc” I recommend a extension that covers most of these issues plus Google analytics: http://www.customizegoogle.com/ I’m more concerned about that side of it check this out http://en.wikipedia.org/wiki/Google_Analytics thanks for the heads up though if I have to use IE I’ll remember to take your advice.

  • Tim

    I want to echo the comments that email without encryption is insecure, even if you use https to get it to the mail server. Once it leaves Google/Yahoo!/MSN/your ISP, it’s not encrypted unless you do it yourself. Look into PGP/GPG as another comment said.

  • Tim

    I want to echo the comments that email without encryption is insecure, even if you use https to get it to the mail server. Once it leaves Google/Yahoo!/MSN/your ISP, it’s not encrypted unless you do it yourself. Look into PGP/GPG as another comment said.

  • Tim

    I want to echo the comments that email without encryption is insecure, even if you use https to get it to the mail server. Once it leaves Google/Yahoo!/MSN/your ISP, it’s not encrypted unless you do it yourself. Look into PGP/GPG as another comment said.

  • http://dmiessler.com/ Daniel Miessler

    The fact that email on the Internet is insecure is well known. The point is that when you’re on a network that allows one to easily read network traffic, it presents an especially high risk of being intercepted by those who could take interest in you and/or cause you harm.

    In other words, some trashy network admin (or fellow coffee drinker) having all your email, wherabouts, agendas, news sources, etc. is much more dangerous than having it floating randomly on the Internet.

  • http://dmiessler.com/ Daniel Miessler

    The fact that email on the Internet is insecure is well known. The point is that when you’re on a network that allows one to easily read network traffic, it presents an especially high risk of being intercepted by those who could take interest in you and/or cause you harm.

    In other words, some trashy network admin (or fellow coffee drinker) having all your email, wherabouts, agendas, news sources, etc. is much more dangerous than having it floating randomly on the Internet.

  • http://dmiessler.com Daniel Miessler

    The fact that email on the Internet is insecure is well known. The point is that when you’re on a network that allows one to easily read network traffic, it presents an especially high risk of being intercepted by those who could take interest in you and/or cause you harm.

    In other words, some trashy network admin (or fellow coffee drinker) having all your email, wherabouts, agendas, news sources, etc. is much more dangerous than having it floating randomly on the Internet.

  • http://www.comodo.com/ cryptoman

    don’t forget to grab your FREE Digital Cert from comodo. (they’re a trusted root CA)

  • http://www.comodo.com/ cryptoman

    don’t forget to grab your FREE Digital Cert from comodo. (they’re a trusted root CA)

  • http://www.comodo.com cryptoman

    don’t forget to grab your FREE Digital Cert from comodo. (they’re a trusted root CA)

  • Pingback: Information Security Awareness & howtos » Encrypt ALL gmail traffic

  • Pingback: Why You Should Encrypt *All* of Your Google Activities « Security News

  • http://iligan.nu/ Stasigr

    Hello, very nice site, keep up good job! Admin good, very good.

  • http://iligan.nu/ Stasigr

    Hello, very nice site, keep up good job! Admin good, very good.

  • http://iligan.nu Stasigr

    Hello, very nice site, keep up good job! Admin good, very good.

  • http://digg.com/gadgets/Get_Free_Razr dafodilkemmy

    Free Razr plus free shipping with activated service plan.Choose from AT&T, Nextel, T-Mobile, Verizon, and more.

    Click here

  • http://digg.com/gadgets/Get_Free_Razr dafodilkemmy

    Free Razr plus free shipping with activated service plan.Choose from AT&T, Nextel, T-Mobile, Verizon, and more.

    Click here

  • http://digg.com/gadgets/Get_Free_Razr dafodilkemmy

    Free Razr plus free shipping with activated service plan.Choose from AT&T, Nextel, T-Mobile, Verizon, and more.

    Click here

  • Pingback: » Blog Archive » Link: Why You Should Encrypt All Your Google

  • Pingback: Clever Diversions - 08.13.07 « jdWeblog

  • Pingback: set poker

  • Pingback: free hindi movie ringtones free hindi song ringtones download

  • Sake

    Do not visit: http://www.mailsaurus.com IT IS A TROJAN Downloader website. Reported by Kaspersky.

  • Sake

    Do not visit: http://www.mailsaurus.com IT IS A TROJAN Downloader website. Reported by Kaspersky.

  • Sake

    Do not visit: http://www.mailsaurus.com IT IS A TROJAN Downloader website. Reported by Kaspersky.

  • Pingback: cool free games on the internet

  • TomB

    Good-day,

    There is an easier way: In your google account
    click on setting
    click on the general tab
    Under Browser connection: click on “Always use https”

    TomB

  • TomB

    Good-day,

    There is an easier way: In your google account
    click on setting
    click on the general tab
    Under Browser connection: click on “Always use https”

    TomB

  • http://profiles.google.com/jp.lowkey83 JP O

    Awesome!

Older Comments

Top

Popular

Information Security / Technology

Politics

Philosophy & Religion

Technology & Science

Culture & Society

Miscellaneous

Arguments

Projects

Collections

Twitter

What I'm Reading

Favorite Books and Essays

Top Blog Categories

Inputs