Why You Should Encrypt *All* of Your Google Activities [POC]

By Daniel Miessler on August 9th, 2007: Tagged as Encryption | Google | Privacy | Security

google

Everyone loves Google. They want to be everything to everyone, and they’re getting pretty damn good at it. Once you start using their services it gets easier and easier to migrate more of your life to them. But there’s a slight problem.

Google, like most other similar services, encrypts login traffic but not your content. So the moment you’re signed in they switch to plain-text communications and send everything to you in the open.

This means your mail, the news sources you read, your calendar events — are all able to be read by someone with access to any part of the network between you and Google. This could be your employer at work, the wireless network at your local coffee shop, whatever. This isn’t good.

Here’s an email I just sent myself over the default (unencrypted) connection:

googleemail
And here’s what I captured via tcpdump.

googlesubject
thisisasecret
That’s the whole email there for anyone to see. Luckily it’s easy to fix…

  1. Use Bookmarks for Your Google Services Create bookmarks (or modify them if you already have them) for Gmail, Google Calendar, Google Reader, and iGoogle (your Google homepage) using https instead of http, like so: https://mail.google.com/mail/. Do this for every service that you use at Google.
  2. Don’t Click on Links Within Google to Take You to Your Services If you use their links Google will often take you to the unencrypted version because it’s easier on their servers. Use your links instead to ensure that your sessions are encrypted

The more we depend on Google (or any other monolithic service) the more we need to safeguard the information they have of ours. One way we can help is by demanding (via secure bookmarks and other methods) that they send us our mail, news feeds, calendars, and other information over a secure connection.:

[ Note: This is not a Google-specific problem. Most other services work in exactly the same way. The difference is that Google is so prolific and is becoming very successfully at getting people to use not only their email service but also their calendaring, news reader, instant messaging, their search (with history), etc. It's the all-in-one dynamic that makes it especially important to protect Google traffic. ]

Older Comments
Newer Comments
  • Jim

    In Windows XP I keep a shortcut in my quick launch folder, for easy clickin’. I use this because the gmail notifier launches in unsecured http:// mode and there’s no way I’ve found to change it.

    Target: “C:Program FilesMozilla Firefoxfirefox.exe” “https://mail.google.com”

    Start in: “C:program filesmozilla firefox”

    Icon: http://mail.google.com/favicon.ico

  • Jim

    In Windows XP I keep a shortcut in my quick launch folder, for easy clickin’. I use this because the gmail notifier launches in unsecured http:// mode and there’s no way I’ve found to change it.

    Target: “C:\Program Files\Mozilla Firefox\firefox.exe” “https://mail.google.com”

    Start in: “C:\program files\mozilla firefox”

    Icon: http://mail.google.com/favicon.ico

  • Pingback: Encrypt Your Google Activities | Blue Lotus Project Security Blog

  • Pingback: Cohenville » Blog Archive » Encrypt your Google traffic

  • http://www.evancarroll.com EvanCarroll

    It isn’t fair that you make it sound like google doesn’t willingly permit this use of their services. You assume they revert to non-https because it is easier on their servers. I think your off there, and your off on making it sound like this a hack, rather than a published alternate method.

  • http://www.evancarroll.com EvanCarroll

    It isn’t fair that you make it sound like google doesn’t willingly permit this use of their services. You assume they revert to non-https because it is easier on their servers. I think your off there, and your off on making it sound like this a hack, rather than a published alternate method.

  • http://evancarroll.com Evan Carroll

    It isn’t fair that you make it sound like google doesn’t willingly permit this use of their services. You assume they revert to non-https because it is easier on their servers. I think your off there, and your off on making it sound like this a hack, rather than a published alternate method.

  • http://www.horizonplastics.ca/ 10668844

    I thank you for alerting me to this.

  • http://www.horizonplastics.ca 10668844

    I thank you for alerting me to this.

  • http://bweaver.net/ bill weaver

    Good advice, as far as it goes. Encrypting our data on its way to Google then decrypting it at Google mostly ensures that they get it safely, but at what point do people start getting concerned that Google has all their data? At what point do we worry that they monitor, mine, and market our data and online behavior? The same people freaking out about the government or Microsoft collecting some of our data are usually the ones who happily give it all to Google.

    If Google cares about our privacy or security, they’ll provide a way for us to encrypt our data when it leaves our system, to be decrypted only when we get it back on our system.

    But, yes, if you really care about your privacy, encrypt your email yourself before using any email system. And do not use Google Docs or any online service for anything sensitive. Onerous task when G and Y! and MS and others make it so easy to hand everything over to them. Hard drives are cheap.

  • http://bweaver.net/ bill weaver

    Good advice, as far as it goes. Encrypting our data on its way to Google then decrypting it at Google mostly ensures that they get it safely, but at what point do people start getting concerned that Google has all their data? At what point do we worry that they monitor, mine, and market our data and online behavior? The same people freaking out about the government or Microsoft collecting some of our data are usually the ones who happily give it all to Google.

    If Google cares about our privacy or security, they’ll provide a way for us to encrypt our data when it leaves our system, to be decrypted only when we get it back on our system.

    But, yes, if you really care about your privacy, encrypt your email yourself before using any email system. And do not use Google Docs or any online service for anything sensitive. Onerous task when G and Y! and MS and others make it so easy to hand everything over to them. Hard drives are cheap.

  • http://bweaver.net bill weaver

    Good advice, as far as it goes. Encrypting our data on its way to Google then decrypting it at Google mostly ensures that they get it safely, but at what point do people start getting concerned that Google has all their data? At what point do we worry that they monitor, mine, and market our data and online behavior? The same people freaking out about the government or Microsoft collecting some of our data are usually the ones who happily give it all to Google.

    If Google cares about our privacy or security, they’ll provide a way for us to encrypt our data when it leaves our system, to be decrypted only when we get it back on our system.

    But, yes, if you really care about your privacy, encrypt your email yourself before using any email system. And do not use Google Docs or any online service for anything sensitive. Onerous task when G and Y! and MS and others make it so easy to hand everything over to them. Hard drives are cheap.

  • X

    Awesome! Now we need to figure out how to safeguard Google from our data!

  • Pingback: Alenônimo.com.br » Blognônimo » Arquivo » Aumente a segurança dos serviços do Google

  • X

    Awesome! Now we need to figure out how to safeguard Google from our data!

  • Angus S-F

    Also, if you want to keep your search history with Google anonymous, make sure you’re not logged in to your Google account (gmail, gcal, etc.) AND use either the BlackBox or Scroogle search redirectors, which anonymize your Google searches by making them from a different IP address than yours.

  • Angus S-F

    Also, if you want to keep your search history with Google anonymous, make sure you’re not logged in to your Google account (gmail, gcal, etc.) AND use either the BlackBox or Scroogle search redirectors, which anonymize your Google searches by making them from a different IP address than yours.

  • Angus S-F

    Also, if you want to keep your search history with Google anonymous, make sure you’re not logged in to your Google account (gmail, gcal, etc.) AND use either the BlackBox or Scroogle search redirectors, which anonymize your Google searches by making them from a different IP address than yours.

  • http://www.antigamer.com/ PENIX

    If someone is ON your network and wants your data, you’re going to need a lot more than https. There are tools that will let you view that traffic just as easily as everything else. Fortunately, most people are not that important. No one really cares about your e-mails or IMs as much as you think they do.

  • http://www.antigamer.com/ PENIX

    If someone is ON your network and wants your data, you’re going to need a lot more than https. There are tools that will let you view that traffic just as easily as everything else. Fortunately, most people are not that important. No one really cares about your e-mails or IMs as much as you think they do.

  • http://www.antigamer.com PENIX

    If someone is ON your network and wants your data, you’re going to need a lot more than https. There are tools that will let you view that traffic just as easily as everything else. Fortunately, most people are not that important. No one really cares about your e-mails or IMs as much as you think they do.

  • Pingback: Geekapundit

  • Pingback: Encrypt Your gmail !! « Marty Wolfe

  • http://www.dufault.info/ Phil Dufault

    A very handy article, thanks!

  • http://www.dufault.info/ Phil Dufault

    A very handy article, thanks!

  • http://www.dufault.info Phil Dufault

    A very handy article, thanks!

  • Pingback: » And I thought it was just me… > Vincent Arnold

  • Anonny Mouse

    What about fetching gmail content via POP? I believe it is unencrypted too…

  • Anonny Mouse

    What about fetching gmail content via POP? I believe it is unencrypted too…

  • Anonny Mouse

    What about fetching gmail content via POP? I believe it is unencrypted too…

  • Woody

    I use https for gmail, calendar, and picasa, but there’s no way to do it for notebook! grrrrr…

  • Woody

    I use https for gmail, calendar, and picasa, but there’s no way to do it for notebook! grrrrr…

  • Woody

    I use https for gmail, calendar, and picasa, but there’s no way to do it for notebook! grrrrr…

  • Matt

    No the POP access is crypted. It uses POP over a secure SSL connection, as https do. You can see it on the help center of Gmail.

  • Matt

    No the POP access is crypted. It uses POP over a secure SSL connection, as https do. You can see it on the help center of Gmail.

  • Matt

    No the POP access is crypted. It uses POP over a secure SSL connection, as https do. You can see it on the help center of Gmail.

  • Pingback: links for 2007-08-11 at DeStructUred Blog

  • Pingback: Almost, Not Yet - links for 2007-08-11

  • Loren

    I don’t think gmail does encrypt your activities if you use a standalone client requiring SSL.

  • Loren

    I don’t think gmail does encrypt your activities if you use a standalone client requiring SSL.

  • Loren

    I don’t think gmail does encrypt your activities if you use a standalone client requiring SSL.

  • Pingback: Security Hub » Blog Archive » Sempre use o GMail através do protocolo HTTPS

  • http://www.neohide.com/ Keith

    Oh, this certainly scares me. I had better consider on other alternatives if such privacy issue is going to be persist.

  • http://www.neohide.com/ Keith

    Oh, this certainly scares me. I had better consider on other alternatives if such privacy issue is going to be persist.

  • http://www.neohide.com Keith

    Oh, this certainly scares me. I had better consider on other alternatives if such privacy issue is going to be persist.

  • Pingback: Why You Should Encrypt *All* of Your Google Activities « J.O.S.E.

  • Pingback: Universe_JDJ’s Blog » Why You Should Encrypt *All* of Your Google Activities

  • Pingback: Google - a gentle reminder « 0ddn1x: tricks with *nix

  • Pingback: Tips to encrypt Gmail and other Google services communication at DeStructUred Blog

  • http://googlonymous.com/ Fred Durst

    http://googlonymous.com/

    Google Anonymously..

Older Comments
Newer Comments

Top

Popular

Information Security / Technology

Politics

Philosophy & Religion

Technology & Science

Culture & Society

Miscellaneous

Arguments

Projects

Collections

Twitter

What I'm Reading

Favorite Books and Essays

Top Blog Categories

Inputs