Gmail has announced that it will use HTTPS by default for checking and sending email, having first added HTTPS to its service in 2010.
In a blog post, Nicolas Lidzborski, Gmail security engineering lead, said that today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers, regardless of device or connection.
He said: “Every single email message you send or receive – 100 per cent of them – is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail’s servers, but also as they move between Google’s data centres – something we made a top priority after last summer’s revelations.”
It was reported in November that the US NSA had tapped into the private links that connect Google and Yahoo data centres around the world.
Commenting, Professor Fred Piper told IT Security Guru that he felt that any step in a secure direction was a good thing, but said that he doubted that this would solve all dilemmas. “If they turned it into a business advantage it would be very interesting, I’m not convinced that the populace care,” he said.
“Is it a good move? I think so. Does it solve the problem? I don’t think there is any doubt that this is a step in the right direction. Would it make any difference at all? I am not sure. I’ve never yet seen security provide a market advantage for anybody. Gmail say that this is transparent to the user and they have tried to improve security, and that should be a good thing.”
Brendan Rizzo, technical director EMEA at Voltage Security, said: “With this announcement, Google has shown their willingness to protect their users’ emails at every point on the Google network. This is a very positive move which aids those who do not already have a data-centric email encryption solution in place to protect messages over the entire journey from the sender to the recipient.
“Google has always provided the option for encrypting the link to their webmail service, but this announcement has now completed the evolution from being an option only enabled by the security conscious, to one that will protect the end-user whether they know what SSL is or not.”