June 16, 2009

HTTPS security for web applications



A group of privacy and security experts sent a letter today urging Google to strengthen its leadership role in web application security, and we wanted to offer some of our thoughts on the subject.

We've long advocated for, and demonstrated, a focus on strong security in web applications. We run our own business on Google Apps, and we strive to provide a high level of security to our users. We currently let people access a number of our applications — including Gmail, Google Docs, and Google Calendar, among others — via HTTPS, a protocol that establishes a secure connection between your browser and our servers.

Let's take a closer look at how this works in the case of Gmail. We know that tens of millions of Gmail users rely on it to manage their lives every day, and we have offered HTTPS access as an option in Gmail from the day we launched.
If you choose to use HTTPS in Gmail, our systems are designed to maintain it throughout the email session — not just at login — so everything you do can be passed through a more secure connection. Last summer we made it even easier by letting Gmail users opt in to always use HTTPS every time they log in (no need to type or bookmark the "https").

Free, always-on HTTPS is pretty unusual in the email business, particularly for a free email service, but we see it as another way to make the web safer and more useful. It's something we'd like to see all major webmail services provide.

In fact, we're currently looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.

We know HTTPS is a good experience for many power users who've already turned it on as their default setting. And in this case, the additional cost of offering HTTPS isn't holding us back. But we want to more completely understand the impact on people's experience, analyze the data, and make sure there are no negative effects. Ideally we'd like this to be on by default for all connections, and we're investigating the trade-offs, since there are some downsides to HTTPS — in some cases it makes certain actions slower.

We're planning a trial in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their email. Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS?

Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users. We're also considering how to make this work best for other apps including Google Docs and Google Calendar (we offer free HTTPS for those apps as well).

Stay tuned, but we wanted to share our thinking on this, and to let you know we're always looking at ways to make the web more secure and more useful.

Update @ 1:00pm: We've had some more time to go through the report. There's a factual inaccuracy we wanted to point out: a cookie from Docs or Calendar doesn't give access to a Gmail session. The master authentication cookie is always sent over HTTPS — whether or not the user specified HTTPS-only for their Gmail account. But we can all agree on the benefits of HTTPS, and we're glad that the report recognizes our leadership role in this area. As the report itself points out, "Users of Microsoft Hotmail, Yahoo Mail, Facebook and MySpace are also vulnerable to [data theft and account hijacking]. Worst of all — these firms do not offer their customers any form of protection. Google at least offers its tech savvy customers a strong degree of protection from snooping attacks." We take security very seriously, and we're proud of our record of providing security for free web apps.

Update on June 26th: We've sent a response to the signatories of the letter. You can read it here.
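
The Update's point that the master authentication cookie only ever travels over HTTPS, while each application's cookie stays with that application, comes down to how a browser decides which cookies to attach to a request. The sketch below is an added example, not Google's code: the host names, cookie names and values are constructed, and path matching is left out.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie value into the fields that decide where it is sent."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    # Without a Domain attribute the cookie is host-only: it goes back to the
    # exact host that set it and to no other host.
    cookie = {"name": name, "domain": origin_host.lower(),
              "host_only": True, "secure": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False
    return cookie

def would_send(cookie, url):
    """True if a browser would attach this cookie to a request for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie["secure"] and parts.scheme != "https":
        return False  # Secure cookies never leave over plain HTTP
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def exposed_cookies(jar, url):
    """Names of the cookies that would travel with a request for url."""
    return sorted(c["name"] for c in jar if would_send(c, url))

# Constructed responses: (host that set the cookie, Set-Cookie value).
SAMPLE_RESPONSES = [
    ("accounts.example.test", "MASTER_AUTH=m1; Path=/; Secure; HttpOnly"),
    ("mail.example.test", "MAIL_SESSION=s1; Path=/"),
    ("docs.example.test", "DOCS_SESSION=d1; Path=/"),
]
SAMPLE_JAR = [parse_set_cookie(h, host) for host, h in SAMPLE_RESPONSES]

if __name__ == "__main__":
    for url in ("http://mail.example.test/inbox",
                "http://docs.example.test/",
                "http://accounts.example.test/",
                "https://accounts.example.test/"):
        print(url, "->", exposed_cookies(SAMPLE_JAR, url))
```

A per-application session cookie set without `Secure` is what an eavesdropper sees on a plain-HTTP request; adding `Secure` to it is what "HTTPS throughout the session, not just at login" looks like at the cookie level.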

39 comments:

  1. The option to turn HTTPS always on does not seem to be available in Gmail for Google Apps.

  2. I am a huge fan of always-on https for Gmail. One problem I have run into, however, is the incompatibility of the official Gmail iGoogle gadget (even when accessing iGoogle via https). This is a minor inconvenience, however, to keep other roommates, hotel guests, Starbucks customers, etc. out of my email.

  3. It's a shame that Google is still not forcing users to be on a SSL connection! In Europe there is a law that requires that all privacy related information is sent over a secure connection (SSL).

    For more information about this law in the Netherlands, see:

    http://www.networking4all.com/en/ssl+certificates/legal+obligations/

    http://english.justitie.nl/themes/personal-data/

  4. I'm commenting just to second Matt's complaint about not being able to access Gmail from iGoogle. I switched to "always on" a while back for just the reasons you mentioned (thank you for providing the option when other services don't!), and I don't think I noticed any difference at all in performance. It's just that I wish I could see a little more from the gadget...

    Keep up the good work, and I look forward to having the option in other apps!

  5. Yeah, I'd like to have an https compatible Gmail gadget for iGoogle too!!

  6. It would be quite interesting to know how many power users there are: How many SSL-only sessions are there (as a percentage of all daily sessions, for example)?

  7. @salsawizard ask your administrator, he/she can force https to all users with a single option

  8. Expanding https is an excellent idea, and I echo the above pleas to get your iGoogle gadget in line with this approach.

    Default https for Wave sounds prudent too...

    Regards,
    John

  9. Another vote for updating the iGoogle gadget.

  10. Including HTTPS by default sounds great.... a first step... However I am looking for some more. If you want your services to be really great for security minded people you might want to consider the option to encrypt the mails you send with Gmail. You have the tools like FireGPG however it would be great, in my opinion, if you enable encryption from within the web frontend of Gmail.

    I guess this is not considered by Google because it can have a negative effect on scanning the messages for placing ads?

    I wonder if people inside Google Labs are thinking about inserting an option like this?

    Hope you can comment on this.

    Regards,
    Johan Louwers.

  11. I was thrilled when Gmail offered forced https for free Google Apps account and I turned it on immediately. But I think the authors of the letter are right that most people don't know enough to turn it on, so having it on by default makes sense. Users experiencing a slower Gmail is vastly more preferable to users experiencing their account being stolen, and then subsequently shut down by Google automatically after it is abused.

    I would like it even more if there was a simple way to do two-factor authentication.

    I have recently been reading about Yubikey, which seems simpler to use than most other methods for two-factor authentication. It would be great if Google supported and widely publicized their support for Yubikey and/or some other very simple two-factor authentication method.

  12. I believe the SSL option in Google Apps for your Domain is not on the users' side as in the gmail account. You gotta ask your administrator (or do it yourself) to enable it in the google apps control panel under Domain Settings > General > SSL. That would enable it for all apps under your domain, which is pretty cool. The speed and responsiveness seems the same to me so far.

  13. In update to my previous post about the legal security obligations in The Netherlands I want to refer you to the link below with the European directives to the protection of personal data:

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

    http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

    (46) Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorized processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected;

  14. The web is not restricted to desktop browsers and mobile clients play an important role. Given the fact that a couple of mobile browsers behave weirdly on a HTTPS connection, we need a unified approach to web security where both HTTP and HTTPS protocols are taken into consideration.

  15. You should keep HTTPS as default and give the NO HTTPS option for whoever thinks it's slower.

    And I don't know if it is HTTPS, but sometimes Gmail stops, then I can't send e-mails or delete them, and there's nothing I can do to fix it, just wait.
    Also, you guys could focus more on your apps than on HTTPS. There are a lot of good apps, but some of them, like the Twitter for Google Desktop, aren't so good...

  16. Thanks to everyone who educated me on the SSL issue for Google Apps. I found the SSL option in the admin page on the Domain Settings tab and enabled it. I have to say, though, that was the last place I would have looked at without help. Thanks!

  17. The multiple-file upload Flash control from Google Labs does not obey the use-https-only setting. Please fix this.

  18. Not forcing HTTPS is terrible for a company that has so many people using its services! Not to mention this was on the google security blog... I mean, modifying content over HTTP is so easy a caveman can do it! A simple ettercap filter, understanding of your target, and some simple thinking outside of the box can easily allow me to manipulate the DOM of the client-side user and basically gives me control over the site client-side. I even recently wrote a blog post about how to do this. Then if we can get one of the services, same domain policy sucks for you guys, that's talking on a normal HTTP session to force a connection to your typically TLS'ed service, then I have access to that as well. End being, you need to force HTTPS for all of your services.

  19. Use https generated from CUDA libraries or some other GPU powered source of squinchy crypto maths to do this on the cheap... :)

  20. If you enhance SSL support, please consider supporting SSL gzip compression (RFC 3749). Unlike HTTP level compression, it will also affect the HTTP headers. Yes, hardly a browser supports it, but you have Chrome, might add it and finally give this feature the propagation it deserves.

  21. Even though SSL should always be enabled, users are free to choose and I really like that. It's the Google way.

  22. It should be noted that the Firefox add-on «CustomiseGoogle» provides the user with a simple method to enable https not only for Gmail, but for Google Docs and Google Calendar as well. That said, I think it would be a great step forward if Google were to make https the default setting for each of these applications. But it should also be noted that while doing so would offer a higher level of protection against someone else logging in to one's account (assuming that one hasn't spread one's password around), it does nothing to enhance the security of the contents. For that we need encryption, which I hope Google will also consider offering....

    Henri

  23. Given some of the odd and absurd requests in these comments, I doubt anyone from Google will read this far down, but I'll post anyways.

    Why isn't this letter being sent to all web mail providers? If Google is ahead of the others, why are Google's attempts labeled inadequate? If you care about encrypting, you'll add the S to your URL. If you don't care, why should anyone else?

  24. Joe, isn't the point about making the services provided by Google even better and more secure for all users - even the less security-conscious ? As to why anyone else should care, aside from the milk of human kindness, which admittedly doesn't always flow unhindered, the presence of unsecured users on a network tends to make all users less secure. Thus even enlightened self-interest would argue for our supporting such a step on the part of Google. And surely it's in Google's own enlightened self-interest both to be and to be perceived as a more secure provider of web services ?...

    Henri

  25. This comment has been removed by a blog administrator.

  26. This comment has been removed by a blog administrator.

  27. We also run our business on Google Apps. Our administrator has enabled https for all apps, but the personalized start page is still just http. It's a nice start page, and I'd be happy to make it my home page at work, but since I can't get a secure connection to it, I don't use it at all.

  28. I notice that the article did not address using SSL to protect the basic Google Search and the search box in iGoogle pages. Both of these appear to be available at HTTPS URLs but the search feature doesn't really work.

    Basically, entering a search at https://www.google.com/ig simply bounces you back to the http://www.google.com/ homepage.

    That's pretty lame, for a company so proud of its engineering.

  29. Have to agree with the ScalablePower here - surely Google can see to it that searches are always conducted from a page protected - to the degree that this constitutes a protection - by SSL ?...

    Henri

  30. Does the https serve to secure the whole page, including Chat, Video and Voice? I'm sorry if I sound naive, but when I log into Gmail in Internet Explorer, with https option always-on enabled, the following happens:
    The page loads without chat, there comes this Internet Explorer warning which says "There are some elements in the page which are not secure", then when I say "That's ok", the chat loads up only then. I don't want my chats to be sniffed!

    Rammy

  31. The scalable Power is the best feature in Google. Thanks for the info..

    bloggers

  32. I was just shocked when I saw that friends and mine project was not encrypted, and that we had to manually https://docs...
    It would be very good that all the future Google applications use ssl encryption.

  33. OK, I agree this is good for security purposes, but now in my office we are facing a major issue with this: we had blocked Gmail through firewall software, but now it's not being blocked by any firewall....
    Does anyone have a solution for how we can block Gmail at the office with HTTPS?

    Rajesh

  34. There is a problem with the offline feature and Google Calendar. It silently reverts to insecure HTTP if offline is enabled making eavesdropping easy. This is bad as the user is asking for secure HTTPS but gets insecure HTTP without notice.

  35. I wonder how long it will be before Google's SSL Encryption becomes the default. Though I may not be an expert, does this include self-signed certificates or just those from leading authorities such as VeriSign and GeoTrust etc? I've also heard of manipulations of Comodo too, so I guess my thought is how secure are the secure results in the https search? I also agree about the iGoogle update too.

  36. Any chance you could also add HTTPS support to Blogger?

    I've just blogged about this http://gmailblog.blogspot.co.uk/2008/07/making-security-easier.html and in there I propose the idea of a cloud based service to allow secure access to sites like blogger

  37. Thank you Google for providing all users with this key https feature.
    For many, it may be an option, but for me, and many Iranian activists fighting for their freedom from Islamic hardliners ruling Iran, HTTPS is a MUST, a strong, though not unbreakable, wall between freedom activists and Islamic regime who uses expensive deep-packet analysing devices from Nokia-Siemens as well as cheap equipment from Russia and China.
    It is also true for Syrian activists trying to inform the world of Asad's crimes against Syrians.

    I hope you can extend this feature to blogging services so that bloggers can log in to their control panel in a secured mode.

    HTTPS does make a difference for our lives... Thank you!

  38. Could you please force HTTPS for Blogger, and it's about time too for Google Reader.
