In a few of my other blog posts I have already used the example of Gmail and https to improve security. But I feel with the recent improvements Google introduced that it is time to emphasize security and email again.
Sources: Official Gmail Blog https & login history
Previous: My Blog Posts : Improving Online Security & Secure Browsing Using FireFox
In this (pretty big, but please read it) blog article I want to go into a few new options to improve your Gmail security, starting with using https, followed by login history.
Using https with Gmail – Always
Ok, so what’s the deal here? Well, very simple. If you connect from your computer to a web site and get information back from it, this is usually done over http and not over https. The difference is that the s stands for Secure Sockets Layer (SSL).
The latter (https) means that, unlike plain http, the connection is secure, encrypted and authenticated. This means that the data between the computer and web site is no longer just plain text. A quick security example: when you’re at an internet cafe, or using wifi, the data you’re transmitting can’t be sniffed or snooped on by others. When they look at the data it is garbled, like sH3Xf$#Fw9fsZ24 instead of “your bank account password”. I am sure you can imagine this being a big deal, as you don’t wish to share your online banking password with others.
The same goes for email. When you log in to your online email client (cloud computing: using your browser to connect to an online application, such as Google, Hotmail, or Yahoo’s email service), your contacts, emails, etc. are online, somewhere in the cloud. Sure, not all email is privacy sensitive, but that does not mean you should be lax about it. Identity theft, social engineering, war driving, etc. were and are still very popular. You might not be aware of the consequences, but the abusive users are.
So back to Gmail and https.
Google Email posted in their official Gmail Blog (see source link above) that they have always supported https, but it wasn’t always clear to people whether this was temporary, just for the login, or always. Now they have introduced a new option which lets you choose between using https optionally or always.
Yes, encrypting and decrypting on the fly requires resources, but come on, who doesn’t have one or more CPUs with one or more cores and over 1 GB of RAM? The argument that it is a tiny tad slower no longer weighs up against usability, a sense of security and actually not having to worry about that level of security, in my book. From my experience it’s certainly negligible.
Read up on the Gmail blog entry, go to your Gmail account and take the step to browse over https – always.
A new policy / behaviour you can now teach yourself: if the web site supports https, use it! This does not just apply to Gmail, but to Usenet, PayPal, torrent sites, Twitter, etc.
Using and Checking Gmail Login Session History
Not only is browsing over https important, but logging out of your account is too. Usually (like me) you just close the tab/browser and move on. Sometimes, when you have been at a friend’s place or some other location, you come home and go ‘uh oh, let’s hope they don’t go check and auto login to Gmail using my account’, also because I am used to clicking [x] remember me.
This new option now allows you to quickly glance at the open sessions and lets you log them out remotely if needed. Very nice.
A few basic rules with cloud computing and online accounts are to only click [x] remember me if you are at a secure location where you know others will not be accessing your system and, of course, to use the logout option to ensure that others can’t abuse any open sessions.
Unfortunately, convenience and what you’re used to sometimes make you forget. This new option helps you clean up afterwards. There is a big difference from the https option I talked about earlier, and I want you to understand it. Using https can help you prevent problems before anything happens. This security option helps you clean up afterwards, when damage might already have been done.
A new policy / behaviour you can now teach yourself: once you are logged into the Gmail web site, check the footer and check the session history. If you do not recognize an IP address you can take action.
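One way to make the session-history check above repeatable, as an added example that is not part of the original post: compare each session's IP address against the networks you normally sign in from and list the ones you do not recognize. The comma-separated row format (rows copied by hand), the known networks and the sample rows are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Assumption: networks you normally sign in from (documentation ranges, constructed).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.16/28")]

# Constructed sample of session-history rows: access type, IP address, time.
SAMPLE_HISTORY = """\
Browser, 192.0.2.44, 2024-01-30 08:12
Browser, 198.51.100.20, 2024-01-30 12:40
Browser, 203.0.113.9, 2024-01-30 12:55
Mobile, 198.51.100.200, 2024-01-29 23:05
not a session row
"""

def parse_history(text):
    """Turn each 'type, ip, timestamp' line into a dict; skip lines that do not parse."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            rows.append({
                "type": parts[0],
                "ip": ipaddress.ip_address(parts[1]),
                "when": datetime.strptime(parts[2], "%Y-%m-%d %H:%M"),
            })
        except ValueError:
            continue  # malformed IP address or timestamp
    return rows

def unrecognized_sessions(rows, known=KNOWN_NETWORKS):
    """Return rows whose IP is in none of the known networks, newest first."""
    flagged = [r for r in rows if not any(r["ip"] in net for net in known)]
    return sorted(flagged, key=lambda r: r["when"], reverse=True)

if __name__ == "__main__":
    for r in unrecognized_sessions(parse_history(SAMPLE_HISTORY)):
        print(f"{r['when']:%Y-%m-%d %H:%M}  {r['type']:<8} {r['ip']}  <- not recognized")
```

An address from your own provider can still fall outside a narrow range such as the /28 here, so a flagged row is a prompt to look closer and sign that session out, not proof of misuse.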
Taking The First Step
Now that you are aware of the security options, the risks, and what you can do, here is some information about what you can do right now to make you feel more secure about your online email, when you are using Gmail.
Go to Gmail, turn on https – always, and check your session history. Then change your password to a long, hard-to-guess, randomized and unique password. Make sure you have an offline copy of this password in a secure location.
If anybody in the past gained access to your account, they are now blocked out. And any [x] remember me and other tricks will expire now that you’ve got a new password set. Plus, it’s always good to rotate between passwords once in a while.
Also, check back to my blog (bookmark it!) for more security tips and information to help you improve your online behavior, and of course, bookmark the Gmail blog so you are informed of future news and security improvements – so you’re always on top of things.