Before Gmail released the ability to automatically encrypt your Gmail connections, your browser/server interactions went something like this:
Your Browser: Hey there Gmail, I want in. Here’s my encrypted login.
Gmail Servers: Hey there, browser. I see your encrypted login fits what I have here. If you want to keep talking to me, I will need to see proof of your login, but don’t bother encrypting it for me. Here is your unencrypted email.
Your Browser: Great. I want to read this particular email, my Gmail login is: email@example.com and my password is: monkeylove. My name is John Hanks Doe and my social security number is 123-45-6789.
Gmail Servers: Sure, here you go. I see you are leaving for vacation with the house unlocked this weekend. Say, is this your credit card information?
Guy packet sniffing your wi-fi from Starbucks: Cool!
It’s a little more complex than that (and a little less goofy and dramatic), but the theory is sound. Using encryption at login only is the equivalent of setting up a toll booth in the desert.
Of course, for 36.2% of all Making Light readers, this information is news on the order of “water is wet.” (54.9% of those are about to post a comment explaining why Gmail is a Bad Thing no matter how you use it.) This post is a public service for the remaining 63.8%, none of whom deserve to have their personal information hijacked.
Gina “Lifehacker” Trapani’s Firefox extension Better Gmail forces Firefox to always use https for Gmail, and includes a nice set of other user-choosable Gmail-related enhancements and conveniences. Of course, to encrypt your Gmail sessions, all you have to do is preface Gmail’s URL with “https” rather than “http”, or turn on “always use https” from the “Browser Connection” settings of your Gmail account.
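For readers who want to see the difference in concrete terms, here is an added example (not part of the original post, and not code from Gmail or Better Gmail) that audits a constructed login-only-encryption exchange and then the same exchange with https everywhere. The host `mail.example.com`, the cookie name `SID` and the function names are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed exchange, not captured traffic: login over https, mailbox over http.
EXCHANGE = [
    {"url": "https://mail.example.com/login",
     "set_cookie": "SID=constructed-token; Path=/"},
    {"url": "http://mail.example.com/inbox", "cookie": "SID=constructed-token"},
    {"url": "http://mail.example.com/message/1", "cookie": "SID=constructed-token"},
]

def audit(exchange):
    """List the points where a session cookie is exposed to a passive listener."""
    findings = []
    for step in exchange:
        # Server side: without Secure, the browser will also send it over http.
        for name, morsel in SimpleCookie(step.get("set_cookie", "")).items():
            if not morsel["secure"]:
                findings.append(("missing-secure", name, step["url"]))
        # Client side: a cookie on an http request crosses the network in cleartext.
        if urlsplit(step["url"]).scheme == "http":
            for name in SimpleCookie(step.get("cookie", "")):
                findings.append(("cleartext-cookie", name, step["url"]))
    return findings

def force_https(url):
    """Rewrite http to https, the effect of prefacing the URL with https."""
    parts = urlsplit(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url

def harden(exchange):
    """Same exchange with every URL on https and Secure set on issued cookies."""
    fixed = []
    for step in exchange:
        step = dict(step, url=force_https(step["url"]))
        if "set_cookie" in step:
            step["set_cookie"] += "; Secure"
        fixed.append(step)
    return fixed

if __name__ == "__main__":
    for finding in audit(EXCHANGE):
        print(finding)
    print("after hardening:", audit(harden(EXCHANGE)))
```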
In conversation the other day, Cory Doctorow, a guy who keeps his mail on his own machine, remarked that in fact his anti-webmail stand doesn’t actually matter all that much; if I use Gmail and hundreds of his other correspondents use Gmail, in effect he’s using Gmail too. It’s a good point, and it gets at the way that good computer security practices aren’t just a matter of autonomous individuals choosing whether or not to fortify their personal castles. Bad security is like cholera in the water supply; it affects everyone.