Page last updated at 10:46 GMT, Friday, 19 June 2009 11:46 UK

Google tackled on e-mail security

[Image: log-in screen. Caption: Session hijacking could put personal details at risk]

Google has been asked to explain why it is not making its Gmail e-mail service more secure.

In an open letter to Google boss Eric Schmidt, security experts, lawyers, and privacy advocates ask why Gmail users are "needlessly" being put at risk.

The 38 signatories want Google to use the secure version of the HTTP protocol, HTTPS, for the whole of a Gmail session rather than only for the sign-on, to protect Gmail users.

In response, Google said it was considering trials of the secure system with a select group of users.

Secure session

"As more of us end up using insecure internet access - such as wi-fi in coffee shops, libraries, and so forth - there's a real risk of session hijacking," said Ben Edelman, a signatory of the letter and assistant professor at Harvard Business School.

When users sign on to Gmail, their login name and password are encrypted as the data passes back and forth using the secure version of HTTP known as HTTPS.

However, said Mr Edelman, this encryption is turned off once sign-on is completed, and the rest of the session travels as plain HTTP. A similar system works for Google Docs and Calendar.

The risk, he said, was from hi-tech criminals who snoop on the unencrypted data passing back and forth to steal the identifiers known as "session cookies", which are issued when these applications start being used and which the browser then sends with every later request.

Mr Edelman said that using the cookies could let a criminal pose as a user without ever learning the password. In Gmail's case, this could mean they might send e-mails in the owner's name, abuse their identity, change a password, or hijack an account.

[Image: laptop in coffee shop. Caption: As data moves to the cloud more people will be at risk]

"It's a frightening prospect," said Mr Edelman.

The open letter pointed out that Google used HTTPS to protect the data of users of its Health and Voice applications.

While Google does make it possible to use HTTPS all the time when signed on to Gmail, Docs, or Calendar, the option was so hard to find that few would use it, suggested the letter.

It pointed out that most users keep the default settings and so were likely to be leaving themselves at risk.

"...unless the security issue is well known and salient to consumers, they will not take steps to protect themselves by enabling HTTPS," said the letter.

If Google turned on HTTPS for the whole session, the snooping risk described in the letter would be removed, provided the session cookie is also marked "Secure" so that the browser never sends it over a plain HTTP connection.
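The mechanism behind the letter's complaint, and the fix it asks for, can be shown in a few lines. The following is an added illustration written for this page, not code from Google, the BBC or the letter's authors. The captured request is constructed, and the host name (mail.example.com) and cookie name (SID) are hypothetical. The first half shows what a passive sniffer on open wi-fi recovers from one plaintext request and how that cookie is replayed to pose as the user; the second half uses Python's own cookie jar as a stand-in for a browser to show why a cookie set over HTTPS still leaks unless it carries the Secure attribute.

```python
"""Session hijacking over plaintext HTTP, and the Secure cookie attribute.

Added illustration for the article above; not code from Google, the BBC or the
letter's authors. The capture is constructed; mail.example.com and the SID
cookie are hypothetical names.
"""
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie

# Constructed capture: one plaintext request as a sniffer on open wi-fi sees it.
# In the article's scenario the browser sends exactly this, in clear, after login.
CAPTURED_HTTP_REQUEST = (
    b"GET /mail/inbox HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Cookie: SID=hypothetical-session-id-123; PREF=en\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into its request line and a header dict."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def cookies_from_plaintext_request(raw: bytes) -> dict:
    """What a passive sniffer recovers: every cookie the browser sent in clear."""
    _, headers = parse_request(raw)
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return {name: morsel.value for name, morsel in jar.items()}


def replay_request(stolen: dict, host: str, path: str) -> bytes:
    """The hijack: an attacker's request carrying the victim's session cookie.
    No password is needed; the server sees a valid session."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in stolen.items())
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        f"Cookie: {cookie_header}\r\n\r\n"
    ).encode("latin-1")


class _Response:
    """Minimal stand-in for an HTTP response, enough for CookieJar.extract_cookies."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def browser_cookie_header(set_cookie: str, login_url: str, later_url: str):
    """Simulate a browser: store the cookie set by the login response, then report
    the Cookie header it would attach to a later request (None if nothing).
    http.cookiejar honours the Secure attribute the same way a browser does."""
    jar = CookieJar()
    jar.extract_cookies(_Response([set_cookie]), urllib.request.Request(login_url))
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


if __name__ == "__main__":
    stolen = cookies_from_plaintext_request(CAPTURED_HTTP_REQUEST)
    print("sniffed cookies:", stolen)
    print(replay_request(stolen, "mail.example.com", "/mail/settings").decode())

    login = "https://mail.example.com/login"
    weak = "SID=hypothetical-session-id-123; Path=/; HttpOnly"
    hardened = "SID=hypothetical-session-id-123; Path=/; Secure; HttpOnly"
    for label, cookie in (("without Secure", weak), ("with Secure   ", hardened)):
        for scheme in ("http", "https"):
            url = f"{scheme}://mail.example.com/mail/inbox"
            print(label, scheme.ljust(5), browser_cookie_header(cookie, login, url))
```

The point of the second half is the row "with Secure / http": the browser has the cookie but refuses to put it on the wire, so a plain-HTTP request that an attacker provokes (an image link, a redirect) carries nothing worth stealing. Serving the whole session over HTTPS without also setting Secure on the cookie leaves that row populated.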

In response, Google said it was looking into whether it made sense to use HTTPS all the time in Gmail. But, it said, before it did so it wanted to be sure that the average user experience of Gmail was not markedly changed by turning it on.

It feared that enabling the encryption would slow down response times as data was encrypted and decrypted on the user's PC and on Google's mail servers.

"We're planning a trial in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their e-mail," said Google.

Mr Edelman said it was not just Google that was putting users at risk. Every webmail company faced the same problem and should do more to protect its users.

He said it was a problem that would get more acute as services move towards so called "cloud computing".

"Many of the systems we have built for authentication and session maintenance assume no man-in-the-middle attack," he said.


Copyright © 2020 BBC.