Session hijacking could put personal details at risk
Google has been asked to explain why it is not making its Gmail e-mail service more secure.
In an open letter to Google boss Eric Schmidt, security experts, lawyers, and privacy advocates ask why Gmail users are "needlessly" being put at risk.
The 38 signatories want Google to start using the secure version of the HTTP protocol to protect Gmail users.
In response, Google said it was considering trials of the secure system with a select group of users.
"As more of us end up using insecure internet access - such as wi-fi in coffee shops, libraries, and so forth - there's a real risk of session hijacking," said Ben Edelman, a signatory of the letter and assistant professor at Harvard Business School.
When users sign on to Gmail, their login name and password are encrypted as the data passes back and forth using the secure version of HTTP known as HTTPS.
However, said Mr Edelman, this is turned off once sign-on is completed. A similar system works for Google Docs and Calendar.
The risk, he said, was from hi-tech criminals who snoop on the unencrypted data passing back and forth to steal ID files called "session cookies" generated when these applications start being used.
Mr Edelman said that using the cookies could let a criminal pose as a user. In Gmail's case, this could mean they might send e-mails in the owner's name, abuse their identity, change a password, or hijack an account.
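The mechanism described above turns on one detail of how browsers treat cookies: a session cookie issued without the `Secure` attribute is attached to every matching request, including plain `http://` ones, so it crosses the network in the clear. The following Python script is an added example, not code from the article or from Google; it parses constructed `Set-Cookie` headers (the cookie names, values and the `mail.example.test` host are made up), flags session cookies that lack `Secure` or `HttpOnly`, models the browser's send-or-withhold decision for a given request URL, and shows the hardened header a site would emit instead.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers for illustration; they are not real
# Gmail responses.
SAMPLE_HEADERS = [
    # Session cookie issued after login but missing the Secure attribute:
    # a browser will attach it to plain http:// requests, where a passive
    # sniffer on shared wi-fi can read it.
    "SID=constructed-session-token-1; Path=/; HttpOnly",
    # Hardened form: sent only over HTTPS and not readable by page scripts.
    "SID=constructed-session-token-2; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes such as Path keep their value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return (cookie name, list of findings) for a Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie will be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    return name, findings


def browser_would_send(header, request_url):
    """Model the browser's decision for one cookie and one request URL.

    Only the scheme and Path rules are modelled here (domain matching is
    omitted for brevity): a Secure cookie is withheld from non-HTTPS
    requests, and the request path must sit under the cookie's Path.
    """
    _, _, attrs = parse_set_cookie(header)
    url = urlsplit(request_url)
    cookie_path = attrs.get("path", "/")
    if cookie_path is True:  # "Path" given without a value: treat as "/"
        cookie_path = "/"
    if not (url.path or "/").startswith(cookie_path):
        return False
    if "secure" in attrs and url.scheme != "https":
        return False
    return True


def harden(header):
    """Return the header with Secure and HttpOnly added where absent."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    present = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    if "secure" not in present:
        parts.append("Secure")
    if "httponly" not in present:
        parts.append("HttpOnly")
    return "; ".join(parts)


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, findings = audit_cookie(header)
        print(f"{name}: {findings or 'ok'}")
        for url in ("http://mail.example.test/inbox",
                    "https://mail.example.test/inbox"):
            print(f"  sent to {url}? {browser_would_send(header, url)}")
        print(f"  hardened: {harden(header)}")
```

The audit is the check a defender runs against a service's own responses: a session cookie that passes it cannot be captured by a passive sniffer, which is the attack the letter describes, regardless of whether the user ever finds an "always use HTTPS" option. Marking the cookie `Secure` is what makes "HTTPS all the time" stick, since the site also has to stop serving the application over plain HTTP for the protection to be complete.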
[Image caption: As data moves to the cloud more people will be at risk]
"It's a frightening prospect," said Mr Edelman.
The open letter pointed out that Google used HTTPS to protect the data of users of its Health and Voice applications.
While Google does make it possible to use HTTPS all the time when signed on to Gmail, Docs, or Calendar, the option was so hard to find that few would use it, suggested the letter.
It pointed out that most users retain default options and were likely to be leaving themselves at risk.
"...unless the security issue is well known and salient to consumers, they will not take steps to protect themselves by enabling HTTPS," said the letter.
If Google took the step to turn on HTTPS all the time, the risks would be removed.
In response, Google said it was looking into whether it made sense to use HTTPS all the time in Gmail. But, it said, before it did so it wanted to be sure that the average user experience of Gmail was not markedly changed by turning it on.
It feared that enabling the encryption would slow down response times as data was scrambled and unscrambled on a PC and Google's mail servers.
"We're planning a trial in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their e-mail," said Google.
Mr Edelman said it was not just Google that was putting users at risk. Every webmail company faced the same problem and should do more to protect its users.
He said it was a problem that would get more acute as services move towards so-called "cloud computing".
"Many of the systems we have built for authentication and session maintenance assume no man-in-the-middle attack," he said.