I am sure given the audience of this blog that many of you are already forcing Gmail to use SSL, especially if you are on a public computer or wifi network. At the recent DefCon conference a “reverse engineer” Mike Perry presented a tool to hack into unsecured gmail communications on the same network. He plans to release this tool to the public within the next couple of weeks.
According to the announcement and another report on webmonkeys, the reason for this release is that Google has updated the Gmail service to allow users to force connections to SSL without always specifying https when browsing to the site, but not forcing it to on as default. Forgive me if this seems like a fatuous reason to take this type of action, reminiscent of the type of justifications used by kidnappers, “if your loved ones finger happens to get cut off and mailed to you its your fault for not sending me money”. Not meant to imply Perry was after money but to compare the justifications.
The idea that releasing a tool like this is somehow a noble act that demonstrates how one man can stand up to the indifference of a major corporation does not hold any water. Google gmail is a free service for most users, and whether or not it would be better if it was SSL encrypted doing so for everyone would increase the cost of providing that free service. Even if there was an obligation for them to enable SSL, not doing so is no justification for releasing a tool to the world that can only be used for malicious reasons. If Google responds to this by forcing all connections to SSL then they should be highly praised for taking the moral high ground, but people need to stop complaining about things they get for free.
Mike Perry, I don’t know whether you are after fame, money, a job or just a smug sense of self satisfaction. There is no justifiable reason for knowingly releasing this tool to the world and doing so with full knowledge of the consequences makes you little better than those that will use it for ill. If you take this action you will deserve the contempt of the geek community whether you receive it or not.
Use https://mail.google.com or turn on the “Always use https” setting in your gmail properties.
Gmail Hosted doesnt let you force the use of HTTPS yet :(