Why HTTPS is (always) good for you

Even when it comes to e-mail, g-mail, any-mail… and more, including in the cloud Imagine your attic has an extra door that you share with a nosy neighbor. Usually it stays closed (the door, of course). Closed doesn't (always) mean locked. Because neither you nor the neighbor has the key. You assume that your neighbor doesn't sneak in your house, but how would you be able to tell if you are down in the living and the upstairs door is open (not locked)?

This is pretty much the principle that led to the HTTPS (Hyper Text Transfer Protocol Secure) - to protect you and your data from nosy people (not necessarily limited to your neighbors).

HTTPS stands for the use of an ordinary HTTP over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection. When a user connects to a Web site via HTTPS, the Web site encrypts the session with a digital certificate, and establishes a secured connection which makes it impossible for a third party to eavesdrop.

Why should that be so important? Coming back to the nosy neighbor, would you like to have him in upstairs when you call at the bank to check your balance and have to go through that procedure where you recite you name, address, card number, password and so on? Probably not. HTTPS is the protocol you would like to use when you check your e-banking and e-commerce account or when you purchase goods and services on-line. But what about e-mail?

Google, for instance, doesn't think that you need https:// by default for the entire e-mail session - meaning all the time you spend on-line for reading or writing e-mails - but only when you log in to your account: "We use https to protect your password every time you log into Gmail, but we don't use https once you're in your mail unless you ask for it".

In the same blogpost, Gmail Team motivated that "https can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the internet as efficiently as unencrypted data. That's why we leave the choice up to you".

One can tell if they are connected to a secure website if the website URL begins with https:// (instead of http://) and displays a padlock icon to indicate that the website is secure, as it also displays https:// in the address bar.

Ideally, you should always turn this option on, even for e-mail. Or, if you prefer, to change the locker to that attic door and thus make sure that the nosy neighbor is confined to his own quarters.

When you write, read, send and receive e-mails over an unencrypted connection, chances are that you also send some sensitive content. However, in the absence of a secured connection, the data that gets to and from the Gmail's servers in clear could easily be intercepted by a thir party and your session hijacked.

Same principles apply for the so-called in the cloud applications from Google, like Google Docs and Google Calendar. Think about the nosy neighbor getting his fingers on your sales report or... your hot dates calendar : D

So, to permanently enable this feature in Gmail, follow the steps below:

1. Sign in to Gmail.

2. In the upper-right corner of the page, choose Settings.

3. In the Browser Connection category, check the option Always use https.

4. Click Save Changes.