Sunday, August 17, 2008


Making security easier

From the day we launched, Gmail has supported something called https. Https keeps your mail encrypted as it travels between your web browser and our servers, so someone sharing your favorite coffee shop's public wifi can't read it. Your bank and credit card websites use this same protocol to protect your financial data. Typically, free webmail services don't support https, but from the beginning we wanted to build a product so solid you could run a company on it -- we developed Gmail by running our own google.com mail on it -- so security is something we took seriously right from the start.

We use https to protect your password every time you log in to Gmail, but we don't use https once you're in your mail unless you ask for it (by visiting https://mail.google.com rather than http://mail.google.com). Why not? Because the downside is that https can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the internet as efficiently as unencrypted data. That's why we leave the choice up to you.

We care about your security today just as much as we did when we launched, which is why we're constantly working on improvements like the recently launched last account activity and remote sign out. Today, we're making it even easier for you to use https to protect your mail every time you access it. We've added an option to Settings to always use https. If you don't regularly log in via unencrypted wireless connections at coffee shops or airports or college dorms, then you might not need this additional layer of security. But if you want to always use https, then this setting makes it super easy. Whenever you forget to type https://mail.google.com, we'll add the https for you. If you already have the https URL bookmarked, using this setting will ensure you access your account via https even when you don't use your bookmark. Any http link to Gmail (for example, the one at the top of Google.com) will be automatically redirected to https.


We're in the process of rolling this feature out to all Gmail and Google Apps users, so check back in your Settings menu if you don't see it right away. In the meantime, you can go directly to https://mail.google.com right now if you're nervous about snoops. (Or https://mail.google.com/a/example.com if your Google Apps domain is example.com.) Google Apps Premier Edition admins will also be able to select SSL connections for their users via a new preference in the control panel we'll be rolling out shortly.

P.S. Some products that connect to Gmail, like Google Toolbar, are not yet compatible with https. We're working to identify issues like this and get them fixed, so visit your product's Help Center if you encounter problems after enabling this setting. In particular, check out this Gmail Help Center page if you use the Gmail mobile app, as you may initially hit an error when you try to use it (we're working on a fix).