Professors gang up on Google over security

 

Gallery

By Matthew Sparkes

Posted on 17 Jun 2009 at 09:19

A group of influential researchers have urged Google to tighten security around its web services.

The collection of complainants include BT security guru Bruce Schneier and University of Cambridge Fellow Richard Clayton.

"Customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection face a very real risk of data theft and snooping, even by unsophisticated attackers," warns an open letter the group sent to Google CEO, Eric Schmidt.

"Few users know the risks they face when logging into Google's web applications from an unsecured network, and Google's existing efforts are little help," it adds.

Although Google offers HTTPS encryption in GMail, the feature is not active by default. Most users are unaware of the risks involved in unsecured communication online, and GMail's design makes it hard for people to learn, says the group.

Google responded quickly to the criticism, explaining in a blog post that it is looking at ways of rolling out encryption to all users - a feature that most other free webmail services lack entirely.

"Free, always-on HTTPS is pretty unusual in the email business, particularly for a free email service, but we see it as an another way to make the web safer and more useful," writes software engineer, Alma Whitten.

"We're planning a trial in which we'll move small samples of different types of Gmail users to HTTPS to see what their experience is, and whether it affects the performance of their email. Does it load fast enough? Is it responsive enough? Are there particular regions, or networks, or computer setups that do particularly poorly on HTTPS?"

To turn on HTTPS login to GMail, click on settings in the top-right, and scroll to the bottom of the page. The last option on the page allows you to set GMail to always use HTTPS, no matter where you login from.