Tuesday, January 19, 2010

Google enables https by default - Finally!

A day after the beginning of the Google-China soap opera (still ongoing of course) and the reported mail hacks, came the news that Google was making Gmail more secure by enabling https access by default (reported here and here). While https access has been available to users since at least beginning of 2007 (earliest reference I found, check here), you had to go into settings to turn it for default use or use a different URL to login. The funny part is that even last year, privacy advocates had asked Google to enable it by default.

On a personal note, I had enabled this sometime in 2008 I believe, when they introduced a setting to switch and choose the more secure option.

Google says that the switchover was planned since six months and was NOT related to the China issue and reportedly wouldnt have prevented the attacks.

Sam Schillace, an engineering director at Google Apps, said the shift to default HTTPS was not prompted by the attacks and, to the best of his knowledge, would not have averted them. The move had been in the works for some six months, during which time Google engineers did extensive testing and made numerous technical fixes to enable a smooth transition.

However, the announcement itself was prompted by the attack news. “The Gmail team decided, why wait?” he said. “We want our users to be as safe as we can make them be.”

- from Nytimes Blogs

The funny part? If this was 'completely unrelated' to the China issue and Google had planned it all along implies that Google was pretty much prepared for the transition. Indeed, the above comment mentions that it was in process for about 6 months, with 'extensive testing and technical fixes'.

However, if you look at the bottom of the announcement page (here), you see that multiple applications from Google itself, including Gmail Notifier, Gmail for mobile, Google Toolbar, offline Gmail and the iGoogle email widget are all having incompatibilities/issues with the https default setting. Now if this was planned in advance, I dont think it would have been too difficult for Google to simply push out updates for these products. All that was needed was a check to switch to https inside the app automatically if it detected that the user account was configured as such!

Bottomline: While it may have been under consideration, this was clearly a sudden decision without the 'extensive' testing that is Google's trademark. Why they dont they just admit it? Dunno...

Posted by Jasnoor Gill at 00:30
Labels: ,

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)