Monday, August 11, 2008

Gmail security hole you can easily plug

I was going to go into all sorts of detail outlining a security hole in Gmail login and how hackers can use it, but I'd basically be re-hashing what others have already said. If you really need to know the how and why, I'd recommend reading these two posts:

The bottom line is you should always use a secure login when you sign on to Gmail. You can do this manually by typing "https://" instead of "http://" when entering the URL for Gmail. The "s" makes it secure. If you're like me, you're a bit lazy and probably won't remember to do this anyway, so I recommend going into your settings and making Gmail do this by default.

Log in to Gmail and click on "Settings" in the top right corner:
In the settings window (General tab), scroll all the way down, click the circle next to "Always use https", and then click "Save Changes".
Then you never have to worry about it again. As an added bonus, I noticed that when I logged into Blogger to write this post it also gave me a secure login by default. Now I have to see if there's an easy way to make this the default in Google Apps Education Edition.


Rob Butler said...

Unfortunately, if you run Google Apps for domains for your email (which I do), then you are out of luck, since this setting hasn't been added yet (features like this and IMAP support typically take a few months to make it over to Google Apps).

One solution, if you are a Firefox user, is to use Greasemonkey and Better Gmail2, which has a setting to force an https connection. This is what I do. Of course, it doesn't help if you use another browser; then you have to remember to do it yourself.

Steve said...

I hadn't been over to the Google App side yet to check this out. Thanks for the heads up.

Hopefully they'll fix this soon. It's easy to convince other teachers to change one setting. It's a bit tougher to get them to switch browsers and add plugins.

Steve said...

This appears to be rolling out for Apps users. I just clicked the setting in our Education edition to force SSL. But it's not available in my standard edition sites yet.