I apologize up-front if this question has been addressed in the past, but I noticed something interesting with Gmail this morning. It seems that when you log into Gmail, the default connection for user validation is via SSL, however, once your Inbox is loaded, the connection is relegated to ordinary http://. If you change the URL prefix to https://, it seems to reconnect to your Inbox via SSL and then retain the SSL connection for the remainder of the session. This behavior is the same regardless if you are using Firefox or IE.

Given that I frequently connect to my Gmail account via public wireless access points, this is very concerning to me. I looked in the Gmail settings and there does not seem to be an option to force SSL as the default for every session. Therefore my questions to the group are:

1) Am I an idiot and have missed something very obvious here?

2) Is there some other secure messaging solution being used by Gmail over http:// or should I assume that anyone sniff my e-Mail information while connected?

3) How can I force Gmail to maintain an SSL connection every session?

Thanks for any insight you are willing to share.

well.. I checked it out.. and..
if you go to gmail via https://gmail.google.com (won't work if you go via https://www.gmail.com ) it will stay https:// even when you are logged in.. however.. checking my connections shows I am connected to gmail via port 80 anyway..
as they're some sort of frames in it..
so don't guess that even entering https after you logged in won't help you..
I NEVER use public places to check my mail and stuff like that.. wouldn't recommend it either.. only do it if you don't have a choice!

Serhat

What are you worried about exactly?

Even if Gmail was HTTPS from you to the server, what do you think happens after Gmail has to send your email somewhere?

It's bounced endlessly and openly around the internet till it gets to whereever it has to go.

I don't know if Gmail supports PGP, but what could you be doing that's so secretive that you're worried about this?

Serhat - Thanks for the info, it seems when you use gmail.google.com Google uses https for authentication and http for everything else, I assume to save resources. https://gmail.google.com retains the secure session as you describe. I guess my surprise was in that Google didn't maintain a secure session once logged in regardless if you entered the site via http or https. Yes, I may be a bit naive in assuming that this would be done by default.

linux_dude - Thanks for your comments as well, however, I think you missed my point. I use my gmail account for both personal mail as well as for file storage as do many others I know in the business. I'm surprised that you had such a narrow view of what data actually exists in the typical Gmail account. Though I don't keep very sensitive files in the account, on principle I did not want any "skiddies" having a free peak.

Thanks again Serhat, I appreciate your feedback and insight.

I can tell you what I am worried about, The fact that you view gmail as simply an email system. I believe that it has become pretty aparent that gmail is being used as a storage system as well. Perhaps instead of taking such a combative stance you should take a minute to understand the reasoning behind someone's question.

Okay, I don't know why YOU'RE that hostile but maybe it's time to loosen the tinfoil hat and reread what the thread starter is worried about.

Someone getting a warrant 10 years from now to search through all his spam for pr0n and \/i@gra pills isn't what he's worried about, instead it's someone grabbing live wifi traffic about what email he's sending/receiving.

Like I said, Gmail probably doesn't support PGP so why not setup a VPN to your home computer if you're that worried, then ANY traffic over open Wifi points is secure.

Another thing, whole sessions aren't in SSL because SSL requires more CPU overhead, so authentication credentials are done in SSL and then it's cleartext for the rest. Same goes for alot of other webmail providers and alot of other protected areas, such as some chessy banks :-).

BTW: Unless you physically control the server, why do you assume ANY email service you have ever used deleted ANYTHING of yours?

I also found that when you try to login to gmail it uses ssl but right after it authenticates you it changes to a non ssl environment. You can fix this by aborting loading the non encrypted page and change http to https it will load ur email box with ssl (not sure if that stops the server from sending the unencrypted front page). You can also use the link that i discovered below and not even worry about that.



I found this link by doing the above method then, copying the address url once I was in my mailbox, signing out, then entering that copied address. It would then forward me to the address above that solves your issue