Gmail Hack
We love Gmail, the web-based mail service that is run by the folks at the Google search engine. I have tons of space and a pretty snappy email viewer that is free and doesn’t have tons of graphic ad banners competing for my reading attention (text ads don’t seem to bother me as much).
The one thing that I don’t like about most web-based email applications like Gmail, Hotmail, and Yahoo!Mail (among others) is that usually only the login phase of my email session is encrypted and protected from prying eyes. After I have confirmed who I am, usually by proxying to some Secure Sockets Layer (SSL) enabled server, I am dumped to a non-SSL-encrypted inbox where I, and anyone sniffing my network, can read my mail in the peace of the harsh glow of my laptop screen.
That’s a crock! Sure, I want my login credentials protected. That keeps out all the crazies from messing with my account. However, I don’t want just anyone knowing the ingredients of dear Aunt Elma’s Lemon Drop Snappies. That’s sacred stuff.
By default, Gmail is the same.
A typical login session for most users goes something like this…
We type http://gmail.google.com into the Location Bar of our favorite web browser.
We are then taken to an SSL encrypted page where we can put in our login credentials. Some email services only encrypt part of the page, but Gmail does the whole thing. No matter, the effect is the same.
When we click the Sign In (Login, Logon, BeamMeUP) button, our credentials are wrapped in encrypted garbage and verified against the authentication service. If all is well, we are dumped into a non-encrypted page that gives us access to our email.
The problem with this setup is that all the surfing that we do within our email account from this point on is completely in the clear and easily sniffed out of the air waves by those of us that increasingly use WiFi (though unprotected wired networks, like those in some hotels, are also at risk). Anything that we read can potentially be read by anyone else.
Some see this as an overreaction. After all, who cares about our email? And besides, isn’t that hard to do?
Actually, email is rife with useful information like password confirmation messages for various online accounts, including accounts that might store your credit card information. Also, it is incredibly easy to sniff unencrypted network (including WiFi) traffic. Combine the two with opportunity (say, at a WiFi enabled coffee shop or hotel) and you have the makings of a disaster.
Luckily, an undocumented (as far as I can tell) hack makes it possible to not only login securely but also encrypt all of the traffic between your web browser and the Gmail servers.
And the hack is to simply type https://gmail.google.com in your browser’s location bar.
You’ll notice the “s” that I put into the address. This is common stuff now, so no big surprise. You see it every time you order something from Amazon.com or work with your bank.
However, there is a difference.
Normally, when you connect to Gmail, you connect to the default http://gmail.google.com and are immediately redirected to a secure login page whose address begins with https://www.google.com/accounts/ServiceLogin? and somewhere in the middle contains continue=http%3A%2F%2Fmail.google.com.
It looks to me like this is Google’s login proxy. Furthermore, the continue address (those %3A and %2F’s are just the encoded forms of “:” and “/”) indicates where we will be dumped upon successfully logging in, mail.google.com, and what protocol we will be using, the unencrypted http. And if you log in, that is exactly what happens.
Now let’s try going to https://gmail.google.com.
We notice that we are once again redirected to a secure URL that begins with https://www.google.com/accounts/ServiceLogin? but this time, if we scroll over, the continue address has changed. It now reads https%3A%2F%2Fmail.google.com, or https://mail.google.com. So once we’re successfully logged in, we are redirected to the secure version of the Gmail inbox.
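The way to verify this for yourself is to decode the continue parameter of the login URL and see which scheme it carries. Here is an added example (not from the post) that does that decoding; the two login URLs are constructed from the post's description, not captured from Google, and any other query parameters Google sends are left out.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample login-redirect URLs: the one reached via
# http://gmail.google.com and the one reached via https://gmail.google.com.
# Only the percent-encoded "continue" value differs.
LOGIN_VIA_HTTP = ("https://www.google.com/accounts/ServiceLogin?"
                  "continue=http%3A%2F%2Fmail.google.com")
LOGIN_VIA_HTTPS = ("https://www.google.com/accounts/ServiceLogin?"
                   "continue=https%3A%2F%2Fmail.google.com")


def post_login_destination(login_url: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, host) of where the login page sends us afterwards.

    The 'continue' value is percent-encoded (%3A is ':', %2F is '/');
    parse_qs decodes it. Returns None when there is no 'continue' parameter.
    """
    params = parse_qs(urlsplit(login_url).query)
    if "continue" not in params:
        return None
    dest = urlsplit(params["continue"][0])
    return dest.scheme.lower(), dest.netloc.lower()


def inbox_is_encrypted(login_url: str) -> bool:
    """True only if the post-login inbox will be served over https."""
    dest = post_login_destination(login_url)
    return dest is not None and dest[0] == "https"


if __name__ == "__main__":
    for url in (LOGIN_VIA_HTTP, LOGIN_VIA_HTTPS):
        print(post_login_destination(url), inbox_is_encrypted(url))
```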
A simple change that makes all the difference. I just make a bookmark to https://gmail.google.com in my Firefox web browser’s Bookmark Toolbar so that I always reach Gmail securely.
Now, I don’t know why Google doesn’t make this an option on the login page and why they don’t mention it in their help pages. It does work though. No need to pay for a service that does this for you, just use this tip.
Have fun and good luck.