In response to an open letter from dozens of noted security analysts, Google this week said it intends to more broadly turn on security features in its Gmail application by default.
The internet giant also said it was considering how to extend the protection by default to other applications, including Google Docs and Google Calendar.
The six-page open letter to Google CEO Eric Schmidt was signed by 37 researchers and academics in computer science, information security and privacy law. Specifically, they asked Google to protect users by enabling “industry standard transport encryption technology (HTTPS)” for Google’s most popular web applications.
Without a persistent encrypted connection, users can open themselves up to snooping and data theft, even by untrained hackers who can use freely available tools on the internet to perpetrate their attacks, the letter said.
In response, Alma Whitten, a software engineer with Google’s Security & Privacy Teams, wrote in a blog post Tuesday that the internet giant would consider the researchers’ recommendations.
“We’ve long advocated for — and demonstrated — a focus on strong security in web applications,” Whitten said. “In fact, we’re currently looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”
Google currently allows its Gmail users to opt in to always using HTTPS. Meanwhile, users of Docs and Calendar can log in to a protected session by typing HTTPS into their address bars.
But any move to having users automatically protected with the protocol is unlikely to happen immediately.
“We’re planning a trial in which we’ll move small samples of different types of Gmail users to HTTPS to see what their experience is,” Whitten wrote, “and whether it affects the performance of their email.”
Whitten added that Google is considering how to “make this best work with other apps,” such as Docs and Calendar.
Whitten’s sentiments echo a section of the open letter to Google pointing out that users of Microsoft’s Hotmail, Yahoo Mail, Facebook and MySpace also are vulnerable to data theft and account hijacking.
Google’s response seems to be meeting with a positive reaction, at least in some sectors.
“Google’s rapid response is pretty good,” Christopher Soghoian, student fellow at the Berkman Center for Internet & Society at Harvard University and author of the open letter, told SCMagazineUS.com in an email. “I hope that executives from Yahoo, Microsoft and Facebook follow Google’s lead voluntarily, and spare me the effort of coordinating similar letters to their CEOs too.”