Gmail SSL connection

Borrels · Jan 5, 2010

Hey security & Gmail experts,

Is it possible to turn off the Gmail requirement to have a SSL connection to the mail server when connecting via Outlook? I see there is an option in the GMail settings for 'browser connection', but is this only relevant for webmail access or also when using an email client?

How big is the risk of doing the above if the account is always accessed from a home connection i.e. no wi-fi packet sniffers? It is not like all ISP's require SSL to connect to their mail servers.

DBoy_25 · Jan 5, 2010

This is setup server side to force the HTTPS and not HTTP. If this was through a browser you can just back space the S but I don't really know through Outlook. I work for VeriSign inc.

warwickw · Jan 6, 2010

Why would you want to turn it off, Outlook supports it, it is after all secure?

Borrels · Jan 6, 2010

warwickw said:
Why would you want to turn it off, Outlook supports it, it is after all secure?

True. I tested it with Outlook, as that is my email client, but I would like to know as not all emailing programs necessarily support SSL.

Borrels · Jan 6, 2010

DBoy_25 said:
This is setup server side to force the HTTPS and not HTTP. If this was through a browser you can just back space the S but I don't really know through Outlook. I work for VeriSign inc.

When using Gmail through a browser, I noticed that the login screen has HTTPS but it switched back to HTTP as soon as you're logged in and you're starting to browse your inbox. Does that mean your login credentials are secure but not the contents of your mails?

sn3rd · Jan 6, 2010

DBoy_25 said:
This is setup server side to force the HTTPS and not HTTP. If this was through a browser you can just back space the S but I don't really know through Outlook. I work for VeriSign inc.

What exactly do you do there? That statement makes me think you make the coffee

Borrels said:
When using Gmail through a browser, I noticed that the login screen has HTTPS but it switched back to HTTP as soon as you're logged in and you're starting to browse your inbox. Does that mean your login credentials are secure but not the contents of your mails?

The full connection is secure.When you contact the server, a handshake process occurs in which a public key is verified (using digital certficates that are signed by a Certificate Authority like Verisign) and used to decrypt the contents of messages containing keys, cipher details, etc. This information is then used for the actual data transfer.

When you put your login details in, the connection has already been secured. In fact, the connection should be secured when any part of the page loads (in a good browser, that is).

sn3rd · Jan 7, 2010

dequadin said:
Not entirely true. Google will always use a secure connection for your account login page, but not necessary for your your GMail - you have to specify. So your username/password is secure, but I can read your email with wireshark Which is what Borrels is talking about.

Apparently they decided not to secure GMail by default because of performance concerns.

I can't get GMail webmail to not use SSL :-/

sn3rd · Jan 7, 2010

dequadin said:
Settings->General

Browser connection:

Always use https

Don't always use https

D'oh !

Gmail SSL connection

Borrels

Senior Member

DBoy_25

Active Member

warwickw

Expert Member

Borrels

Senior Member

Borrels

Senior Member

sn3rd

Expert Member

sn3rd

Expert Member

sn3rd

Expert Member