In July of this year, Google finally gave webmail users a way to make sure that Gmail always used SSL – the protocol that encrypts connections to prevent hijacking. Through a flip of switch in Gmail’s settings, users could rest assured that their email was at least less vulnerable, if not totally secure from hackers. However, Gmail is not the only Google-based web application where you may be storing personal data. Your files stored in Google Docs should be protected, too. But are they?
Who Has Secure Docs?
For many users of Google Docs, that answer is “no.” According to Google’s Help Topic on SSL as well as their Google Apps Edition comparison guide, SSL is a feature only made available to users of Google Apps Premier and Education Editions. However, in some informal testing on our part, it appears that users of Google Apps for Your Domain were given that option as well, despite the fact that their Google Apps edition clearly reads “Standard.” For everyone else, though, Google Docs remains an unencrypted HTTP session.
In a business or educational setting where Google Docs is being used, your I.T. admin has probably turned on SSL for you by activating the feature that forces SSL sessions for all users. If they have not, though, you can still switch on SSL for yourself, says Google, but their help documentation fails to explain how that can be done. All the documentation says is that “your users can enable HTTPS when necessary.”
What they probably mean is that anyone can type in “https” when entering in the URL for a Google Apps service in the address bar of their browser. Since your average internet user doesn’t think about these sorts of things, though, that’s probably not the best solution in terms of security.
While we hope that any I.T. admin in a corporate setting knows well enough how to enable a basic security feature such as this, it would still make us more comfortable if these sorts of things were enabled by default. The only reason to not enable SSL is because it can slow down your connection to Google services. Still, in the event of network issues, I.T. admins could temporarily disable this feature to speed up access for their users. But Google hasn’t chosen to make security the default – they’ve chosen speed.
Outside of Google Apps, everyday users of Google Docs don’t have an option in their Google Docs settings to force the service to always use SSL. Like those with a neglectful I.T. admin, these Docs users would have to remember to type in the “https” prefix if they want to use a secure connection.
SSL Implemented Haphazardly
Manually typing in “https” is all well and good, but let’s face it – most users won’t ever know to do this and those of us who do know won’t remember. Not only is this process laborious, it’s inefficient, too. For example, those who want to take advantage of the Gmail Calendar and Docs widgets, which allow for one-click access to other Google services from within Gmail, would have to forfeit a secure connection in order to do so. The only recourse would be to not use the widgets at all, and that certainly disrupts our workflow.
However, if you’ve enabled SSL within your Gmail settings, connections to your other Google services will also be encrypted if you use the navigation bar at the top left of your Gmail…but only if you use the navigation bar. Even when signed into your Google account, typing in “docs.google.com,” “calendar.google.com,” or using the Gmail widgets will still take you to the HTTP site.
At Least They Have SSL…
What’s really unfortunate about this potential security issue is the fact that Google is actually leading the way among webmail and web app providers when it comes to offering SSL to its users. Although other free webmail services from Yahoo, Microsoft, and AOL, for example, may authenticate you upon login via HTTPS, they drop down to unencrypted mode immediately after the authentication is completed.
However, it could be argued that those other services are not claiming to be a secure replacements for business use. Since Google promotes Apps as a web-based alternative to expensive desktop software, many people mistakenly assume that means Google services are, in general, “pretty much” secure for personal use, too. Apparently, that’s only true to a point.
It’s also worth pointing out that nothing, not even SSL, can keep a determined hacker out of your account. As ZDNet reported at the beginning of the year, even SSL can’t keep blackhats from hijacking your session through the use of “sidejacking,” a trick that enables hackers to take control of any Web 2.0 app that relies on saved cookie information. (There have also been other reports of Google Docs security issues, but we couldn’t reproduce the problem.)
Providing SSL to everyone is the least Google could do. And to the other webmail/web app providers out there: it’s time you followed suit.
