GMail's dirty little not-so-secret – It's not always Encrypted

So, this is not something new. In fact, it’s been written about a million times, but I thought I’d share with those who read here, in case they’ve missed it.

When you read your gmail, you typically head to http://www.gmail.com and provide your login and password. If you’ll notice, this page is secured with SSL. Whether firefox or IE, you’ll see that little lock/key icon that indicates you’re on an encrypted SSL connection, and your username/password is secured.

What you may or may not have noticed is that once you’ve logged in, your no longer on an SSL connection. That’s right, if you’re on an unecrypted wireless connection (see how easy it is to sniff wireless here), or on a network that is easily sniffed (such as your work), your gmail account is pretty much fair game from that point forward.

Using a packet sniffer (I use Fiddler2 from Microsoft), I was able to read my contacts list, and all of my latest e-mails without any difficult whatsoever. Why Google would have done this originally, I have no idea. maybe performance? Compatibility? Really who knows.

Google realized the error of their ways, and offered a solution:

After much protest from the online community (I myself had never noticed the defect until recently, shame on me) Google enabled the ability to make sessions 100% SSL, so that both your credentials and your e-mail remain encrypted through an SSL connection. But It’s not the default setting.

Again, that makes no sense. Who cares though. Open up your Gmail account, up in the top-right hand corner, select “Settings”, and scroll to the bottom until you see:

Enable “Always use https” and save your settings. On the next page load (You can click your inbox to force it) your gmail will reinitialize, and you’ll be on an SSL connection.

I really have no idea why this is not the default option for Gmail. While I’m appreciative that my credentials are secured, it’s lame that my contacts and e-mail itself is exposed.

Thoughts?