According to a BBC news report, webmail services such as Google Mail are being quizzed on how safe the web-based session system really is for transient visitors.
In an open letter from concerned privacy advocates, lawyers and security experts, Google has been asked why it doesn’t implement secure HTTP for all of its mail service.
The secure HTTP connection, known as HTTPS, is used for logging in and out of the service, but once inside, the session reverts to the standard unencrypted HTTP connection.
Experts fear that the increase in cloud computing, and the desire to be online wherever we go using internet cafés and WiFi hotspots, will leave users of Google Mail, along with other webmail services, open to a "middle-man" attack. Such an attack involves the interception and spoofing of authenticated session browsing cookies and could provide the intruder with full account access.
In response, “we’re planning a trial in which we’ll move small samples of different types of GMail users to HTTPS to see what their experience is, and whether it affects the performance of their e-mail,” said Google.
To be fair, if you’re security conscious (read: healthily paranoid) you can enable HTTPS for the whole of your Google Mail, Calendars and Documents by going into Settings>General>Browser Connection>Always use HTTPS.
The issue here clearly isn’t whether the option is available; it’s about the option becoming the norm, given that most of the 113 million GMail users probably won’t even know that their email sessions have been unsecured thus far, let alone actually hunt out the setting themselves to rectify it.
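
For operators of any webmail service with the HTTPS-login, HTTP-session pattern described above, the following added example (not from the BBC report or from Google) audits the cookies set at login and models which of them a browser would also attach to plain HTTP requests. It relies on the standard `Secure` cookie attribute; the cookie names and values are constructed for illustration and are not those of any real service.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, as an HTTPS login response might return them.
# Cookie names and values are hypothetical, not taken from any real service.
LOGIN_RESPONSE_COOKIES = [
    "LOGIN_TOKEN=constructed-aaa; Path=/; Secure; HttpOnly",
    "SESSION=constructed-bbb; Path=/; HttpOnly",
    "PREFS=lang-en; Path=/",
]


def parse_set_cookie(headers):
    """Return {name: morsel} for a list of Set-Cookie header values."""
    jar = {}
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        jar.update(parsed.items())
    return jar


def cookies_sent(jar, scheme):
    """Names of cookies a browser attaches to a request with this scheme.

    A cookie marked Secure is only sent over https; any other cookie is
    sent over both http and https.
    """
    return sorted(
        name for name, morsel in jar.items()
        if scheme == "https" or not morsel["secure"]
    )


def exposed_after_login(headers):
    """Cookies set at HTTPS login that would also travel over plain HTTP."""
    return cookies_sent(parse_set_cookie(headers), "http")


if __name__ == "__main__":
    jar = parse_set_cookie(LOGIN_RESPONSE_COOKIES)
    print("sent over https:", cookies_sent(jar, "https"))
    print("sent over http: ", cookies_sent(jar, "http"))
```

Any session-bearing cookie that appears in the `http` list is readable by anyone on the same network path once the browser leaves HTTPS, which is why serving the whole session over HTTPS and marking session cookies `Secure` go together.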