Earlier this week, privacy and security researchers urged Google to improve the security of Gmail, Google Docs, and Google Calendar by enabling the more secure HTTPS encryption by default. As it stands, all users log in to Google services over HTTPS. However, most conduct the remaining bulk of their online business with Google -- reading and sending email, editing spreadsheets, and recording appointments -- over HTTP, an insecure method that gives unfettered access to attackers interested in looking at your communications.
Google responded promptly to the letter, saying in a blog post that they are planning tests to investigate the performance trade-offs involved with always-on HTTPS for Gmail, and that the additional cost of processing HTTPS connections would not keep them from implementing it across the board. EFF would like to applaud Google's efforts to offer better privacy defaults to its Gmail users, and we also urge them to prioritize these trials in order to expedite the widespread public implementation of always-on HTTPS. Users should come to expect HTTPS from far more online communication services -- from webmail, to social networking, and even web search. With constant improvements in technology and decreasing computing costs, every provider ought to accelerate efforts to support HTTPS for a wider variety of online communication.
In Surveillance Self-Defense, EFF encourages webmail users to always use HTTPS, whether through browser plugins like CustomizeGoogle for Gmail, or by activating an "always use https" setting, if available. But research has shown that many users don't change the default settings given to them in an application or service. A paper on group calendar software reported that around 80% of the users maintained the default access settings for their calendar -- whether the default was extremely permissive or more privacy protective. For something as important as the security of private email communications, it's clear that encryption should be the default. Users should have strong protection right out of the starting gate for webmail and other online applications.