« Google search links may not be what you think
Put a little bling in your life »

Even encrypted Web-based email is in danger of wireless eavesdropping

Here’s some more unpleasant news about Internet security. If you use Web-based email programs such as Gmail on a wireless connection, even encoding by SSL isn’t as secure as once thought. George Ou writes about the problem at ZDNet:

What’s really sad is the fact that Google Gmail is one of the “better” Web 2.0 applications out there and it still can’t get security right even when a user actually chooses to use SSL mode. Other applications like Microsoft’s MSN/Hotmail and Yahoo don’t even have SSL modes. The fact that they use SSL mode for first time authentication and sign-in is irrelevant because they all drop down to unencrypted mode right after the user authenticates.

In other words, if you use an email program at a public wireless hot spot, assume that everything can be read by someone else in the neighborhood. Actually, I assume that any email that I send, wired or wireless, is subject to being read by strangers. If something is really confidential, don’t use email to send it.

This entry was posted on Thursday, January 31st, 2008 at 2:19 pm and is filed under Email, Privacy, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

2 Responses to “Even encrypted Web-based email is in danger of wireless eavesdropping”

  1. dean Says:
    February 1st, 2008 at 12:14 am

    “If something is really confidential, don’t use email to send it.”

    I’m surprised that encryption hasn’t caught on, which is capable of significantly improving the situation. Perhaps it simply reflects the technically unsophisticated audience. PGP was understandably more difficult to use, but digital certificates from Verisign and Thawte make the process very simple. Thawte, now owned by Verisign, has offered free digital certificates (personal use) for years.

    http://www.thawte.com/secure-email/personal-email-certificates/index.html

    The link is near the bottom of the page. Verisign’s digital certificates are $19.95 per year, hardly an unsurmountable sum for those that really need it.

    http://www.verisign.com/products-services/security-services/pki/pki-application/email-digital-id/index.html

  2. Vic Says:
    February 1st, 2008 at 10:44 am

    I agree that there are encryption methods that can make email pretty secure. Both the sender and the recipient have to know how to use them and my remark was addressed to the average user.