Chrome encrypts Gmail whether you want it or not

Google is a big target for those who want to pry into others' e-mail accounts. The company's browser work is designed to make Gmail harder to hack.

Stephen Shankland principal writer
Stephen Shankland has been a reporter at CNET since 1998 and writes about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science Credentials
  • I've been covering the technology industry for 24 years and was a science writer for five years before that. I've got deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and other dee
Stephen Shankland
5 min read
Google Chrome logo

Google, which has found Gmail to be a target of hacking attempts from China, has modified Chrome so the browser always encrypts connections with the e-mail service.

Google already changed Gmail to use encryption by default, a mode indicated by the "https" at the beginning of a browser address bar that means outsiders sniffing network traffic can't read your e-mail. People could still get to the unencrypted version by typing "http://gmail.com," but no more, for Chrome.

"As of Chromium 13, all connections to Gmail will be over HTTPS. This includes the initial navigation even if the user types 'gmail.com' or 'mail.google.com' into the URL bar without an https:// prefix," Google programmers said on a blog post yesterday. They said that approach defends against sslstrip-type attacks, which can be used to hijack browsing sessions.

The technology used to enforce the encryption is called HSTS, which stands for HTTP Strict Transport Security and which lets a browser specify that a Web site may only be used over a secure HTTP connection. HTTP, or Hypertext Transfer Protocol, is the standard that governs how Web browsers communicate with Web servers to retrieve a Web page.

The moves dovetail with Google's attempt to make security a prominent selling point of its browser. By improving Chrome's security, the company stands to benefit directly by making its own services less vulnerable and indirectly by making the Web a safer place for people to spend personal and professional time.

Google is a prominent target. It has disclosed attacks on Gmail it said appeared to come from China--some in 2009, and more this year. To try to make attacks harder, it's added two-factor authentication to Gmail, which requires a code from a person's mobile phone as well the ordinary password.

Most people don't appreciate the measures Google is taking to secure Chrome and its browser-based operating system, Chrome OS, argues Sundar Pichai, Chrome's senior vice president, in an interview at Google I/O, pointing to measures such as running plug-ins such as Flash and a PDF reader in a sandbox, using a verified boot process with Chrome OS, and making Chrome OS's file system encrypted.

Chrome also is the vehicle for other Google ambitions, for example to speed up the Web. Among aspects of that effort are an HTTP improvement called SPDY; a new ability to preload selected search results pages so they display much faster when a person actually clicks on the links; technology called Native Client designed to run Web-app software much faster; and the WebP image format that Google argues is faster than JPEG.

It's not just about making the Web faster and safer, though. When people use Chrome to perform a Google search, the company doesn't have to share any resulting search-ad revenue with other browser makers such as Mozilla.

The HTTPS-only access to Gmail isn't the only security move Google is making.

Google also is trying to ensure that no users of Chrome and Gmail will be vulnerable to a problem that reared its head in March when an affiliate of a New Jersey company called Comodo was hacked, apparently by an Iranian.

Comodo and its affiliate issue digital certificates that browsers use to establish encrypted connections to Web sites, but the attack produced fake encryption certificates for Yahoo, Skype, Google, and Mozilla. The Comodo issue is leading browser makers to rethink certificate technology.

Now, for some sites including Gmail, Chrome only can obtain certificates originating only from a short list of providers, not from the hundreds available on the global Internet. That list includes Verisign, Google Internet Authority, Equifax, and GeoTrust, according to a blog post by Adam Langley, a Google programmer. He adds that the list is visible in Chrome's source code.

In the longer run, there's another significant security move on the horizon: Google is rebuilding Chrome atop its Native Client technology, gradually making more parts of the browser execute in a more secure "sandbox" whose isolation from other computing resources makes it harder for attackers to take over a computer through a browser-based attack.

That move will begin with Chrome's PDF reader, but it won't be switched on until Google is confident of the technology, Pichai said.

A close cousin of security is privacy, for example in the case where a government might want to see if a dissident has visited a particular Web site. Browser makers are working to extend beyond today's private-browsing modes that don't leave traces on a computer to private-browsing modes that don't leave traces on servers, either.

For example, Chrome, Firefox, and Internet Explorer all are getting a technology to delete local stored objects (LSOs), which in practice means it's harder for Web sites to keep track of users through "evercookies." Standard cookies are text files that can be deleted by browser users, but with Adobe's Flash Player, other plug-ins, and new HTML storage techniques, there are more ways for Web browsers to store that data even when ordinary cookies are deleted.

Evercookies are an overt way to track people. But there are subtler fingerprints a browser leaves behind that can help identify who's using a browser, as the Electronic Frontier Foundation's Peter Eckersley documented last year in his Panopticlick report (PDF.)

Chrome is based on the WebKit browser engine project that's also the foundation of Apple's Safari. Now WebKit engineers are evaluating the idea of "tracking-resistant browsing" that reduces that fingerprint.

One example, described in the WebKit documentation of the tracking-resistant browsing, concerns the user-agent string--the text a browser sends a Web server to describe its version number, compatibility, and operating system. Differences between different people's user-agent strings means that a each carries enough information to narrow it down to about one in a thousand randomly selected browsers.

Even a thousandth of the total number of Web browsers is a huge number, of course, but there are plenty of other ways to narrow down a search: time zone, installed plug-ins, fonts, and screen resolution, and more.

It's not clear yet how much appetite there is for obscuring these fingerprints, though.

"I'm skeptical that doing these things will provide anything more than window dressing, but I certainly don't want to discourage you from trying," said WebKit programmer Adam Barth in a comment. He requested more information: "I'd like to see us make tracking harder...I'd just like us to understand what we're buying and what we're paying for it."