Gmail and SSL

January 27, 2009 9:05 PM


Previously I had reported on the Gmail Account Hacking Tool and how I thought the threat was overblown.  I said that I would not use SSL with Gmail as recommended because I thought it would affect the performance.

Well soon after that article my security friend sent me an email and convinced me to always use SSL with Gmail.  I have been using SSL with Gmail for several months and have not noticed a performance difference.  I would recommend you do the same.

Packet sniffing is a real problem.  Email harvesters are constantly searching sniffed packets for email addresses, session IDs, and other personally identifiable information (PII) for spamming purposes.

Even if you have secure Wi-Fi, that only secures the connection between your laptop and your home router.  From the house to Google, it’s unencrypted.  An SSL connection, on the other hand, carries from your laptop all the way to the server regardless of the communication medium.

So what about SSL slowing down my network connection?  The impact is negligible.  There’s only MAYBE a noticeable performance hit the first time you make an HTTPS connection between your browser and a web server.  It is noticeable because of the key generation, certificate exchange, certificate verification, key exchange, etc.  This only happens the first time.  Every time your browser goes back, it just reuses the same SSL encryption key.  You don’t have to repeat this initial SSL handshake unless you close your browser or go back a day later.

What about encryption algorithms eating up CPU cycles?  Encrypting a packet of data is not the bottleneck.  Current algorithms on 2-year-old CPUs can encrypt close to 7-10 MB/second, far faster than any DSL or cable modem connection.

What about encryption algorithms eating up CPU cycles on the web server?  With advanced networking equipment, hardware-based SSL acceleration and load balancing keep server response times low, and are common practice.

How big a deal is packet sniffing?  All proxy servers, firewalls, and network address translators (NATs) can look at network packets passing through them.  There are probably 3 to 6 of them between you and Gmail.  If the connection between you and a web server is over SSL, these network junctions cannot view or tamper with your packets.  They simply act as pass-through points.  Some vendors build logging capability into these servers.  For an attacker who is trying to sniff data, these are likely targets for hacking.
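To make the pass-through point concrete, here is an added example (not part of the original post) that reports what a device on the path can read from one captured payload: the cookie names and email addresses in a plaintext HTTP request, but only the 5-byte record header of an SSL/TLS record. The host name, cookie, address and sample bytes are constructed for illustration.

```python
import re

# SSL/TLS record content types, from the 5-byte record header.
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
HTTP_START = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed samples (made-up host, cookie and address; not real traffic).
PLAIN = (b"POST /mail/send HTTP/1.1\r\n"
         b"Host: mail.example.test\r\n"
         b"Cookie: SID=abc123; lang=en\r\n"
         b"Content-Type: text/plain\r\n\r\n"
         b"to=alice@example.test&body=hello")
# Header: type 23, version 3.1, length 32; the 32 bytes stand in for ciphertext.
ENCRYPTED = bytes([23, 3, 1]) + (32).to_bytes(2, "big") + bytes(range(32))


def visible_to_intermediary(payload: bytes) -> dict:
    """Return what a pass-through device can read from one TCP payload."""
    seen = {"protocol": "unknown", "tls_record": None,
            "cookie_names": [], "emails": []}
    if len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3:
        # Only the record header is in the clear; the rest is opaque.
        seen["protocol"] = "tls"
        seen["tls_record"] = (TLS_TYPES[payload[0]],
                              int.from_bytes(payload[3:5], "big"))
    elif HTTP_START.match(payload):
        seen["protocol"] = "http"
        head = payload.partition(b"\r\n\r\n")[0]
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"cookie":
                # Report cookie names only; the values are equally readable.
                seen["cookie_names"] += [pair.split(b"=")[0].strip().decode()
                                         for pair in value.split(b";")]
        seen["emails"] = sorted({m.decode() for m in EMAIL_RE.findall(payload)})
    return seen


if __name__ == "__main__":
    for label, sample in (("plain HTTP", PLAIN), ("SSL/TLS", ENCRYPTED)):
        print(label, visible_to_intermediary(sample))
```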

One Response to “Gmail and SSL”

TC wrote a comment on January 29, 2009

