Rants From Muy Brain

How To Secure Gmail

August 21st, 2008 by John Strunk

Security

This has probably been covered many times in forums and news articles, but I wanted to reemphasize the need for security with Gmail. Gmail is great, there is no doubt about it, and I love it and use it every day. You need to be aware, though, that while logging in at Gmail’s website initially uses SSL/HTTPS to protect the password exchange, you are immediately dropped back to a plain-text HTTP session for the rest of the time you are logged in.

After that secured initial login, the system uses session-based tracking to make sure you are who you say you are, so that you don’t have to re-enter your password for every click in the interface. On the surface it seems reasonable to need encryption only while logging in, since the password itself is protected. However, anyone sniffing your network traffic can grab the session data in transit, because it isn’t encrypted. It is then trivial for an attacker to reuse your session data and enter your account without authenticating. From there, they can read your mail and wreak all kinds of havoc on your account.

This is why it is important to set up HTTPS when using Gmail. Once logged into Gmail:

  • Go to Settings
  • Next to “Browser connection”, click the radio button next to “Always use https”
  • Click “Save Changes” below
  • Log out then log back in

Your entire session will now run over encrypted HTTPS, from the password exchange to the session exchange.
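The risk described above comes down to one question a defender can check mechanically: is the session cookie ever sent over plain HTTP? The script below is an added example, not code from the original post or from Google; it audits Set-Cookie headers and flags session-looking cookies that are issued over HTTP or lack the Secure attribute (which tells the browser never to resend the cookie over a plaintext connection). The cookie names, values and the `SESSION_HINTS` heuristic are constructed for illustration; the "before" and "after" samples model the plaintext session and the "Always use https" setting respectively.

```python
# Added example (not from the original post): audit Set-Cookie headers the way a
# defender would check whether a web app's session cookie can leak over plain HTTP.
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    secure: bool
    http_only: bool
    problems: list = field(default_factory=list)


# Substrings that suggest a cookie carries a session or auth token (constructed heuristic).
SESSION_HINTS = ("sid", "sess", "session", "auth", "token", "login")


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, {attribute: value or True for flags})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name.strip(), attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookies(set_cookie_headers, scheme: str):
    """Return one CookieFinding per header. `problems` is non-empty when a
    session cookie could be observed by someone sniffing the network."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        secure = "secure" in attrs
        http_only = "httponly" in attrs
        problems = []
        if looks_like_session_cookie(name):
            if scheme.lower() != "https":
                problems.append("issued over plaintext HTTP, visible in transit")
            if not secure:
                problems.append("missing Secure: browser will resend it over plain HTTP")
            if not http_only:
                problems.append("missing HttpOnly: readable by page scripts")
        findings.append(CookieFinding(name, secure, http_only, problems))
    return findings


def summarize(findings):
    """Map cookie name -> problems, keeping only cookies that have findings."""
    return {f.name: f.problems for f in findings if f.problems}


# Constructed sample responses (not real Gmail headers).
PLAINTEXT_SESSION = [  # session continues over http://, cookie not marked Secure
    "SID=constructed-session-value; Path=/; HttpOnly",
    "PREF=lang=en; Path=/",
]
HTTPS_ONLY_SESSION = [  # "Always use https": session over https://, cookie marked Secure
    "SID=constructed-session-value; Path=/; Secure; HttpOnly",
    "PREF=lang=en; Path=/",
]


if __name__ == "__main__":
    print("before:", summarize(audit_cookies(PLAINTEXT_SESSION, "http")))
    print("after: ", summarize(audit_cookies(HTTPS_ONLY_SESSION, "https")))
```

Run against the plaintext sample the audit reports two problems on the SID cookie; against the HTTPS-only sample it reports none. Feeding it the Set-Cookie headers from a real response (for instance from `curl -i`) applies the same check to any site whose session cookie you want to verify.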

Posted in All, Security
