Improvement to GMail security

2008-07-26

Array of cheeses

Much to my delight, GMail has added an ‘Activity on this account’ feature. It is located at the bottom of the inbox page, where it lists the time of the last account activity. Clicking ‘Details’ opens a pop-up showing the last five instances of account access, the form of access (browser, POP, IMAP, etc.), and the IP address.

This is a big security advance. Previously, anyone who knew your GMail password could access your account at will, with no way for you to know. They could even be logged in at the same time as you, with no sign on your machine that this was happening. The new feature addresses this as well: it includes an option to log out all other sessions.

GMail users should definitely take a peek at this information from time to time, especially if they are in the habit of using their account from shared or public computers. Given (a) how much information the accounts store and (b) how easily searchable they are, any attack that gains access to your GMail account could have serious consequences.

{ 11 comments… read them below or add one }

Mark July 26, 2008 at 1:39 pm

They also added an option to read your mail over a https connection:
http://blogoscoped.com/archive/2008-07-25-n17.html

Both very welcome changes!

Anon July 27, 2008 at 5:35 pm

For greater security, consider adding encryption to GMail.

Milan July 27, 2008 at 7:35 pm

Mark,

I have been using – and appreciating – the HTTPS version for some time. For considerably longer, the login page has used SSL.

Anon July 27, 2008 at 7:57 pm

In response to your photo:

The Cheese Shop sketch, Monty Python

Milan August 12, 2008 at 11:27 am

Incidentally, I suggested that Google implement this system back on January 6th, 2007.

Milan August 12, 2008 at 11:28 am

R.K. August 19, 2008 at 11:59 am

GMail has added another security feature.

Under ‘settings’ you can now turn on “Always use https.” Here is one attack that it helps defend against.

Milan July 17, 2009 at 10:32 am

Google now allows you to recover your GMail password using a text message sent to your mobile phone. While obviously not infallible, such a system seems much better than password recovery questions like the infamous ‘mother’s maiden name.’

They also have a page with tips on account security.

. January 13, 2010 at 9:59 pm

Gmail Moves To HTTPS By Default

“Although Gmail has long supported HTTPS as an option, Gmail announced their decision yesterday to switch everyone to HTTPS by default: ‘We initially left the choice of using it up to you because there’s a downside: https can make your mail slower since encrypted data doesn’t travel across the web as quickly as unencrypted data. Over the last few months, we’ve been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.’ I wonder if this has anything to do with the reports of Chinese users having their accounts hacked? ‘Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,’ said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail’s servers.”

. March 25, 2010 at 9:38 am

Gmail hijack detection tool
By Cory Doctorow on security

Google has launched a new Gmail tool that uses some clever auto-sleuthing to predict when your account has been hijacked and warn you about it before some illiterate crook can send all your friends emails saying that you’ve been arrested in Jamaica and need! cash! fast!

. February 13, 2011 at 6:54 pm

Advanced sign-in security for your Google account
2/10/2011 08:30:00 AM

Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples (like the classic “Mugged in London” scam) that demonstrate why it’s important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.

Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we’ve developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you’re the real owner of your account. Now it’s time to offer the same advanced protection to all of our users.
