Google is putting millions of users at risk of fraud from hackers and needs to enable encryption by default on its most popular web apps, including Gmail and Google Docs, a gaggle of security researchers told the search giant Tuesday in an open letter.

At issue are the current default settings for Google's popular web applications. The settings use the secure "HTTPS" protocol only for logging in, and fall back to unencrypted browsing thereafter. If a user doesn't know how to force Google to use HTTPS full time, he's vulnerable to a host of nasty hack attacks when using an open or badly secured network, particularly a public Wi-Fi spot.

Most of the web's cloud computing applications leave users just as vulnerable to having their e-mail and social networking accounts hijacked, the letter admits, but the collection of security professionals is leaning on Google to take a leadership role.

"Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help," the letter reads. "As a market leader in providing cloud services, Google has an opportunity to engage in genuine privacy

and security leadership, and to set a standard for the industry."

The 37 signatories to the letter (.pdf) include the country's top encryption and security experts, ranging from Ron Rivest – the inventor of some of the most popular encryption tools – to Rsnake, one of the net's most agile good-guy hackers. The posse seems to have been called together by Christopher Soghoian, a computer researcher, programmer and privacy provocateur.

The letter notes that Google locks down other applications, such as Google Voice, Health, AdSense and AdWords, by running all their traffic – not just the login – via the https protocol. That's how banks run their sites, since that encrypts the communication between a user's browser and company's servers, making it virtually impossible for a hacker to get at the data in transit. That's important, given how often people use open and untrusted wireless connections that can easily be snooped on.

Currently, Google's web apps do require users to log-in via https, but after that, most users check their email, read their documents and look at their calendars "in the clear." That means any ne'er-do-well with the brains to install WireShark or Linux can sit in a cafe, using their packet sniffer to check, read, and look along with them. Even worse, a clever attacker can "side-jack" the user's cookie and actually log-in to those services at the same time the user is in them. From there they can edit and delete your documents, scour your email for sensitive data and even send out mail under your name.

Google responded Tuesday morning, saying that it is already ahead of the pack by even offering HTTPS, and that the company is looking into whether it would make sense to turn it on as the default for all Gmail users.

"Free, always-on HTTPS is pretty unusual in the e-mail business, particularly for a free e-mail service," Google engineer Alma Whitten wrote Tuesday morning on Google's security blog. "It's something we'd like to see all major webmail services provide."The company is planning a trial where small samples of different types of Gmail users will be shifted to a default HTTPS to see how fast things load, how happy users are and what networks or computer setsups fair badly, according to Whitten.

"Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users," Whitten wrote, noting that the extra cost associated with the computing power needed for encyrption was not holding the company back.For right now, the security problems can largely be solved currently by into Google's options and changing the "Browser Connection" setting from 'Don't always use HTTPS ' to 'Always use HTTPS.' Firefox users can also use the Customize Google extension to fix the problem for many Google applications, and others can force Google to use HTTPS for a particular session by going directly to a Google HTTPS address, rather than being redirected there. (Note, the last solution doesn't stop so-called sidejacking attacks unless users also change the Google account SSL option).

So why hasn't Google switched on HTTPS for all accounts?

Well, according to Google's own post, the default to HTTP was made for speed and user experience reasons. HTTPS sessions involve a lot more computation on both sides of the transaction, and that also means more load on Google's servers – which easily translates into larger expenses for the company. And that's good enough security for users of a secure wireless or a wired network, unless there's an intruder in the network or someone is spying on all of an ISPs' internet traffic.

The letter's signatories say Google engineers can solve any technical problems with always using https.

"Google’s engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense – we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default.

Shorter version of the letter: What do we want? H T T P S! When do we want it? Now.

UPDATE: This post has been updated Tuesday morning to include comment from Google.

Photo: An Enigma machine, a sophisticated encryption tool used by Germany in WWII. English codebreakers managed to reverse-engineer the system, leading to much havoc for the German navy. Flickr/Kevin Bocek

See Also: