Lately, I have been using Google Apps for some of my work. Started off with mail, moved to calendar, and then to docs. The hardest part of this before today was getting used to the limited capabilities within Google Docs. Today, I realized that Google Apps has a huge security hole in it that scares the hell out of me.
There is no configuration option (that I or others have found) to force all interactions with Google Apps to be secure!
Sure, Google Apps will encrypt your password as you log in. But if you are passing sensitive information via GMail, or storing sensitive information in Google Docs, all that information will be passed over the internet in the clear! Google Apps lacks a configuration option to “encrypt all access to Google Apps”. (I’m letting the security aspect of encrypting the data on the Google servers slide for now…one thing at a time.)
Sure, you can manually change every Google App’s URL to be encrypted (to use https), but expecting users to do this is a fallacy. Users are the weakest link of the security chain…they will forget, and information will be passed unsecured. And some people will say that “encrypting everything is too much overhead”, but that is the smallest price to pay for security. Most people don’t think of security until it is too late. If Google wants Apps to be taken as a serious service, then this is a needed price to pay.
If you are a corporate user of Google Apps, send Google a message that this hole needs to be filled! Even if you’re not a corporate user, but are a user that takes their security seriously…send the message!
In the meantime, make sure you install one of the following plug-ins in your web browser:
- Firefox: The CustomizeGoogle Add-On – https://addons.mozilla.org/en-US/firefox/addon/743
- Internet Explorer: The CG4IE utility (CustomizeGoogle for InternetExplorer) – http://www.cg4ie.com/
I now use the Firefox add-on on every computer I use. When configured properly, it will automatically change all the URLs going to Google Apps to encrypt them (to use https). I disabled all the other features of the plug-in (which I didn’t see value in).
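To make concrete what the add-on is doing on every request (and what the manual “change the URL to https” step above amounts to), here is a small JavaScript rewriter written for this post as an added illustration; it is not code from the CustomizeGoogle add-on or from Google. The list of Google Apps hostnames is an assumption for the example, and `isClearText`, `enforceHttps` and `auditLinks` are names chosen here. It upgrades `http://` to `https://` only for the listed hosts, leaves every other URL untouched, and can audit a batch of links to report which ones would still go out in the clear.

```javascript
// Added example (not the add-on's own code): an HTTPS-upgrade rewriter of the
// kind a browser plug-in applies to outgoing Google Apps requests.

// Assumed host list for the example; calendar was served under
// www.google.com/calendar at the time this post was written.
const GOOGLE_APPS_HOSTS = new Set([
  "mail.google.com",
  "docs.google.com",
  "calendar.google.com",
  "www.google.com",
]);

// True when the URL would carry Google Apps traffic unencrypted.
// Relative or malformed strings are not absolute URLs, so they are not judged.
function isClearText(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false;
  }
  // URL already lowercases the hostname, so the Set lookup is case-insensitive.
  return url.protocol === "http:" && GOOGLE_APPS_HOSTS.has(url.hostname);
}

// Rewrite http:// to https:// for the listed hosts only; path, query and
// fragment are preserved. Anything not in scope is returned unchanged.
function enforceHttps(urlString) {
  if (!isClearText(urlString)) {
    return urlString;
  }
  const url = new URL(urlString);
  url.protocol = "https:";
  return url.toString();
}

// Audit helper: given a list of links (e.g. scraped from a page or a mail),
// return the subset that would still be sent in the clear. An empty result
// means every Google Apps link is already encrypted.
function auditLinks(urlStrings) {
  return urlStrings.filter(isClearText);
}

// Constructed sample input to show the behaviour.
const sampleLinks = [
  "http://mail.google.com/mail/?shva=1",
  "https://docs.google.com/",
  "http://www.google.com/calendar/render",
  "http://example.com/",
  "/relative/path",
];

for (const link of sampleLinks) {
  console.log(link, "->", enforceHttps(link));
}
console.log("still clear-text:", auditLinks(sampleLinks));
```

Note that the rewriter only protects hosts it knows about; a new Google Apps hostname, or a user who disables the plug-in, reopens the hole, which is exactly why the fix belongs on the server side as a configuration option rather than in every user’s browser.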
These add-ons are not a solution to this problem. Again, they require action by the user and can also be disabled by the user (remember: weakest link in the security chain!). Google needs to add the previously described feature to Google Apps ASAP in order to provide adequate security to the users of Google Apps.