Defcon 2007 was a great demonstration that HTTPS logins give everybody a false sense of security. The hacker convention revealed that dozens of people unknowingly gave up their Gmail account info through a cookie exploit: logging in over HTTPS protected the password, but the session cookie was then sent in the clear on every plain-HTTP request. Many people also used Gmail in the clear (HTTP) rather than encrypted (HTTPS). The resulting privacy breaches were pretty brutal.
Lesson #1: Always use HTTPS for your entire Gmail session, not just the login. Update your bookmarks accordingly: https://mail.google.com/mail/
Lesson #2: If you use the Google Toolbar, as I do, be sure to edit the Gmail button so that it always uses HTTPS. Here’s how:
(Note: The screenshot accompanying this post shows several dialogs as they appear in the Firefox Google Toolbar. There are some cosmetic differences from the IE Google Toolbar, but the steps are the same.)
- Click the “Settings” button on your Google Toolbar and select “Options”. This will bring up a Google Toolbar Options dialog.
- Select the “Buttons” tab at the top, then select the Gmail button in the Custom Buttons list.
- Click the “Edit” button on the right, then click the “Use Advanced Editor” link in the window that pops up.
- A new browser window will open, displaying the XML specification for the Gmail button. Scroll about half-way down until you see these elements:
    <search>http://mail.google.com/mail/ … </search>
    <site>http://mail.google.com/?source=navclient</site>
    <feed refresh-onclick="true" … >http://mail.google.com/mail? …</feed>
- Change each instance of “http” to “https” in those elements.
- Click “Save to Google Toolbar” and close all of the open windows, choosing “OK” until everything is closed again.
Now any time you press the Gmail button, you’ll be using HTTPS for the entire session. Like Gandalf says, “Keep it secret, keep it safe.”
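If you would rather not hand-edit the button XML, the same change can be scripted. This is an added example, not code from the post or from Google; the button XML below is a constructed sample modelled on the three elements the steps above mention, not the real (longer) button definition, and the element names are assumed to appear as shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the button XML the post describes.
# The real Gmail button definition is longer; only the shape matters here.
SAMPLE_BUTTON_XML = """<custombuttons>
  <button>
    <title>Gmail</title>
    <search>http://mail.google.com/mail/?q={query}</search>
    <site>http://mail.google.com/?source=navclient</site>
    <feed refresh-onclick="true">http://mail.google.com/mail?feed=atom</feed>
    <icon>http://mail.google.com/favicon.ico</icon>
  </button>
</custombuttons>"""

# The three elements the post tells you to edit: these carry the session.
SESSION_ELEMENTS = ("search", "site", "feed")


def local_name(tag):
    """Strip an XML namespace prefix such as '{uri}search' down to 'search'."""
    return tag.rsplit("}", 1)[-1]


def harden_button_xml(xml_text):
    """Rewrite http:// to https:// in <search>, <site> and <feed>.

    Other elements (icon, title, ...) are left alone.
    Returns (new_xml_text, number_of_urls_rewritten)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for el in root.iter():
        if local_name(el.tag) in SESSION_ELEMENTS and el.text:
            url = el.text.strip()
            if url.lower().startswith("http://"):
                el.text = "https://" + url[len("http://"):]
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def cleartext_session_urls(xml_text):
    """Check: list any http:// URL still present in the session elements."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if local_name(el.tag) in SESSION_ELEMENTS
            and el.text and el.text.strip().lower().startswith("http://")]


if __name__ == "__main__":
    hardened, n = harden_button_xml(SAMPLE_BUTTON_XML)
    print(f"rewrote {n} URL(s); still cleartext: {cleartext_session_urls(hardened)}")
    print(hardened)
```

Paste the hardened output back into the Advanced Editor and save; `cleartext_session_urls` should return an empty list afterwards.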

3 responses so far
1 Kenneth Zerba // Aug 29, 2007 at 4:59 pm
Should HTTP in lesson #1 be HTTPS???
2 Mark Woodman // Aug 29, 2007 at 5:39 pm
Woops, good catch. Fixed.
3 Peter // Apr 24, 2008 at 2:00 am
Exactly what I was looking for. Thanks a lot for the tip