Google seems to have discovered the benefits of using SSL to encrypt HTTP traffic. In a post on the Gmail blog, Engineering Director Sam Schillace explains that Google has finally started valuing security over latency and has enabled HTTPS by default.
Gmail has always used SSL to encrypt the authentication credentials sent from the login page. Past the login page, however, all communication has been in the clear by default, so users have been accessing their messages over an unencrypted session. Users could choose to use SSL for the entire session, but because encryption would make Gmail slower, Gmail did not use it by default.
The latest change means the entire session will be encrypted by default.
If you haven’t enabled SSL for the entire session before, you may see more latency when accessing Gmail. Encrypting data requires more resources. As Schillace comments in the post:
“Over the last few months, we’ve been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.”
To Gmail’s credit, it’s the only free web email provider that appears to offer SSL for the entire session. Microsoft’s Live Mail and Yahoo Mail offer SSL-encrypted login pages, but there’s no option to use SSL for the entire session. It’s about time they followed suit.