Much to my delight, GMail has added an ‘Activity on this account’ feature. It is located down at the bottom of the inbox page, where it lists the time of last account activities. Clicking ‘Details’ leads to a pop-up showing the last five instances of account access, the form of access (browser, POP, IMAP, etc), and the IP address.
This is a big security advance. Previously, anyone who knew your GMail password could access your account at will, with no way for you to know. They could even be logged in at the same time as you, with no sign on your machine that this was happening. This is also addressed by the new feature, which includes an option to log out all other accounts.
GMail users should definitely take a peek at this information from time to time, especially if they are in the habit of using their account from shared or public computers. Given (a) how much information the accounts store and (b) how easily searchable they are, any attack that gains access to your GMail account could have serious consequences.
They also added an option to read your mail over a https connection:
http://blogoscoped.com/archive/2008-07-25-n17.html
Both very welcome changes!
For greater security, consider adding encryption to GMail.
Mark,
I have been using – and appreciating – the HTTPS version for some time. For considerably longer, the login page has used SSL.
In response to your photo:
The Cheese Shop sketch, Monty Python
Incidentally, I suggested that Google implement this system back on January 6th, 2007.
See also: Is someone else using my GMail?
GMail has added another security feature.
Under ‘settings’ you can now turn on “Always use https.” Here is one attack that helps defend against.
Google now allows you to recover your GMail password using a text message sent to your mobile phone. While obviously not infallible, such a system seems much better than password recovery questions like the infamous ‘mother’s maiden name.’
They also have a page with tips on account security.
Gmail Moves To HTTPS By Default
“Although Gmail has long supported HTTPS as an option, Gmail announced their decision yesterday to switch everyone to HTTPS by default: ‘We initially left the choice of using it up to you because there’s a downside: https can make your mail slower since encrypted data doesn’t travel across the web as quickly as unencrypted data. Over the last few months, we’ve been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.’ I wonder if this has anything to do with the reports of Chinese users having their accounts hacked? ‘Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,’ said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail’s servers.”Although Gmail has long supported HTTPS as an option, Gmail announced their decision yesterday to switch everyone to HTTPS by default: ‘We initially left the choice of using it up to you because there’s a downside: https can make your mail slower since encrypted data doesn’t travel across the web as quickly as unencrypted data. Over the last few months, we’ve been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.’ I wonder if this has anything to do with the reports of Chinese users having their accounts hacked? ‘Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,’ said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail’s servers.”
Gmail hijack detection tool
By Cory Doctorow on security
Google has launched a new Gmail tool that uses some clever auto-sleuthing to predict when your account has been hijacked and warn you about it before some illiterate crook can send all your friends emails saying that you’ve been arrested in Jamaica and need! cash! fast!
Advanced sign-in security for your Google account
2/10/2011 08:30:00 AM
Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples (like the classic “Mugged in London” scam) that demonstrate why it’s important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.
Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we’ve developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you’re the real owner of your account. Now it’s time to offer the same advanced protection to all of our users.