Previously I had reported on the Gmail Account Hacking Tool and how I thought the threat was overblown.  I said that I would not use SSL with Gmail as recommended because I thought it would affect the performance.

Well soon after that article my security friend sent me an email and convinced me to always use SSL with Gmail.  I have been using SSL with Gmail for several months and have not noticed a performance difference.  I would recommend you do the same.

Packet sniffing is a real problem.  Email harvesters are constantly searching and sniffed packets for email addresses, Session ID’s, and other personal identifiable information (PII) for spamming purposes.

Even if you have secure wifi, that’s only secure the connection between your laptop, and our home router.  From the house to google, it’s unencrypted.  So, an SSL connection would carry from your laptop to a server regardless of the communication medium.

So, what about SSL performance slowing down my network connection, it’s negligible.  There’s only MAYBE a noticeable performance hit the first time you make an HTTPS connection between your browser and a webserver.  This is noticeable, because there’s key generation, certificate exchange, certificate verification, key exchange, etc.  This only happens the first time. Every time your browser goes back, it just uses the same SSL encryption key every time.  You don’t have to do this initial SSL handshake unless your close your browser, or go back a day later.

What about encryption algorithms eating up CPU cycles.  Encrypting a packet of data is not the bottle neck.  Current algorithms on 2 year old CPU’s can encrypt close 7-10MB/second.  Far far faster than any DSL or Cable modem connection.

What about encryption algorithms eating up CPU cycles on the webserver.  With advance networking equipment, hardware based SSL acceleration and load balancing keeps server response times low, and is common practice.

How big a deal is packet sniffing?  All proxy servers/fire walls, and network address translators (NATs) can look at network packets passing through them.  There are probably 3 to 6 of them between you and gmail.  If the connection between you and a webserver is over SSL, these network junctions can not view or tamper with your packets. They simply act as pass-through points.  There is logging capability built into these servers from some vendors.  For an attacker who is trying to sniff data, these are likely targets for hacking.

Related posts:

1. Gmail Account Hacking Tool
2. Setting up Gmail with Apple Mail
3. Windows is unable to connect to the selected network

Mike Perry is going to release a Gmail Account Hacking Tool which will allow hackers to get into anyone’s Gmail account.

After reading the article and another article I think the threat is overblown.  If you check your email in private on a wired or secure wireless network you are fine.  In public if you use https://gmail.com you will be fine.  Always using SSL for Gmail seems to be overdoing it and could slow the performance of Gmail.

I have one security friend who will probably disagree with me.  And maybe he can convince me because this article about someone who lost his domain because his Gmail account was hacked is quite sobering.

Related posts:

1. Gmail and SSL
2. Setting up Gmail with Apple Mail
3. Empty Your Inbox