Gmail refined a fix to its online address book Tuesday so that it still collects email contacts automatically by usage but gives the user more manual organizational control. The release is slowly rolling out to all accounts.
The fix refines a previous one where it would automatically sort previously used email addresses into a “Suggested Contacts” group. If you continually used addresses more than five times, addresses would be automatically added to your “My Contacts” group.
The previous fix would offer a checkbox to turn off auto-adding from the Suggested Contacts group entirely. This option has been turned on, thus turning auto-adding off, for everyone. Furthermore, all contacts auto-added to the My Contacts group have been returned to the Suggested Contacts group permanently. The only contacts in your My Contacts group should be those you’ve manually added. However, addresses in both the Suggested Contacts and My Contacts groups will still auto-populate in the “To” field when addressing an email.
It’s a minor fix, but one that addresses a common complaint and a growing need for a reputable address book in the cloud. The more people start syncing their iPhones and other devices to Google contacts, and ultimately caring about how it looks, the more it is depended on as a primary address book source. What was once an add-on afterthought to Gmail is now, arguably, a feature many rely on.
Google’s products are mass market. It cannot afford to completely ignore a browser with as much market share as IE6 — according to one recent study, its share is still around 25 percent. What Google did is a little different. Because it’s a giant company with a lot of pull, it had Microsoft make the changes. Gmail engineers did not have to make a bunch of IE6-specific code tweaks. Instead, the tweaks are in IE6 itself.
One would assume these performance changes could benefit other applications as well, so this move is a boon for all. Of course, the fixes require users to install an update. The same group that has been ignoring the calls to upgrade to IE7 may ignore this request, too.
Let’s talk security and why you should take advantage of Gmail’s recent SSL feature, and why you might want to be careful using other non-SSL webmail services.
But first, make sure your connection is secured using SSL.
How do you know a connection is secured by SSL? The handy “s” after “http” will tell you. For example, https://mail.google.com is encrypted while http://mail.google.com is not. You can force encryption by adding the “s” yourself, or by turning on “Always use https” from the Browser Connection settings of your Gmail account.
Why? Because without it, anyone can easily hack someone’s account and in two weeks it is going to get even easier. Mike Perry, a reverse engineer from San Francisco, announced his intention to release his Gmail Account Hacking Tool to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent. It is urgent, and here’s why.
Before Gmail released the ability to automatically encrypt your Gmail connections, your browser/server interactions went something like this:
Your Browser: Hey there Gmail, I want in. Here’s my encrypted login.
Gmail Servers: Hey there, browser. I see your encrypted login fits what I have here. If you want to keep talking to me, I will need to see proof of your login, but don’t bother encrypting it for me. Here is your unencrypted email.
Your Browser: Great. I want to read this particular email, my Gmail login is: firstname.lastname@example.org and my password is: monkeylove. My name is John Hanks Doe and my social security number is 123-45-6789.
Gmail Servers: Sure, here you go. I see you are leaving for vacation with the house unlocked this weekend. Say, is this your credit card information?
Guy packet sniffing your wi-fi from Starbucks: Cool!
It’s a little more complex than that (and a little less goofy and dramatic), but the theory is sound. Using encryption at login only is the equivalent of setting up a toll booth in the desert.
Here’s the exploit: All it takes to steal someone’s Gmail login account is to intercept any transaction, since every single one, even a request for an image, passes a cookie which contains the session information.
Spoof the session, and you get free rein over the account — including the ability to change your password. Every non-SSL session is in plain text. With a little determination, any bored, disaffected youth could read your email and change your password within a day. Is it really that easy? Here’s a useful tutorial we found via Google search. When the Gmail Account Hacking Tool is eventually released, it couldn’t be any easier.
With SSL, however, the interaction looks something like this:
Your Browser: xz6RV-BRJViqzNJROECslw
Gmail Servers: jx3iC96D3kuZ_IWNrK461w
Your Browser: PxIryG_P3_3_vRENZdWxMQ
The real thing would be even longer, and perfectly unreadable. SSL requires a key generated on your end and on the Gmail server’s end. There’s no way for the local guy at Starbucks to get those keys and decrypt the data by packet sniffing.
Makes you feel a little vulnerable knowing all your public information was so nakedly exposed over the past few years, huh? Did Google know about this?
It turns out they were well aware of it. The reason Google didn’t grant users the SSL feature before, according to Perry, was because SSL is expensive. It takes a lot of bandwidth and time on both the receiver and transmitter sides to generate keys and encrypt data. Slower data connections would experience a lagging Gmail experience.
Packet sniffing for session information is not a new thing, and is bound to get even more familiar due to how easy it is. Keep in mind, it is not just Gmail which passes account information outside of SSL encrypted connections. There are many sites around the internet that are still vulnerable to this exploit. Protecting your wifi connection with WEP isn’t foolproof either. Your best bet is to use SSL whenever you are transferring information valuable to you, and to avoid sites that don’t use it at all.
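To make the cookie problem described above concrete, this added example (not part of the original article) models which cookies a browser attaches to each request and reports the ones that would cross the network unencrypted. The host name, cookie names and headers are constructed, and the matching rules are a simplified model of browser behaviour that assumes every cookie carries a Domain attribute.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers (not captured from any real service).
SET_COOKIE_HEADERS = [
    "SESSION=abc123; Domain=mail.example.test; Path=/",                      # weak: no Secure
    "SESSION_S=def456; Domain=mail.example.test; Path=/; Secure; HttpOnly",  # hardened
]

# Constructed requests a webmail page might trigger, including an image over plain http.
REQUESTS = [
    "https://mail.example.test/inbox",
    "http://mail.example.test/images/logo.gif",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    parsed = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        parsed[key.strip().lower()] = val.strip()
    return {"name": name, "value": value, "attrs": parsed}


def cookies_sent(cookie_jar, url):
    """Names of the cookies a browser would attach to a request for url (simplified)."""
    parts = urlsplit(url)
    sent = []
    for c in cookie_jar:
        domain = c["attrs"].get("domain", "").lstrip(".")
        path = c["attrs"].get("path", "/")
        if parts.hostname != domain and not parts.hostname.endswith("." + domain):
            continue  # cookie belongs to another host
        if not parts.path.startswith(path):
            continue  # simplified path match
        if "secure" in c["attrs"] and parts.scheme != "https":
            continue  # Secure cookies are withheld from plain-http requests
        sent.append(c["name"])
    return sent


def cleartext_exposure(headers, urls):
    """Map each plain-http URL to the cookies that would travel unencrypted."""
    jar = [parse_set_cookie(h) for h in headers]
    return {u: cookies_sent(jar, u) for u in urls if urlsplit(u).scheme == "http"}


if __name__ == "__main__":
    for url, names in cleartext_exposure(SET_COOKIE_HEADERS, REQUESTS).items():
        print(url, "->", names or "no cookies exposed")
```

A session cookie without the Secure attribute rides along on the plain-http image request even though the inbox itself was loaded over https; the Secure one does not.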
Monday, we wrote about Gmail’s seemingly unprecedented outage and the resulting panic on Twitter. Okay, sure, the world did not end as we prophesied — our emergency cyanide pills are left untouched on the shelf waiting for the big day.
The service was restored in time, and the panic on Twitter has since subsided to a distant quell of fear-mongering, strange prophecies and naysaying.
Still, Gmail’s outage was a pretty big deal for cloud computing. You may not have your entire customer service department on Gmail or may not be a paying customer using Google Apps, but there are hundreds (if not thousands?) of companies that are.
Google knows it too. Vice president of engineering Jeff Huber hit the Twitter tubes and updated everyone soon after Gmail was restored to browsers everywhere:
Ow. Painful afternoon for Gmail users. Sorry. We’ll be working on better/faster communications, and of course making that not happen again. – Jeff Huber
The Gmail Blog followed up with an even more official response titled “We Feel Your Pain and We’re Sorry.”
Many of you had trouble accessing Gmail for a couple of hours this afternoon, and we’re really sorry. The issue was caused by a temporary outage in our contacts system that was preventing Gmail from loading properly. Everything should be back to normal by the time you read this.
We heard loud and clear today how much people care about their Gmail accounts. We followed all the emails to our support team and user group, we fielded phone calls from Google Apps customers and friends, and we saw the many Twitter posts. (We also heard from plenty of Googlers, who use Gmail for company email.) We never take for granted the commitment we’ve made to running an email service that you can count on.
They are really, really sorry, and many of us appreciate it. For a few hours of our day, Gmail users’ lives came to a halt — that is, if you use email. According to a Pew Internet and American Life study, 55% of us do every day. It’s the most used internet application out there and so it is easy to see why people would get upset. We’re not even considering the addition of IM use, which is embedded in the Gmail service.
In some cases, when email is down, companies bleed money by the second — money used to pay employees twiddling their thumbs, lost orders, losses repairing the damage from the downtime, etc…
A lot of people probably lost big-time money yesterday by offloading their IT departments to Google. For them, yeah, it’s a pretty big deal — but one of the trade-offs of moving computing to the cloud.
Others reacted to the outage by urging self-restraint and perspective. Many dream of the kind of uptime Gmail has compared to their ISPs or local area networks.
Droopycom commented on our initial post with one perspective:
“On a personal level, I had more outages from my ISP, than from Gmail. On a professional level, I have had more outages at work because of power outage, ISP outages, company servers outage, or just my damn workstation crashing, than I had Gmail outages. It’s not the end of the world. It’s much better than a lot of stuff.”
In other words, if you can host e-mail servers with the efficiency Google has, hats off to you. For those of us who get their e-mail for free via Gmail, our only option is asking for our money back.
Google fans, the moment you’ve been dreaming about appears to be drawing near — according to reports, offline access for Google Calendar and Gmail should arrive in about six weeks.
That’s the word from Andrew Fogg, who claims to have seen a working demo at the Google offices. Some users have already reported seeing hints that Google Calendar will eventually have offline access through Gears — for a while Google Calendar would display a prompt that read “to view and edit the next 3 months of your Google Calendar when you’re not connected to the Internet, click OK.” Of course the feature itself wasn’t available, but clearly something is in the works.
Of course Google has never denied that it’s working on an offline version of Gmail, but the company has thus far never given anything like a timeframe. Fogg’s Twitter post has since been removed, but if the timeframe is even close, it’s going to put Gmail head and shoulders above its webmail competitors.
According to Fogg’s now-deleted tweets, Google is also adding SyncML support for Gmail’s address book. SyncML is a data synchronization standard that’s generally used to synchronize contact and calendar information between portable devices and your PC. In this context Google is probably looking for some kind of mobile contact syncing app for the iPhone, Blackberry and its own Android platform.
Although it’s just a rumor at the moment, if, or more optimistically, when Gmail gains offline support, look for Yahoo and Microsoft to jump on the bandwagon as well.
If all three offer offline webmail access, will there still be any use for desktop e-mail programs?