Can we trust Gmail?

Gone are the days when E-mails were sent and received only from desktops and laptops. Convenience, superior functionality and ease of use drove mass adoption of web-based E-mail systems, such as Yahoo Mail, Gmail, Outlook.com and the like. While the benefits of web-based E-mail are widely known, very little consideration is given to its implications for privacy and security.

Quite often web-based E-mail systems claim to be secure on the grounds that the communication between the user’s browser and the provider’s servers is protected by SSL. That is a legitimate claim, but it covers only part of the story and leaves out the big picture.

Let’s say someone sends an E-mail message from their Gmail account to dolphin@securedolphin.com. The first leg of communication is indeed protected by SSL and is unlikely to be intercepted by third parties. Not so for the next leg: Gmail needs to locate the server hosting the mailbox for dolphin@securedolphin.com and transmit the message text to that server. And there lies the core of the problem: that transmission is not guaranteed to be encrypted, so messages can be hijacked while in transit from one server to another.

It is not unusual for communication between mail servers to be sent in clear text, vulnerable to interception. In a way this is similar to a conversation over walkie-talkies: anyone who happens to be listening can possibly hear (or, in the case of E-mail messages, read) the exchange. In the case of encrypted E-mail, the unprotected transmission between servers is not an issue, since hijacked messages are scrambled and meaningless unless the interceptor has the secret key used for encryption.
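Each receiving server records how it got the message in a `Received:` header, so the legs described above can be checked on a delivered message. The following is an added example, not part of the original article; the sample message, host names and addresses other than dolphin@securedolphin.com are constructed, and it assumes servers use the standard `with` keywords (RFC 3848) or a TLS comment to record encryption.

```python
import re
from email import message_from_string

# Constructed sample: hosts, IPs and ids are invented for illustration.
SAMPLE = """\
Received: from mail-out.webmail.example (mail-out.webmail.example [198.51.100.7])
\tby mx.securedolphin.example with ESMTP id b2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [192.0.2.10] by mail-out.webmail.example with ESMTPSA id a1;
\tMon, 1 Jan 2024 10:00:01 +0000
From: sender@webmail.example
To: dolphin@securedolphin.com
Subject: hello

body
"""

# "with" keywords that signal TLS on the hop (RFC 3848, RFC 6531).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
# Some servers keep a plain keyword and note TLS in a comment instead.
TLS_COMMENT = re.compile(r"version=TLS|using TLS", re.I)


def hop_report(raw_message):
    """Return [(from_host, by_host, keyword, encrypted)] in delivery order."""
    msg = message_from_string(raw_message)
    hops = []
    # Every server prepends its header, so reverse for sender -> recipient order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        frm = re.search(r"\bfrom (\S+)", flat)
        by = re.search(r"\bby (\S+)", flat)
        proto = re.search(r"\bwith (\S+)", flat)
        keyword = proto.group(1).rstrip(";").upper() if proto else "UNKNOWN"
        encrypted = keyword in TLS_KEYWORDS or bool(TLS_COMMENT.search(flat))
        hops.append((frm.group(1) if frm else "?",
                     by.group(1) if by else "?", keyword, encrypted))
    return hops


def cleartext_hops(raw_message):
    """Hops for which the receiving server recorded no TLS."""
    return [hop for hop in hop_report(raw_message) if not hop[3]]


if __name__ == "__main__":
    for frm, by, keyword, encrypted in hop_report(SAMPLE):
        print(f"{frm} -> {by}: {keyword} ({'TLS' if encrypted else 'no TLS recorded'})")
```

In the constructed sample the first leg (client to web mail provider) is recorded as `ESMTPSA`, while the server-to-server leg is plain `ESMTP`. `Received:` headers written by servers outside your control can be forged, so only the ones added by servers you trust count as evidence.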

No matter how secure the first leg of communication is, i.e. the transmission of the message between the device (desktop or phone) and the web mail provider, the confidentiality of your messages can be compromised in transit to the ultimate destination, unless the message is encrypted.

Private messages must be encrypted!