Editor's Note: Please see the update below.
I'm a big believer in offering protections for personal privacy online, but Google's decision to force all Gmail subscribers to use HTTPS encryption goes too far.
Four years ago Google turned on HTTPS by default, which was a good thing. In so doing Google put security and privacy first, while still allowing people who know what they're doing to dip into their settings to opt out. I have Gmail accounts that simply don't need HTTPS -- I don't care if someone reads the content -- and by turning HTTPS off I can improve the response time of Gmail by removing the overhead associated with encrypting and decrypting every message. On my primary personal account, however, I choose to leave HTTPS turned on.
I. Choose.
But now, citing the Snowden revelations about NSA domestic spying, Google has decided to take it upon itself to make sure I am protected by removing my option to turn off HTTPS if I don't want it. That's right: HTTPS is now mandatory if you want to use Gmail.
Since when is removing consumer choice a good thing? Does Google really know better than you do what your security posture should be for your Gmail accounts? Google's blog post on the matter ignores this point, focusing instead on how wonderful it is that the company is protecting you with an encryption methodology that I suspect the NSA can probably defeat anyway. In taking this step Google joins the ranks of other dubious "we know what's good for you" initiatives, such as former New York City Mayor Michael Bloomberg's now infamous ban on the sale of large-sized soft drinks in the Big Apple.
Making HTTPS the default is a good thing. But by not allowing the user to disable the feature, Google is following in a long line of vendors and politicians who think consumers can't be trusted to make their own decisions. The mandatory HTTPS announcement might seem like a little thing. But what will it be next time? The decision represents an attitude toward toward the customer that I find disturbing.
Businesses that consistently underestimate their customers are destined for trouble.
You are so wrong.
That's been the response from many voices regarding my assertion that I shouldn't be forced to use HTTPS for my personal Gmail accounts. I've received my share of criticism, but also a few good arguments and explanations from email and the comments below as to why universal HTTPS is so important.
So why is making HTTPS mandatory the right thing to do?
1. Because using HTTPS has no downside - there's no difference in performance. So why not?
2. Because it's not just about you. Zack Weinberg explains:
Large email providers ... are under continual attack by people who want to hijack legitimate accounts to send spam with. The easiest several ways to do that involve eavesdropping on network traffic, and so are thwarted by enforcing HTTPS for everyone.
Having HTTPS as the only mode of operation allows [large email providers] to turn on additional client-side security features. For instance,they can tell your browser "if you ever see us communicating with you over plain HTTP something has gone horribly wrong."
They can also lock down their own servers more aggressively. The code that implements the "real" Gmail never sees traffic that went over the network unencrypted anymore; unencrypted requests can only talk to a much smaller program that sends a boilerplate "try again with HTTPS" response.
For more plainspeak on HTTPS check out Weinberg's blog, Owl's Portfolio. Finally, Rory Alsop also shared this discussion at StackExchange: Is Google overreaching by forcing me to use TLS?.
That's a quick summary, and my thanks to the commenters. For more details, see the comments below.