
Google's Gmail Defaults to Encrypted Sessions

Google has announced that all Gmail sessions are now secured using SSL/TLS by default, rather than as a choice each individual user had to make in configuration settings. The previous default setting encrypted user logins to Gmail - as Google secures all logins - but left the content of sessions in the clear. The default encryption may be manually disabled.

The problems with offering in-the-clear webmail sessions were apparent years ago, because your messages could be intercepted on public networks, such as Wi-Fi hotspots. The ante was raised in 2007, however, when a security researcher showed that the token that Google placed in a browser cookie to identify the user after login could be "sidejacked": intercepted by a local user, and used to take over a Gmail session. (See "Sidejack Attack Jimmies Open Gmail, Other Services," 27 August 2007.)

There was a workaround to use SSL at that time, where you could enter a different URL, but Google didn't expose this option, and average users would have been unaware of the consequences. In mid-2008, Google added an option to use SSL/TLS as the default, but each user had to make this setting change to activate it. (See "Google Gmail Adds Secure Session Option," 28 July 2008.)

Finally, in mid-2009, many prominent security experts asked Google in an open letter to secure all sessions for Web applications to avoid sidejacking, interception, and other issues that could allow identity theft and access to private information. (See "Security Experts Urge Google to Secure All Sessions," 19 June 2009.)

Google said then that it was concerned about latency (the delay in handshaking of transactions before data is actually sent) and additional overhead for people who don't have broadband. Apparently, Google has now tweaked its system to balance the need for speed for some users with security for all.
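
The sidejacking exposure described above comes down to whether a browser will attach the session cookie to a plain-HTTP request. The following Python check is an added example, not part of the original article and not Google's code; it audits `Set-Cookie` headers for session cookies that would travel in the clear. The cookie names, the host `mail.example.test`, and the sample headers are constructed, and only the `Secure` attribute rule is modelled.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def cookies_sent(set_cookie_headers, url):
    """Names of cookies a browser would attach to a request for url.

    Simplified model: only the Secure rule is applied, not Domain, Path or expiry.
    """
    scheme = urlsplit(url).scheme.lower()
    sent = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" in attrs and scheme != "https":
            continue  # Secure cookies are never sent over plain HTTP
        sent.append(name)
    return sent


def audit(set_cookie_headers, session_cookie_names):
    """Return the session cookies that would be readable on a cleartext request."""
    exposed = cookies_sent(set_cookie_headers, "http://mail.example.test/")
    return [name for name in exposed if name in session_cookie_names]


# Constructed sample headers: login over HTTPS, session cookie set without Secure.
WEAK = ["SESSION_TOKEN=c2FtcGxl; Path=/; HttpOnly", "LANG=en; Path=/"]
# Same response with the session cookie restricted to HTTPS.
HARDENED = ["SESSION_TOKEN=c2FtcGxl; Path=/; Secure; HttpOnly", "LANG=en; Path=/"]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "exposed over http:", audit(headers, {"SESSION_TOKEN"}))
```

An encrypted login does not protect a session whose cookie lacks `Secure`: the first cleartext request to the same host carries the token.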

 


Comments about Google's Gmail Defaults to Encrypted Sessions

Ray Choiniere, 2010-01-18 17:10
Very strange: this change made it impossible for me to reach my gmail box using Safari until I reset the address to http instead of https. Since I had heard nothing about the change I was baffled. Finally I guessed lucky and was able to use Firefox (which has no problem with gmail's https setting) to make the change.
Adam Engst, 2010-01-19 06:31
Very odd - I can't begin to explain what might have confused Safari.
jimsanders1, 2010-01-19 09:05
I am not clear on the receipt of the message when the receiver's mail provider does not advertise SSL/TLS support? Does the Gmail encryption last only to the gmail server?
Adam Engst, 2010-01-19 09:54
Yes, all that's being encrypted here is the Web-based session from you to Gmail, which prevents a variety of attacks. This does not entail encryption of actual messages sent from the Gmail servers to your recipients.
Glenn Fleishman, 2010-01-19 09:58
If Gmail is set up right, it may also talk SSL/TLS to other mail servers. There's been a long-simmering interest in securing all server-to-server communications with SSL/TLS, but it's kind of a mess.

If Gmail talks SSL/TLS to another mail server, the mail is secured between the two servers, but it's not encrypted for the recipient.
jimsanders1, 2010-01-19 11:08
Thank you, Adam and Glenn -- As I thought, end-to-end cryptomail is only available with a Public-Key-based (PKI) system. Right?
Glenn Fleishman, 2010-01-19 11:11
You don't need PKI, although that's the easiest way to do it without specific pre-arrangement. Using any out-of-band method, you can agree on a symmetrical key with someone, too. It's just far harder to maintain the secrecy (not integrity) of those keys.

The weak points in SSL/TLS email: even if you could assure each segment is secure (Web browser or client to server, server to server, server to client/browser), there's a decryption stage between each segment.