I'm sure many of you, also, many of you might read about Google adding a new configuration option for gmail to activate SSL from start to end of a session (http://gmailblog.blogspot.com/2008/07/m ... asier.html)
I was reading the 'news' about this and couldn't avoid to talk about it ^^
First off, the configuration option is new but the use of SSL from start to end over a session in gmail (and many other Google's services) aren't, the funny thing is that many users didn't know about that, all you needed to do was to use https:// instead of http:// in the URL to get the whole session encrypted
Anyway, Google says (which is true) that the use of SSL for the whole session while you're in gmail for instance will be slower that using normal unencrypted http, so they leave the choice to users
The new configuration option (if Always use SSL is activated) will tell the server that it should use https:// if the users didn't put that in the URL, thus, a request to http://gmail.com will be redirected to https://gmail.com, again, if the option is activated
However, I couldn't avoid thinking, what's the point in this? I mean, is still user's choice to use SSL or not for the whole session.
From one side, you could say that this news might educate gmail users to let them know that you can use SSL to encrypt the whole session, but besides that, I just don't see the point and don't see it because as I said, still is user's choice to activate the option.
In other hand you could say that well, from now on, you won't have to remember to input https:// instead http:// but c'mon, isn't so difficult to bookmark https://gmail.com or https://mail.google.com/
The bad thing in letting the user to choose is that most users are dumb and I will put it this way so you can understand what I mean by that:
Gmail Service: "Hi, welcome to our service, do you want to read mail?"
User: "Yes please"
Gmail service: "Would you like to use http over SSL or just http?"
User: "erhh......"
Gmail service: "Using SSL will be more secure but slower"
User: "ohh...http then
"Gmail service: "Are you sure? SSL will more secure"
User: "Yeah but it will be slower =("
If you catch that my point is that users (those who live away from security existence) don't care about security if that is going to make things little harder to get the things done and we all know that more security means a harder service to use, just imagine an user opening ports in firewall to get the MSN working, what the user will do? turn off that piece of crap firewall
So my point remains, unless is done for educational purposes, what's the point in the new option if users can avoid to activate it? what do you think?
From my POV, if you want to offer security at some point you'll have to understand that you have to force your users to do things right
!
