
SSL on Google means Semi Secure Links


After much debate, we decided to enable Google Apps Premier Edition for in-office use. SSL had always been a sticking point for us, and Google Apps is notoriously lacking in this regard, but probing around various newsgroups and sites seemed to show that behavior had been improved across the board. Unfortunately, things are still very hit and miss, and I fear they're getting worse.

The biggest selling point of Google Apps Premier Edition is that blanket security can be imposed on an entire organization through a "force SSL" checkbox located in the Admin control panel. This box is mentioned in Google's own security PDF document and referenced by hopeful users in the Apps support forum.

That box, of course, is nowhere to be found. In a thread where a user pointed out that Google was not living up to its promises (or its contractual agreements), Google replied that accessing an application through the SSL URL would not only encrypt the entire session, as it used to, but would also carry the SSL protection over to the links to other applications featured within the interface. The promised checkbox was apparently still being worked on, with no ETA.

Surprise! The recommended method works. Log securely into Google Calendar and the session will stay encrypted — nothing new here. Click on the Mail link at the top left and you securely access GMail without a drop of cookie-evaporating HTTP in sight. Yayy! It's not nearly as good as a dedicated SSL box that would force such behavior but it's a step closer to true protection. Gone are the most dangerous links.

Don't relax too soon, though… Now, try logging into the most sensitive site of all, the Domain's control panel. Are you there? Good. Click on the "Help" link at the top right. Still using SSL? You bet! Google is really getting good at it, aren't they?

Now, go back one step and click on "Inbox" right from your admin panel. Boom! That link was HTTP. Game over, your admin session has now been hijacked and your corporate web site is now dedicated to a "tits on toast" fetish. (A tit being, as you know, a small songbird, which probably means your hackers are interested in gourmet sandwiches.)

Google has made one big step forward by fixing the most glaring problem of its SSL security, the cross-application linkage. They've also proven they don't care much by making the holes sneakier and placing them in more sensitive areas. I really appreciate the tremendous effort required to maintain a suite like Google Apps, but is it too much to ask of the world's web application authority to hire an intern to click on links and report on the protocol they use?
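The intern's job from the previous paragraph, and the click-through checks earlier in this post, can be done by a script. The following is an added example, not code from the original post or from Google: it parses a page served over HTTPS, lists every link that resolves to a plain http:// URL, and checks whether the session cookies were set without the Secure attribute, which is exactly the combination that lets an "Inbox" link hand the session to anyone watching the network. The admin page URL, the markup and the Set-Cookie headers below are constructed to mirror the behavior described above; they are not captured from Google.

```python
"""Audit an HTTPS page for links that downgrade to plain HTTP, and for session
cookies a browser would then send in the clear (no Secure attribute)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect every attribute value that makes a browser issue a request."""
    URL_ATTRS = {"a": "href", "link": "href", "form": "action",
                 "img": "src", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.links = []        # (tag, visible text, raw attribute value)
        self._pending = None   # open <a> whose text is still being read

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        if tag == "a":
            self._pending = [value, []]          # keep the link text for the report
        else:
            self.links.append((tag, "", value))

    def handle_data(self, data):
        if self._pending is not None:
            self._pending[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._pending is not None:
            value, chunks = self._pending
            self.links.append(("a", " ".join("".join(chunks).split()), value))
            self._pending = None


def find_downgrades(page_url, html):
    """Return (tag, text, absolute URL) for every link that resolves to http://.
    Relative, fragment-only and protocol-relative links inherit the page's
    https scheme through urljoin, so only real downgrades are reported."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for tag, text, raw in parser.links:
        target = urljoin(page_url, raw.strip())
        if urlsplit(target).scheme.lower() == "http":
            hits.append((tag, text, target))
    return hits


def insecure_cookies(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute; a browser
    will attach those to any plain-HTTP request for the cookie's domain."""
    weak = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            weak.append(name)
    return weak


def audit(page_url, html, set_cookie_headers):
    """Combine both checks: a downgrade link plus a non-Secure cookie means the
    session cookie leaves the machine in the clear when that link is clicked."""
    downgrades = find_downgrades(page_url, html)
    weak = insecure_cookies(set_cookie_headers)
    return {"downgrades": downgrades, "insecure_cookies": weak,
            "session_exposed": bool(downgrades and weak)}


# Constructed sample: a mock admin page. The URL, markup and cookies are
# hypothetical, modelled on the behavior described in the post, not captured.
ADMIN_URL = "https://www.google.com/a/cpanel/example.com/Dashboard"
ADMIN_HTML = """
<html><body>
  <a href="https://www.google.com/support/a/">Help</a>
  <a href="/a/cpanel/example.com/Users">Users</a>
  <a href="http://mail.google.com/a/example.com/">Inbox</a>
  <a href="//calendar.google.com/a/example.com/">Calendar</a>
  <a href="#top">Top</a>
  <img src="https://www.google.com/images/logo.gif">
</body></html>
"""
ADMIN_SET_COOKIE = [
    "SID=abc123; Domain=.google.com; Path=/; HttpOnly",
    "S=cpanel=xyz; Domain=.google.com; Path=/; Secure",
]

if __name__ == "__main__":
    report = audit(ADMIN_URL, ADMIN_HTML, ADMIN_SET_COOKIE)
    for tag, text, url in report["downgrades"]:
        print(f"HTTP link: <{tag}> {text!r} -> {url}")
    print("cookies without Secure:", report["insecure_cookies"])
    print("session exposed:", report["session_exposed"])
```

Run against a real page by feeding it the HTML body and the Set-Cookie headers from the login response; the "Help" link passes, the protocol-relative calendar link passes, and only the "Inbox" link is reported, together with the SID cookie that would ride along with it.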

As users, shall we choose between MobileMe's no-SSL policy and Google's SSL-surprise extravaganza? Most users just spend their days leaking information in the wild. The few who care (a lot) manage to reduce that to a few times a week. Meanwhile, Google is blurring photos of empty fields of grass on demand to avoid violating the privacy of cows, and Apple is focusing on remote-wiping iPhones… Two very laudable initiatives, that goes without saying, but maybe not the ones with the highest impact on the daily life of the average user.

While I am at it, here's an anti-leak trick for us Mac users. Encapsulate your Google applications within a Fluid instance and use Little Snitch to deny that instance outbound access to anything but port 443. A downgraded link then simply fails to load instead of sending your session cookies across the network in the clear. Not ideal, but definitely lighter than installing a browser extension for a few sites. (Especially since logging into Google Apps in the very browser you use to update your MySpace page is asking for trouble.)

Read More Entries by FJ de Kermadec.