Https encrypts the traffic between the user’s computer and the server. The core benefit here is that it protects the data from network snooping. That’s handy if you are using a public computer, are in a computer network or do not want your ISP or your boss to find out what you are doing on a particular site that has https enabled.

Yesterday Google announced that they have enabled forward secrecy by default.

Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic.

Forward secrecy requires that the private keys for a connection are not kept in persistent storage. An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.

Perfect forward secrecy basically makes sure that attackers cannot use private keys that they have obtained in the future can not be used to compromise data that has been recorded in the past.

Forward secrecy has been enabled for Google Mail (Gmail) and other Google services that use the https including SSL search, Google Docs and Google+.

The only browsers currently supported are Google Chrome and Firefox on all platforms and Microsoft’s Internet Explorer on Vista or later.

Google has also made available the work that they did on the open source OpenSSL library that made the implementation of forward secrecy possible. You can read the original announcement over at the Google Online Security blog.

It was still possible to open the https website manually but Google does not force the use of https. There is however a setting in Gmail that is called Browser Connection (discovered via Sizlopedia) where the user can select to Always Use HTTPS when he connects to Gmail.

I highly recommend to enable that setting to everyone who is using Gmail as a mail client but especially to those users who use additional Google services that already force https usage.

You can reach the configuration menu by clicking on the Settings link in the top right corner of the Gmail account. Scroll down to the very bottom of the menu that is showing up after clicking on the link and check the Always Use HTTPS box.