Google recently has created the Gmail Security Checklist to aid users in tightening the security of their Gmail account.

The checklist lists a total of 18 different items that are divided into five groups.

• Your Computer: Check for viruses and malware, Make sure your operating system is up to date, Make sure to perform regular software updates.
• Your browser: Check your browser for plug-ins, extensions, and third-party programs/tools that require access to your Google Account credentials, Make sure your browser is up to date
• Your Google Account: Change your password, Check the list of websites that are authorized to access your Google Account data, Update your account recovery options
• Your Gmail settings: Confirm the accuracy of your mail settings to ensure that your mail stays and goes where you want it to, Check for any strange recent activity on your account, Use a secure connection to sign in.
• Final Reminders: Watch out for messages that ask for your username and/or password. Gmail will never ask for this information, Never give out your password after following a link sent to you in a message, even if it looks like Gmail’s sign-in page. Access Gmail directly by typing https://mail.google.com in your browser’s address bar, Don’t share your password with other websites – Google can’t guarantee the security of other websites and your Gmail password could be compromised, Keep secrets! Never tell anyone your password, or your secret question and answer; if you do tell someone, change it as soon as possible, Clear forms, passwords, cache and cookies in your browser on a regular basis – especially on a public computer, Only select ‘Stay signed in’ if you’re signing in from a personal computer, Always sign out when you’ve finished reading your mail.

Those short reminders alone won’t help a lot of users protect their account login and data. A read more button is displayed next to each item that contains further explanations and links to related services, software and information. The check for viruses and malware link for instance links to a page that lists antivirus software to perform those checks.

It will take more than a minute to go through all the items, but it can be very well worth it. Experienced users may be able to complete it just by looking at the titles of each suggestion, while inexperienced users may need to click on the read more link for additional instructions and links.

Gmail Checklist in 30 seconds or less:

Make sure your operating system, software and web browsers are up to date. Make also sure you run an up to date antivirus software.

Check Google account and Gmail settings to make sure that only authorized websites and services are able to access them.

Update your account recovery options and regularly check for recent account activities.

Finally, make sure you always use a secure connection to sign in, and make sure to log out whenever you are finished using the service.

Keeping those basic rules in mind goes a long way to keep any account on the Internet secure.

Check out the Gmail Checklist at Google.

Access to this feature is provided at the bottom of every Gmail page by clicking on the Details link there. But that option is a passive one as it requires the user to access it. Users who do not check the account activity there might miss unauthorized access to their Gmail account.

To improve that Google has implemented a new automatic option that warns the Gmail user whenever suspicious account activity was detected.

The message “Warning: We believe your account was recently accessed from: Country. Show details and preferences. Ignore” will be displayed if Gmail believes that it discovered unauthorized access to the Gmail account.

The warning message is for instance triggered if the account is accessed from multiple countries in short succession, for instance first i the United States and then two hours later from China. This could be unauthorized or legit use if the account is shared with another person.

A click on the Show details and preferences link will display pretty much the same information that are displayed when clicking on the Details link at the bottom of every Gmail page with the difference that it is also showing information about concurrent sessions.

The concurrent session information table lists all access types, locations and IP addresses that are currently accessing the Gmail account with an option to sign out of all other sessions immediately.

The recent activity table lists the date and time, access type, location and IP address of the last log ins to the account. An option to change the password immediately is provided if the activity contains logins that have not been done by the user.

The new warning is an important step in informing Gmail users of suspicious account behavior. Google will implement the feature into Google Apps as well. (via Gmail Blog)

Changes have been announced to the way http and https connections are handled in Gmail in light of recent events. Google decided to roll out https for everyone which will redirect any request to connect to Gmail to https.

Users who are confident in their network security can change this behavior in the Gmail options which basically have been swapped. Now it is possible to enable the http protocol in the options.

We are currently rolling out default https for everyone. If you’ve previously set your own https preference from Gmail Settings, nothing will change for your account. If you trust the security of your network and don’t want default https turned on for performance reasons, you can turn it off at any time by choosing “Don’t always use https” from the Settings menu. Gmail will still always encrypt the login page to protect your password. Google Apps users whose admins have not already defaulted their entire domains to https will have the same option.

Gmail users who are using the service offline will likely experience some problems, namely that the mail does not sync anymore and that shortcuts and bookmarks might behave differently. Google has provided a solution for this:

The quickest way to fix this is to disable the ‘Always use https’ option, so you’re accessing Gmail through an HTTP connection.

But, because using https is a more secure way of signing in to Gmail, we recommend that you switch your Offline Gmail so that it syncs with the https URL rather than http. To do so, follow these steps:

1) Make sure you’re online. You won’t be able to follow these steps while offline. You can always start over later, if you get disconnected.

2) Switch to http, not https. This is a temporary step. You’ll switch back to https in step 5.
a) Go to Settings.
b) In the “Browser Connection” section, choose “Don’t always use https”, and hit Save.
c) Go to http://mail.google.com.

3) Your mail will sync automatically. Wait until your Outbox is empty, and the sync icon is a check-mark.

4) Uninstall http Offline Gmail:
a) Click the sync icon.
b) Click Show Actions
c) Click Disable Offline Mail
d) When asked it you want to remove all mail, select Remove.
5) Switch back to https:
a) Go to Settings/Browser Connection.
b) Select “Always use https”, and hit Save.
c) You’ll automatically be directed to https://mail.google.com. 6) Install Offline Gmail on https. (If you’ve already done this, you can skip this step.)
a) Click Settings.
b) Click the Offline tab.
c) Click Enable Offline Mail for this computer and hit Save Changes. 7) (optional) Delete any old bookmarks or desktop shortcuts that go to http. Consider making new bookmarks that point to https. The http URL will still work while you’re online, but not while you’re offline, so it’s best to replace them, if you normally access Gmail using bookmarks or shortcuts.

Most email users should already be familiar with the tips offered at the Gmail blog. Here are the five tips posted at the website:

• Remember to sign out
• Be careful about sending certain sensitive information via email
• Enable “Always use HTTPS.”
• Be wary of unexpected attachments.
• Make sure your account recovery information is up-to-date

Two of the five tips (being suspicious of attachments and careful about sending out information) are valid for all email accounts no matter where they are hosted and whether they are accessed from a website or desktop email software. These programs on the other hand make the tips one and three unnecessary. The email recovery tip on the other hand makes sense for all Gmail users. Gmail offers an option to add another email address to the account which can be used to retrieve Gmail login information or retake an account after it has been hacked by an attacker.

Do you think those tips are sufficient to protect email accounts or would you add other tips to the list?

A new widget has been recently added to Gmail labs that increases email security by offering phishing protection for the two services PayPal and eBay. Emails send by these two services are authenticated by the widget and an authentication icon is displayed in the Gmail interface so that the user can see at first glance that the emails are coming from the original source.

The main advantage of this added layer of phishing protection is that emails that claim to be from either PayPal or eBay but are not will now be deleted before they reach the user’s email account meaning that they will not appear in the spam folder either. Google is hoping to add additional services in the future to increase the reach of the additional email security layer.

Users can add the new phishing protection by logging into their Gmail account, clicking on the Settings link in the top right corner, switching to the Labs tab and enabling the Authentication icon for verified senders widget.

The main problem that privacy interested users have is that Google will recognize them when they use other Google services especially Google Search which can be used to create extensive user profiles. This becomes more difficulty if the user is not signed into a Google service as Google can only rely on cookies or IPs to identify users.

The sign in link is shown in the upper right corner if the user is not signed in a Google service and the mail of the user if the user is still signed in.

There have also been talks about Gmail security vulnerabilities which Google promptly denied. Fact is, there have been several incidents where filters have been set in Gmail accounts of experienced users. Those filters have been used to transfer web domains to other registrars.

Additional Resources:

90 Tools To Make You A Gmail Pro
Gmail Backup
Gmail Mail Notifier

Gmail Sign In

The easiest way to sign in to Google Mail is to head over to the page right away and do so. It can happen that you encounter error messages, a blank page or other problems that prevent the log in page from opening correctly. One of the easiest fixes that works in a lot of cases is to access Gmail directly via https://mail.google.com and not http.

You might want to reload the page once, or, if that does not work clear the web browser cache and cookies before trying again. We have published two guides that explain how to clear a browser cache.

If that still does not work, I suggest you download and install another web browser to try connecting to Gmail with that program.

The attacker basically set filters in Gmail to forward emails from the domain registrar to another email account. To ensure that the account owner would not notice the mails they were set to be deleted afterwards.

Most domain registrars offer web forms that can be used to retrieve account information. Godaddy for instance provides web forms to retrieve the username and reset the password of an account. They do send out emails to the primary email account. Those emails are however forwarded and deleted so that they can only be accessed by the attacker.

The two emails will contain the account’s username and a new password which can be used to log into the account and initiate a domain transfer to another registrar.

The exploit makes use of a specially prepared website to steal the Google Mail cookie from the user to set the filter in an hidden iframe. This is why the account owners were never logged out of their account by the attacker. He never had physical access to the account. But the filter was enough to hijack the domains.

Gmail users should regularly check their Filters to make sure that none exist that have not been added by them. A better solution would be to retrieve the emails from a desktop email client like Thunderbird or Microsoft Outlook instead.No word yet from the Google Mail team about the vulnerability.

Gmail provides information about the time of the last login and which IP has been used to login to the account. A Details link is available at the end of the line which opens a popup window with further information.

Activity on this account is the name of the window and it displays the last five activities in a table with information about the access type (pop, mobile, browser), IP of the computer that logged into Gmail and the time.

The page does inform the user on concurrent activity as well and it is possible to sign out all other sessions which can be helpful in numerous cases. The current IP of the user is also displayed in that window making it easier to compare IPs.

This new feature is a great addition to Gmail to increase the security of the system. I would like to see an extensive history though, not only the last five logins but maybe those of the last three months or even year. Users who connect regularly will probably see only connection attempts of the same day in the history.