
Secure Gmail Notifier using hidden preference setting Apps
I was shocked to discover that the Gmail Notifier, as distributed by Google, defaults to sending your Gmail password over the network in clear text every time it checks your inbox for new mail. This is incredibly insecure, especially since Google has plenty of smart people who know how to secure internet communication. They have the capability to enable secure communication as proven by the ability to access Gmail entirely over HTTPS (by using https://mail.google.com as the entry point). As it turns out, there is an easy "hack" for Mac users to switch Gmail notifier to HTTPS as well:

Pull down the Notifier menu (either Calendar or Gmail), hold down Command and Option, and click Preferences on the menu. You'll see a hidden settings editor. Enter SecureAlways in the Key field (upper and lower case must be entered as shown) and 1 in the Value field, then click Set. Quit Notifier and start it up again. From now on, all connections with both Gmail & Gcal will be https. Thanks to this comment on the O'Reilly blogs for this trick!
Secure Gmail Notifier using hidden preference setting
Authored by: unforeseen:X11 on Mon, Jul 9 2007 at 9:31AM PDT
Sometimes I really wonder what Google is thinking. Thank you for sharing!

---
this is not the sig you`re looking for.

[ Reply to This | # ]
Secure Gmail Notifier using hidden preference setting
Authored by: tvl on Mon, Jul 9 2007 at 12:55PM PDT
Actually the writeup isn't correct. If you look at the traffic, they use https for the login, and use some token in the http request for authorization after the fact (same as what reading gmail via http does). The pref just moves this later traffic over https (just like using https for gmail reading does).

[ Reply to This | # ]
Secure Gmail Notifier using hidden preference setting
Authored by: brucio on Mon, Jul 9 2007 at 10:34AM PDT
Excellent hint! Thanks!

[ Reply to This | # ]
Secure Gmail Notifier using hidden preference setting
Authored by: fcote on Mon, Jul 9 2007 at 11:25AM PDT
Great tip, Thanks!

[ Reply to This | # ]
Secure Gmail Notifier using hidden preference setting
Authored by: UberFu on Mon, Jul 9 2007 at 4:09PM PDT
Well - not sure about the Notifier [never used it]

BUT - I dug thru the Gmail Widget [which I use constantly] and the initial request goes out to http://www.google.com/mail - but a little farther down the code - it uses 2 https calls for authentication_

I went and switched the initial request to https [didn't break it] and looks like it's rather secure - for web security_

[ Reply to This | # ]
Secure Gmail Notifier using hidden preference setting
Authored by: tobyvoss on Tue, Jul 10 2007 at 1:56AM PDT
the very obvious alternatives to the way given in this hint are:
1. in Terminal, type defaults write com.google.GmailNotifier SecureAlways -string 1
2. in Property List Editor, open the file ~/Library/Preferences/com.google.GmailNotifier.plist and add a new child named SecureAlways of class String and value 1 under Root

[ Reply to This | # ]
Secure Gmail Notifier using hidden preference setting
Authored by: delepster on Tue, Jul 10 2007 at 5:35AM PDT
Wow, thanks for the tip!

[ Reply to This | # ]
Secure Gmail Notifier using hidden preference setting
Authored by: derherr on Tue, Jul 10 2007 at 7:14AM PDT
As a Firefox user, I prefer the Gmail Manager extension. https://addons.mozilla.org/en-US/firefox/addon/1320 (link pops)

In the Preferences, there is an explicit option "Use secured connection when checking this account" (among other handy features). Check it out.

[ Reply to This | # ]

Secure Gmail Notifier using hidden preference setting
Authored by: thomasbosboom on Fri, Jul 13 2007 at 5:06AM PDT
This is my submission, apparently my name didn't come through. Too bad ;-)
Anyway, the lesson is it can be revealing to run Wireshark on your Mac for a while and then search for your passwords in the capture. This should reveal any insecure communication.
It turned out I also misconfigured iCal so that it was sending my server pass in the clear every time I updated my calendar... oops!

[ Reply to This | # ]
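
The capture check described in the comment above, as an added example that is not part of the original thread: it scans a capture of your own traffic for your own password in plain, URL-encoded and HTTP Basic auth form. The function names, the sample password and the sample frames are constructed for illustration; it reads classic pcap files only (not pcapng) and will miss a secret split across two TCP segments.

```python
import base64
import re
import struct
from urllib.parse import quote

BASIC_RE = re.compile(rb"Basic ([A-Za-z0-9+/]+=*)")

def iter_pcap_frames(data):
    """Yield raw frame bytes from a classic microsecond pcap file (not pcapng)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, offset)[2]
        yield data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len

def find_cleartext_secret(pcap, secret):
    """Return [(frame_index, encoding)] for frames where the secret is readable."""
    raw = secret.encode()
    needles = {"plain": raw, "url-encoded": quote(secret, safe="").encode()}
    hits = []
    for index, frame in enumerate(iter_pcap_frames(pcap)):
        found = next((how for how, n in needles.items() if n in frame), None)
        if found is None:
            # HTTP Basic auth sends base64("user:password"); decode and look inside.
            for token in BASIC_RE.findall(frame):
                try:
                    if raw in base64.b64decode(token, validate=True):
                        found = "http-basic"
                except ValueError:
                    pass
        if found:
            hits.append((index, found))
    return hits

def build_sample_pcap(frames):
    """Constructed capture for the demo: little-endian header, Ethernet link type."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SECRET = "hunter2&co"  # constructed sample password
SAMPLE = build_sample_pcap([
    b"GET /feed HTTP/1.1\r\nAuthorization: Basic " + base64.b64encode(b"alice:hunter2&co"),
    b"POST /login HTTP/1.1\r\n\r\nEmail=alice&Passwd=hunter2%26co",
    b"\x17\x03\x03\x00\x20" + bytes(range(32)),  # stand-in for an encrypted TLS record
    b"PASS hunter2&co\r\n",
])
```

Calling `find_cleartext_secret(SAMPLE, SECRET)` reports frames 0, 1 and 3; the stand-in for encrypted traffic in frame 2 produces no hit.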
Secure Gmail Notifier using hidden preference setting
Authored by: osxpounder on Fri, Jul 13 2007 at 9:08AM PDT
Thomas, how do you secure iCal so it doesn't send your info in cleartext?

[ Reply to This | # ]
Secure Gmail Notifier using hidden preference setting
Authored by: creeeatura on Sun, Jul 29 2007 at 11:04AM PDT
Is it possible to hack Gmail notifier (the one working on Panther, not Google notifier) to force it to use SSL?
I've modified the .plist adding the SecureAlways / value 1 tags, but it seems it doesn't work.


[ Reply to This | # ]
Secure Gmail Notifier using hidden preference setting
Authored by: tvl on Mon, Oct 29 2007 at 2:51PM PDT
With 1.9.100 or later of notifier, it does all traffic over https.

[ Reply to This | # ]