Wednesday, 27 July 2011

Gmail forwarding security reminders

Since Gmail was first released in 2004, it's led the field in webmail security. They were the first big player to pioneer systems like two-factor authentication and geographic checking, and they've still got a few nice settings that nobody else has implemented yet - like demanding immediate verification if user activity seems suspicious rather than notifying you after the event.

But with everything else, they've always had a bit of a hole in their account security: Forwarding. Hidden away in the gmail options is a setting that will silently forward a copy of all your received email to an email address. It's incredibly useful (I've been using it since 2005), but it's a setting few people pay attention to. All an attacker would need is two minutes of access to your account - say when you wandered off to get a cup of coffee or answer the phone - and they'd have access to all your incoming emails for the indefinite future.

As of today, google seems to have addressed the issue: If you have with forwarding enabled, when you sign in there's a notification bar at the top of the screen letting you know just what those settings are and asking you to double check that they're correct. It's a fairly understated but you also can't dismiss it manually.

If you click on 'why is this notice here?' you get an explanation:
You’re seeing a notice to help you confirm that the forwarding setting that’s active on your account is accurate. If your account has this feature enabled, you should see this notice ... For about a week, this notice will appear for a few minutes each time you sign in to your account. Displaying the notification in this way helps ensure that you have a chance to see the notice, rather than someone who might try to gain unauthorized access to your account and use this setting improperly.

It's a great start, hopefully after the initial week is up it'll turn into one of their occasional reminders rather than being scrapped completely.