Robert Graham writes in Errata Security that “Google recently made a change that allowed you to configure your Gmail account to force SSL.”
In Gmail click on Settings. On the General Tab under Browser Connection select Always Use HTTPS. Without this I believe the behavior is SSL during login only which has been shown to not protect a authentication cookie.
Google Help warns that you’ll need a patch for Google Notifier and it may break mobile applications that check Gmail.
Related posts:
