An unofficial blog that watches Google's attempts to move your operating system online since 2005. Not affiliated with Google.

Showing posts with label Security.

May 30, 2015

Google Sends Email Notifications for New Sign-ins

Google now sends an email notification when you sign in to a Google account from a device or browser it hasn't seen before. Here's an excerpt from Google's notification:

"Your Google Account was just used to sign in from Chrome on Mac. Why are we sending this? We take security very seriously and we want to keep you in the loop on important actions in your account. We were unable to determine whether you have used this browser or device with your account before. This can happen when you sign in for the first time on a new computer, phone or browser, when you use your browser's incognito or private browsing mode or clear your cookies, or when somebody else is accessing your account."


Google suggests checking the Devices & activity section of your Google Account settings if you don't recognize the activity. That page also shows the browsers and locations that were used, and for mobile devices you can remove the account from the device so it can no longer access your Google Account.

December 11, 2014

Google Drops Support for Security Questions

This is not that new, but I thought it's worth sharing. Google no longer supports security questions and you can't use them to access your account if you forget your password.

The "security question" section of the Google Account settings page informs users that "We no longer support security questions as a way to access your account. Please consider adding a recovery phone or recovery email address to keep your account secure." You can only delete your security question.


Security questions weren't a great way to protect an account since many answers could be guessed or found using a Google search. For example, Sarah Palin had her Yahoo email account compromised by someone who found the answers to her secret questions. "The hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search."

September 27, 2014

Android Verification Code for Google Accounts

When you sign in to a Google account from a different country, Google asks you to confirm your identity. You can enter your recovery email address or phone number, enter a verification code received in an SMS message or voice call, and now you can also enter a code generated by your Android device.


"If you're signing in from a different location than you usually do, we may ask you to enter a code from the Google Settings app on your Android phone or tablet to make sure you own the account. You don't need an internet connection or phone/SMS connectivity to get codes using this app."


The Google Settings app is the UI for Google Play Services, Google's framework that delivers new features and APIs without installing a new Android version. It has nothing to do with the built-in Settings app, which is part of the operating system and only changes with a full OS update.

The verification code has 8 digits and it can be obtained by opening the Google Settings app, tapping the menu button and selecting "Get verification code".

{ Thanks, Herin Maru. }

July 21, 2014

More Secure Gmail Authentication

Google has a new settings page that lets you enable or disable access to less secure apps.

"Some devices and apps use insecure sign-in technology to access your data. Choosing Disable prevents these less secure devices and apps from accessing your Google Account. Choosing Enable increases your chances of unauthorized account access but allows you to continue using these less secure devices and apps."



Many mail apps use insecure sign-in standards:

* the Mail app for iOS 6 or below
* the Mail app from Windows Phone 8.0 or earlier
* some built-in Android mail apps not developed by Google
* desktop mail clients like Microsoft Outlook and Mozilla Thunderbird.

If access to less secure apps is disabled, such an app gets a "Password incorrect" error when it tries to sign in and you can't set up your Google account on that device. "Google may block sign in attempts from some apps or devices that do not use modern security standards. Since these apps and devices are easier to break into, blocking them helps keep your account safer."

A Microsoft article explains that "Google has increased its security measures to block access to Google accounts after July 15, 2014 if those accounts are being set up or synced in apps and on devices that use Basic Authentication." Another article notes that "Windows Phone builds earlier than 8.10.12359.845 [Windows Phone 8.1] use Basic Authentication and therefore may be impacted. Windows Phone builds later than 8.10.12359.845 use Open Authentication (or OAuth) and therefore will not be impacted".

Google's own clients never hand your password to the mail servers: the desktop Gmail site, the mobile Gmail site and the Gmail apps sign in through Google's web login or OAuth 2.0 tokens, so they're not affected by this change. About 90% of Apple devices run iOS 7, so most iOS users are not affected either. If you use an Android mail app built by an OEM like Samsung, the built-in mail app for Windows Phone or a desktop client like Outlook or Thunderbird, check that the "enable" setting is selected on this page if you want to keep using them. Keep in mind what enabling it means: the client stores and sends your full account password, which is exactly the weakness Google is trying to retire. A client that supports OAuth 2.0 is the better fix, and if you turn on 2-step verification you'll use per-app passwords instead of this setting.

An article from April provides more information:
Beginning in the second half of 2014, we'll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.

To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications. The standard Internet protocols we support all work with OAuth 2.0, as do most of our APIs. We leverage the work done by the IETF on OAuth 2.0 integration with IMAP, SMTP, POP, XMPP, CalDAV, and CardDAV.

In summary, if your application currently uses plain passwords to authenticate to Google, we strongly encourage you to minimize user disruption by switching to OAuth 2.0.
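To make concrete what "OAuth 2.0 for IMAP" changes on the wire, here is an added example (my code, not Google's or the page's) that builds the SASL XOAUTH2 initial client response Gmail's IMAP and SMTP servers accept, decodes the error challenge the server returns when a token is rejected, and contrasts it with the plaintext LOGIN command a "less secure app" sends. The XOAUTH2 string layout is the one Google documents; the user name, token and error JSON are constructed samples, and `connect_with_xoauth2` shows the standard-library call but isn't run here because it needs a network and a real token.

```python
import base64
import json

# Constructed sample of the server's XOAUTH2 failure challenge (base64 JSON).
SAMPLE_ERROR_CHALLENGE = base64.b64encode(
    b'{"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}'
).decode("ascii")


def xoauth2_raw(user: str, access_token: str) -> bytes:
    """Google's documented layout: "user=" user ^A "auth=Bearer " token ^A ^A."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """What the client sends after `AUTHENTICATE XOAUTH2`: only a short-lived, scoped
    bearer token crosses the wire; the account password never does."""
    return base64.b64encode(xoauth2_raw(user, access_token)).decode("ascii")


def decode_xoauth2_initial_response(b64: str) -> dict:
    """Server's view of the same bytes, split into fields."""
    raw = base64.b64decode(b64).decode("utf-8")
    fields = {}
    for part in raw.split("\x01"):
        if part:
            key, _, value = part.partition("=")
            fields[key] = value
    return fields


def bearer_token_from_response(b64: str) -> str:
    """Extract the token the server would go on to validate (and which it can revoke)."""
    return decode_xoauth2_initial_response(b64)["auth"].split(" ", 1)[1]


def decode_xoauth2_error(b64_challenge: str) -> dict:
    """On failure the server sends base64 JSON (status, schemes, scope) and expects an
    empty client line before replying with a tagged NO."""
    return json.loads(base64.b64decode(b64_challenge).decode("utf-8"))


def plain_login_command(user: str, password: str) -> str:
    """For contrast: a Basic-auth style IMAP LOGIN. The reusable password itself is on the
    wire and in the app's storage, so anyone who captures either owns the account."""
    return f'A001 LOGIN "{user}" "{password}"'


def connect_with_xoauth2(user: str, access_token: str, host: str = "imap.gmail.com"):
    """How a real client does it with imaplib (network; not exercised offline)."""
    import imaplib
    conn = imaplib.IMAP4_SSL(host)
    # imaplib base64-encodes whatever the callback returns, so hand it the raw bytes.
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_raw(user, access_token))
    return conn


if __name__ == "__main__":
    resp = xoauth2_initial_response("someuser@example.com", "ya29.constructed-token")
    print(resp)
    print(decode_xoauth2_initial_response(resp))
    print(decode_xoauth2_error(SAMPLE_ERROR_CHALLENGE))
```

The practical difference is in what an attacker gets from a compromised client or a captured session: with LOGIN it's the password for the whole account, with XOAUTH2 it's a token limited to the mail scope that the user can revoke from the account permissions page without changing the password.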

{ Thanks, Herin. }

July 8, 2014

Google Redesigns "Unusual Sign-in Location" Page

If you sign in to your Google account from a different country, you'll probably see a page that asks you to verify it's really you and not someone who managed to obtain your password. This page has recently been redesigned and looks better.


After you enter your credentials, Google shows a list of verification methods. If you've provided a recovery email address, you can enter it (Google shows the first and the last character). If you've provided a phone number, you can enter it or ask Google to send a verification code in an SMS message or voice call. You can also answer your secret question or enter the name of the city or town where you usually sign in. If you can't answer any of the questions or enter the verification code, you still have one option left: reset your password.

"The additional step at sign in is designed to prevent an unauthorized person who does not know you from accessing your account, even if they've obtained your username and password. While this won't necessarily stop people who know you from accessing your account (for that, try 2-step verification), it's an important measure to keep hijackers who have a long list of passwords from doing malicious things with your account, such as creating spam or accessing and deleting valuable data," informs Google.

This page has a screenshot that shows the old interface. Google used to ask: "Hey [email protected], is that really you?".

Google also has a page that shows a list of recent security-related actions you've taken, like signing in to your Google Account or changing your password. Google includes the IP address, approximate location, as well as the browser and operating system, so you can quickly spot unusual activity.

{ Thanks, Herin. }

July 2, 2014

Google Redesigns Settings Page for App Passwords

Google redesigned the page that lets you generate app passwords. The page is now available at https://security.google.com/settings/security/apppasswords, or you can open the Security tab of Google Settings. It can only be accessed if you've enabled 2-step verification.


"When you sign up for 2-Step Verification, we normally send you verification codes. However, these codes do not work with some apps and devices, like Gmail on your iPhone or iPad, Thunderbird, and Outlook. Instead, you'll need to authorize the app or device the first time you use it to sign in to your Google Account by generating and entering an App password," explains Google.

Here's an example of a password generated by Google (it always has 16 characters, but you only have to enter it once, so don't worry about memorizing it). Note that an app password lets the client holding it sign in without a second factor, so treat it like a password and revoke it from this page when you stop using that app or device:


The page used to look like this:


{ Thanks, Herin. }

December 10, 2013

Google Settings Page for Phone Numbers

Google's account settings page has an updated section for phone numbers that groups some features that were already available elsewhere. If you click "edit" next to "phone numbers", Google will show the phone numbers associated with your account.

You'll probably see a phone number associated with Hangouts. You can enable or disable this setting: "Help people who have your phone number find and connect with you on Google services, like Hangouts and caller ID by Google." You can edit the phone number, change the way it's verified or remove the number.

There's also a phone number that's used for account recovery. Google encourages users to enable this feature, but it's optional. For now, the account recovery page is not integrated with the account settings page, so it looks different and has a long URL. "We'll use your phone to do things like challenge hijackers or send you a text message to help you access your account if you forget your password," informs Google.



The phone number management page was added back in May, but now it's more functional.

{ Thanks, Herin. }

November 27, 2013

New Interface for Google's Account Permissions Page

Google's account permissions page has a new interface which does a better job at listing the permissions, shows bigger thumbnails and the date when you authorized a service.

"On the Account Permissions tab of your Google Account, you can see a list of third-party sites and applications. These are sites and applications to which you've granted permission to access your Google Account, and you can see on this list to what parts of your account they have access. For example, you might have downloaded an app that helps you schedule workouts with friends. This application might have requested access to your Google Calendar and Contacts to suggest times and friends for you to meet up with," informs Google's help center.

Google shows your Android and iOS devices at the top of the page. My Nexus 7 tablet was listed 3 times, so I clicked "Revoke access" next to the entries that include: "Inactive - We haven't seen activity from this device for at least 60 days."


If you see some services you no longer use, click "Revoke access". You'll be asked for permission the next time you use them.

{ Thanks, Florian K. }

November 6, 2013

Google Operating System, Again a Phishing Site?

Back in September, I wrote about Netcraft, who incorrectly flagged this blog as phishing. Many applications use the Netcraft blacklist, so Opera, Kaspersky and probably other apps prevent users from visiting this site. I reported this issue to Netcraft, who solved it, but the site was added again to the blacklist a few days later. A Netcraft employee promised to flag the site as safe.

Back then, Netcraft had only flagged googlesystem.blogspot.com. Blogger redirects visitors to country domains like blogspot.co.uk or blogspot.ro, depending on where they are, and now Netcraft flags every googlesystem.blogspot.* URL except googlesystem.blogspot.com as phishing. According to VirusTotal, security tools from ESET, Fortinet and Kaspersky show phishing warnings for this blog.



Google Safe Browsing also shows a phishing warning for googlesystem.blogspot.ca, googlesystem.blogspot.se, googlesystem.blogspot.ro, googlesystem.blogspot.com.br and probably other similar URLs. Google Safe Browsing is used by Chrome, Firefox, and Safari for desktop. "Reported Phishing Website Ahead! Google Chrome has blocked access to googlesystem.blogspot.com.br. This website has been reported as a phishing website. Phishing websites are designed to trick you into disclosing your login, password or other sensitive information by disguising themselves as other websites you may trust."


I reported this issue to Netcraft and Google, so hopefully it will be solved. I just don't understand what triggered these phishing warnings and why they're no longer limited to Netcraft.

Update: After a few hours, the issue was fixed.

{ Thanks, Manuel Janeiro. }

September 11, 2013

Google Operating System, Phishing Site?

If you use Opera to visit the site, you'll probably see this warning: "This site has been reported as fraudulent. Exchanging sensitive or confidential information with this site could put you at risk for identity theft and/or financial fraud. Opera Software strongly discourages visiting this page."


Opera uses Netcraft's phishing blacklist. You'll get a similar warning if you install Netcraft's toolbar:


Netcraft's site report page doesn't provide much useful information. I could only find that the Google OS blog has a 5/10 risk rating, but the rating varies depending on the URL. The recent post about the Google logo has a 7/10 risk rating.


Many factors contribute to the risk rating of each site. The dominant factor for most sites is the age of the domain name in which the site appears. Domain names that have never been seen in the Netcraft Web Server Survey are given a high risk rating, since many phishing sites and relatively few legitimate sites fall into this category. Other factors which can influence the risk rating include:

* Any other known phishing sites in the same domain.
* Whether a hostname or a numeric IP address is used in the URL.
* Whether or not a port number appears in the URL.
* The hosting ISP's history with respect to phishing sites.
* The hosting country's history with respect to phishing sites.
* The top level domain's history with respect to phishing sites.
* The site's popularity with Netcraft Extension users.

So just because other Blogger blogs are used for phishing, Netcraft decided that this is a phishing site? It's hard to say. Google's official blog has a 0/10 risk rating, while a random blog like googlelatlong.blogspot.com (it's not Google's Maps blog) has a 7/10 risk rating, but there's no warning.

A site that lets you check multiple anti-phishing blacklists is the Google-owned VirusTotal. "VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." VirusTotal reported that there are 3 services that flag the Google OS blog: Opera, Netcraft and Kaspersky. They probably have the same source.


Here's Kaspersky's "access denied" message:


Ironically, a recent blog post from Kaspersky's site informs that: "Kaspersky's product blocked 99 percent of the 187 phishing websites while producing zero false alarms among the 400 legitimate URLs, earning first place among its competitors with an Advanced + award from AV-Comparatives."

I used Netcraft's browser extension to report that the URL was flagged by mistake and received this message after a few minutes: "Thank you for your enquiry. Following a review of the URL in question, I have unblocked the URL from the toolbar. Please allow a short period of time for the changes to propagate."


{ Thanks, Josh Rich. He reported this issue. }

July 10, 2013

The Android Bug 8219321

There's a lot of talk about an Android security bug that affects almost all the Android devices. Jeff Forristal from Bluebox Security reported that "the vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature. Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security's close relationship with Google in February 2013."

So the bug lets someone create a modified version of a system app and trick people into installing it: the modified version can include malicious code while still carrying the original developer's signature.

Actually, the bug is simple: APK files are ZIP archives and Android allows APK files to include files with the same name. "It's a problem in the way Android handles APKs that have duplicate file names inside," says Pau Oliva Fora, security engineer at security firm ViaForensics. "The entry which is verified for signature is the second one inside the APK, and the entry which ends up being installed is the first one inside the APK - the injected one that can contain the malicious payload and is not checked for signature at all."

The problem is that Android accepted duplicate file names in APKs, and the signature verifier and the installer didn't agree on which copy counts: the verifier hashed the second entry while the installer extracted the first, so the bytes that were checked and the bytes that ran were different. The patch removes the ambiguity and is extremely simple: return an error if the APK contains duplicate file names.
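An added example (my code, not the Android patch) that reproduces the problem in Python: it constructs an in-memory ZIP with two `classes.dex` entries, shows that a first-match reader and a last-match reader return different bytes for the same name, and applies the patch's check, rejecting any archive whose central directory names a file twice. The sample archive and its placeholder manifest are constructed for illustration; nothing here is a real APK.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_apk_with_duplicate_entry() -> bytes:
    """Constructed sample: an APK-shaped ZIP whose central directory lists classes.dex twice."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name but still writes it
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"INJECTED-PAYLOAD")  # first entry: what a first-match reader installs
            zf.writestr("classes.dex", b"ORIGINAL-SIGNED")   # second entry: what a last-match reader verifies
            # Placeholder manifest; a real one carries the digest of the signed (second) entry.
            zf.writestr("META-INF/MANIFEST.MF", b"Name: classes.dex\nSHA1-Digest: <digest of ORIGINAL-SIGNED>\n")
    return buf.getvalue()


def build_clean_apk() -> bytes:
    """Constructed sample with unique names, for the happy path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"ORIGINAL-SIGNED")
    return buf.getvalue()


def duplicate_entry_names(apk_bytes: bytes) -> list:
    """The check the fix adds: every name that occurs more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def read_first_match(apk_bytes: bytes, name: str) -> bytes:
    """Model of the installer side: walks the directory and takes the first entry with that name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)  # read this specific ZipInfo, not the name
    raise KeyError(name)


def read_last_match(apk_bytes: bytes, name: str) -> bytes:
    """Model of the verifier side: a name->entry map where later entries overwrite earlier
    ones. zipfile.ZipFile.read(name) behaves exactly this way."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def install_check(apk_bytes: bytes) -> str:
    """Patched behaviour: refuse the package before any parser gets to pick a winner."""
    dupes = duplicate_entry_names(apk_bytes)
    if dupes:
        return "REJECT: duplicate entries " + ", ".join(dupes)
    return "OK"


if __name__ == "__main__":
    apk = build_apk_with_duplicate_entry()
    print("verified bytes:", read_last_match(apk, "classes.dex"))
    print("installed bytes:", read_first_match(apk, "classes.dex"))
    print(install_check(apk))
```

The two readers are both reasonable ZIP implementations; the flaw is that one process used each and nothing forced them to agree. Rejecting collisions up front, as the patch does, is cheaper and more robust than trying to make two independent parsers pick the same entry.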


Apparently, Geremy Condra from Google wrote a patch in February. "Google made changes to Google Play in order to detect apps modified in this way and a patch has already been shared with device manufacturers," informs ComputerWorld. CyanogenMod included the bug fix in the latest release, faster than OEMs and even Google, which didn't update Nexus devices to address this issue.

Bug 8219321 is now a test that will show how fast Google, OEMs and carriers can deploy security patches. For now, CyanogenMod is the place to go for the latest features and security patches.

June 13, 2013

Google Shows Your Recent Sign-ins

There's a new section in the Google Account settings page: recent activity. Google shows a list of recent sign-ins and other security-related actions, with information about the browser, device, IP address and approximate location.


The feature seems similar to Gmail's account activity feature, but it's not. Gmail's feature shows information about recent activity, whether it's from a browser or an email client, and it's limited to Gmail. Google's new recent activity feature shows "security-related actions you've taken, like signing in to your Google Account, changing your password, or adding a recovery email address or phone number. This information is for your entire Google Account, so sign-ins from any Google product (such as Blogger, Gmail, or YouTube) will be listed in this section."

There's a subtle difference: "A sign-in is only listed when you've actually typed your username and password to sign in. For example, if you've been signed in to your account for several weeks on your phone, checking your email from time to time, we'll only list the time and location of your initial sign-in." That's not the case for Gmail's account activity feature, which is not limited to the initial sign-ins.
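The recent-activity list described here and the new-device emails from the May 2015 post above come down to the same replay logic over sign-in events. Here is an added example (my code, not Google's) over a constructed sign-in log: only password sign-ins are listed, each account's first sign-in seeds a baseline, and later sign-ins from an unseen browser/device fingerprint or an unseen country raise an alert. The log format, field names and fingerprint rule are assumptions made for the illustration.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events (not real Google data), one JSON object per line.
# "method" is "password" when the user typed credentials and "session" when an
# existing cookie was reused; only the former is listed, as the post explains.
SAMPLE_LOG = """\
{"account":"alice","ts":"2015-05-01T08:00:00Z","ip":"203.0.113.10","country":"RO","browser":"Chrome","os":"Windows","device_cookie":"c1","method":"password"}
{"account":"alice","ts":"2015-05-02T09:00:00Z","ip":"203.0.113.10","country":"RO","browser":"Chrome","os":"Windows","device_cookie":"c1","method":"session"}
{"account":"alice","ts":"2015-05-03T10:00:00Z","ip":"198.51.100.7","country":"RO","browser":"Chrome","os":"Mac","device_cookie":null,"method":"password"}
{"account":"alice","ts":"2015-05-04T03:00:00Z","ip":"192.0.2.55","country":"US","browser":"Chrome","os":"Mac","device_cookie":null,"method":"password"}
{"account":"bob","ts":"2015-05-04T11:00:00Z","ip":"203.0.113.99","country":"RO","browser":"Firefox","os":"Linux","device_cookie":"c9","method":"password"}
"""


def fingerprint(ev: dict) -> tuple:
    """What the notification calls 'this browser or device': a persistent device cookie when
    there is one, otherwise the browser/OS pair. Incognito mode or cleared cookies fall back
    to the pair, which is why the email says those cases can look like a new device."""
    if ev.get("device_cookie"):
        return ("cookie", ev["device_cookie"])
    return ("ua", ev["browser"], ev["os"])


def analyze(log_text: str):
    """Replay password sign-ins per account. Returns (listed_signins, alerts).
    Session resumptions are skipped entirely; the first password sign-in for an account
    seeds its baseline and is never alerted on."""
    known_devices = defaultdict(set)
    known_countries = defaultdict(set)
    listed, alerts = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["method"] != "password":
            continue
        acct = ev["account"]
        listed.append((acct, ev["ts"], ev["ip"], ev["country"], ev["browser"], ev["os"]))
        fp = fingerprint(ev)
        if known_devices[acct] and fp not in known_devices[acct]:
            alerts.append({"account": acct, "ts": ev["ts"], "kind": "new_device",
                           "detail": f"{ev['browser']} on {ev['os']}"})
        if known_countries[acct] and ev["country"] not in known_countries[acct]:
            alerts.append({"account": acct, "ts": ev["ts"], "kind": "unusual_location",
                           "detail": f"{ev['ip']} ({ev['country']})"})
        known_devices[acct].add(fp)
        known_countries[acct].add(ev["country"])
    return listed, alerts


if __name__ == "__main__":
    listed, alerts = analyze(SAMPLE_LOG)
    for row in listed:
        print("listed:", row)
    for alert in alerts:
        print("ALERT:", alert)
```

The two alert kinds map onto the two reactions the page describes: a new device earns an informational email, while an unseen country is the case that triggers the extra verification step at sign-in.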

In other related news, Google has a new security dashboard that shows information about your password, recovery options, notifications for unusual activity, 2-step verification and connected applications/sites.


{ Thanks, Florian K. and Herin. }

April 3, 2013

Google Blocks Gmail's Mail Fetcher

Google has added many security features that protect user accounts over the years: SSL access to most services, Google Safe Browsing, Gmail's spam and phishing filters, 2-step verification, phone number verification and Gmail's account activity monitoring.

Sometimes Google's security features are extra paranoid and block Google's own services. I tried to use the mail fetcher feature from a secondary Gmail account and Google mentioned that the authentication failed (it's been enabled before). I entered the right password and Google still couldn't authenticate. Then Google started to show warnings in my main Gmail account, at the top of Google search pages and even sent an email and an SMS message: "Someone recently tried to use an application to sign in to your Google Account. We prevented the sign-in attempt in case this was a hijacker trying to access your account."

Google sent me to this page which says: "We detected activity on your Google Account from a location you don't usually sign in from." The IP address is 209.85.192.147 (mail-pd0-f147.google.com) and it's from the United States. Obviously, it's Google's own IP address.




How to fix this issue? Go to this page, click "Yes" and "Yes - Continue". From the Google confirmation message: "As a security precaution, Google may prevent an application from accessing your account if it's the first time we've seen this application sign in to your account, or if it's attempting to sign in from a new location."


Then Google sends you to this page and you need to click "Continue" and "sign in using the application you want to authorize access to your account within the next ten minutes."


Unfortunately for Google, it wasn't even the first time Gmail's mail fetcher had been enabled for that account. Google should find a way to make Gmail's mail fetcher work without having to jump through hoops.

December 12, 2012

Security Notifications for Google Accounts

A Google help center page mentions a new feature that will be added to the Google Account settings page: security notifications.


"Google notifies you via email and/or text message when your password is changed, and when we detect a suspicious attempt to sign in to your account. If you receive a notification about a password change you didn't make, or an attempt to sign in to your account that wasn't you, these email and text message notifications will provide details on next steps to help you secure your account," informs Google.

This feature should be available under the "security" tab of the Account Settings page, but I don't see it. Maybe it's enabled in your accounts.

In other related news, the Account Settings page has a new interface and shows information about your account activity, a large photo from your profile and Google Drive storage data.


{ Thanks, Herin. }

February 2, 2012

Android Market's Malware Scanner

Google doesn't like to manually review user-generated content. It's not efficient and algorithms can do a better job. Imagine how many people would need to be hired to watch all the videos submitted to YouTube (60 hours of videos uploaded every minute).

In some ways, uploading an application to the Android Market is just like uploading a video to YouTube. Sure, you need to pay a fee, but you don't have to wait until a Google employee checks the application. Unfortunately, this also means that the application can include malware, deceive users, crash or spam your contacts. Google usually reviewed an app only after enough users reported that it was malicious.

Now there's a new service called Bouncer "which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process. The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here's how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google's cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior".

That seems like a great idea: Google actually tests the apps without having to wait until other users install them and notice there's something wrong. The bad news is that this service was tested last year and was used to find potentially-malicious apps. Despite that, the apps infected by DroidDream were found by a security vendor and not by Google.

"The service has been looking for malicious apps in Market for a while now, and between the first and second halves of 2011, we saw a 40% decrease in the number of potentially-malicious downloads from Android Market. This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that malicious applications are on the rise," says Google. Another explanation could be that Google's service is not good enough.

Google also says that Android "makes malware less potent" because it uses sandboxing, it displays the list of permissions and Android Market can remotely remove malware. I don't think that most users read the list of permissions. They simply ignore them, click "OK" and install the application. Maybe it would be a better idea to require users to explicitly enable sensitive permissions when they're using the apps.

While security vendors try to scare Android users and push their products, Google should focus on removing spam and malware from the Android Market and make it a safer place. Improving Android's security model and finding ways to install security updates faster are also important.

October 18, 2011

Google Encrypted Search for Logged-in Users

Google announced that in the coming weeks all Google.com users who are logged in will be redirected to Google Secure Search. The secure version of Google Search was launched last year and now includes all the features of the regular Google interface. The main difference is that the connection is encrypted, so your queries are visible only to Google: ISPs, network administrators, anyone intercepting your connection and the webmasters of the pages in Google's search results won't be able to see what you searched for (an observer can still tell that you're talking to Google, just not what you asked). "SSL encrypts the communication channel between Google and a searcher's computer. When search traffic is encrypted, it can't easily be decoded by third parties between a searcher's computer and Google's servers," as Google says.

"As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we're enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra 's') when you're signed in to your Google Account. This change encrypts your search queries and Google's results page. This is especially important when you're using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe," explains Google.


Right now, https://www.google.com no longer redirects to https://encrypted.google.com and Google no longer tells users that they're using Secure Search. Keep in mind that no other major search engine offers this feature and that SSL has a performance penalty, which means that search results pages will load slower. This is especially noticeable when you use Google Instant and the results don't show up as fast as before.

After the security incident from December 2009, Google went to great lengths to make its services more secure. Most services that require authentication default to SSL and many no longer offer unencrypted versions. It's interesting to see that Google Search will be treated just like Gmail, Google Docs, Google+ and other services that store user data even if this change won't make too many people happy (users will complain that search results pages load slower, webmasters will complain that their logs will be less useful, AdSense ads from search results will no longer be able to use the Google query and fewer users will click them, companies won't be able to monitor their employees' Google searches). Google already offers some solutions that address these issues: webmasters can use Google Webmaster Tools to find the most popular Google searches that sent users to their sites, while network admins can try the NoSSLSearch option.

It's an important change, but I don't see why signed-in users should be treated differently and why protecting user queries outweighs the drawbacks mentioned earlier. One of the explanations could be that search will no longer be a distinct service and will integrate with Google+, Gmail and Google Docs so much that it will be hard to notice when you've switched to a different app. Larry Page, Google's CEO, has recently said that "our ultimate ambition is to transform the overall Google experience, making it beautifully simple, almost automagical, because we understand what you want and can deliver it instantly. This means baking identity and sharing into all of our products so that we build a real relationship with our users. Sharing on the Web will be like sharing in real life across all your stuff."

July 20, 2011

Google's Yellow Malware Warning Box

Google started to show a yellow warning box at the top of the search results pages if the computer is likely to be infected with malware that changes Web pages, inserts ads and sends users to other pages to download more malware.


"Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software (...) that causes infected computers to send traffic to Google through a small number of intermediary servers called proxies," explains Google.

Showing a warning message is not foolproof, since the malware could simply remove it or imitate it to push more malware. Google links to a page titled "Your computer appears to be infected", which suggests installing antivirus software and performing a system scan. The page doesn't suggest installing a different operating system or buying a Chromebook.

"Some forms of malicious software will alter your computer settings to redirect some or all of your traffic through a proxy controlled by the attacker. When you use Google, the proxy forwards your query to the real Google servers to fetch the search results. If our system detects that a search came through one of these proxies, we display the warning," informs Google.

{ Thanks, Herin. }

June 25, 2009

Google Account Recovery via SMS

Google added a new password recovery option: you can now associate a mobile phone number with your Google Account and Google will send a recovery code by SMS.

"Since most people use cell phones these days, we decided text messaging would be an easy, convenient addition to our password recovery options. To set up password recovery via your mobile phone, just sign in to your account and click Change Password Recovery Options. Enter your mobile phone number and current password and then click Save. If you lose access to your account for any reason, you'll be able to regain access by entering a code we'll send in a text message."


For now, the option is only available in the US, so you need to use a US proxy to see it. Google also updated the password recovery settings page to include all the account-recovery options: secondary email addresses, text messages and the security question.

Update: the feature is now available everywhere.

{ via Blogoscoped Forum }

January 3, 2009

Update Vulnerable Programs

Secunia is a respected security service provider that tracks vulnerabilities in more than 20,000 applications and operating systems. To find out about the latest vulnerabilities, you could subscribe to Secunia's mailing lists, but if you want to know whether there are known security issues in the software installed on your computer, install Secunia Personal Software Inspector (PSI).

The Windows application scans your computer and lists the insecure programs, information about their vulnerabilities and links to the patches. In most cases, Secunia provides direct links to the latest updates, so they are easy to download and install. To see more details about the security problems and a list of all the software on your computer that needs updating, switch to the advanced interface.
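The core of such an inspector is a comparison of installed versions against the first fixed version in an advisory feed, and the easy mistake is comparing version strings lexically. The script below is an added example in the style described above, not Secunia's code; the advisory feed and the inventory dump are constructed, and treating each product as having a single fixed version is a simplification (real feeds carry fixes per branch).

```python
import re

# Constructed advisory feed: product -> (first fixed version, advisory reference).
ADVISORIES = {
    "Adobe Reader": ("8.1.3", "SA-EXAMPLE-1"),
    "Firefox":      ("3.0.5", "SA-EXAMPLE-2"),
    "Java Runtime": ("1.6.0_11", "SA-EXAMPLE-3"),
}

# Constructed inventory dump, one 'name<TAB>version' per line, as an uninstall
# list or package manager would export it.
INVENTORY = """\
Adobe Reader\t8.1.2
Firefox\t3.0.5
Java Runtime\t1.6.0_7
Notepad++\t5.1.2
"""


def version_key(version):
    """Split '1.6.0_11' into (1, 6, 0, 11) so comparisons are numeric:
    as strings '1.6.0_11' sorts before '1.6.0_7', which would hide the update."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_inventory(text):
    """Turn the dump into {name: version}, skipping blank lines."""
    programs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, version = line.partition("\t")
        programs[name.strip()] = version.strip()
    return programs


def insecure_programs(inventory, advisories=ADVISORIES):
    """Return [(name, installed, fixed, reference)] for every program that is
    older than the version the advisory says fixes the problem."""
    findings = []
    for name, installed in inventory.items():
        if name not in advisories:
            continue
        fixed, reference = advisories[name]
        if version_key(installed) < version_key(fixed):
            findings.append((name, installed, fixed, reference))
    return findings


def share_with_insecure(inventories, advisories=ADVISORIES):
    """Fraction of hosts with at least one insecure program, the figure Secunia
    reports across its users."""
    if not inventories:
        return 0.0
    hit = sum(1 for inv in inventories if insecure_programs(inv, advisories))
    return hit / len(inventories)


if __name__ == "__main__":
    for name, installed, fixed, reference in insecure_programs(parse_inventory(INVENTORY)):
        print(f"{name}: {installed} installed, {fixed} fixes {reference}")
```

Programs absent from the feed (Notepad++ here) are reported as nothing at all, which is the other limitation of this approach: a scanner can only be as complete as its advisory data.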


Secunia collected data from 20,000 users of the software and found at least one vulnerability in 98.09% of the cases. "By insecure program it is understood, that there is a newer version of the program available from the vendor that corrects one or more vulnerabilities, but the user has yet to install the secure version. A vulnerability in a program can be exploited by hackers to anything from compromising a PC, to automatically install trojans/viruses, to sniff out private information (passwords, credit cards information, etc)."

Not all applications include an auto-update mechanism, so users have to update them manually. Google is one of the companies that thinks it's important to update software without any user intervention, which is why most Google software either has its own auto-update feature or is integrated with Google Update.

Secunia's software focuses on updates that solve security problems. More comprehensive solutions for updating your software include UpdateStar, FileHippo Update Checker and Appget, but none of them is very reliable.



July 24, 2008

Force Gmail to Always Use Secure Connection

Gmail is rolling out a new option that lets you make the https version the default. If you go to Settings and select "Always use https", Gmail will automatically redirect you to the secure version. Until now, you had to manually type https://mail.google.com in the address bar, bookmark that address or use a Greasemonkey script.


"If you sign in to Gmail via a non-secure Internet connection, like a public wireless or non-encrypted network, your Google account may be more vulnerable to hijacking. Non-secure networks make it easier for someone to impersonate you and gain full access to your Google account, including any sensitive data it may contain like bank statements or online log-in credentials. We recommend selecting the 'Always use https' option in Gmail any time your network may be non-secure," explains Google.

Read, for example, David Pogue's post about Wi-Fi eavesdropping. "All Jon needed [to read my mail] was a packet sniffing program; such software is free and widely available. (He used a Mac program called Eavesdrop.) It sniffs the airwaves and displays whatever data it finds being transmitted in the public hot spot."

Https is typically used for sites that deal with sensitive data, so you'll see it when you sign in to sites like Google or Facebook and when you use your online banking account, PayPal, Google AdWords and a handful of similar sites. The benefit is that the connection between your browser and the remote servers is encrypted, so someone capturing the traffic on the same network can't read the sensitive data it carries.
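To make the difference concrete, here is an added example (not part of the original post or of any Google tool) showing what a sniffer such as the one in Pogue's story sees in each case. The HTTP request is a constructed capture with placeholder cookie values; the TLS ClientHello is built by the script itself with the same layout real clients send, so the parser can be checked offline. Only the first handshake message is modelled, because everything after it is encrypted.

```python
import os
import struct

# Constructed plaintext capture of the kind a Wi-Fi sniffer would display.
HTTP_CAPTURE = (
    b"GET /mail/?ui=2 HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n"
    b"Cookie: GX=example-session-token; GMAIL_AT=example-action-token\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)


def plaintext_view(payload):
    """What an eavesdropper learns from an unencrypted request: host, path and
    the session cookies that let them act as the user."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _, path, _ = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return {"host": headers.get("Host"), "path": path, "cookie": headers.get("Cookie")}


def build_client_hello(hostname):
    """Minimal TLS 1.2 ClientHello record carrying a server_name extension."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list length, host_name type, name length
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # extension type 0 = server_name
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                     # one cipher suite
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_view(record):
    """What an eavesdropper learns from the TLS handshake: at most the SNI hostname.
    Returns None if the bytes are not a ClientHello record."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                # record header, handshake header, version, random
    p += 1 + record[p]                                # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                                # compression methods
    if p >= len(record):
        return {"host": None}                         # no extensions at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                # server_name: skip list length and name type
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return {"host": record[p + 5:p + 5 + name_len].decode()}
        p += elen
    return {"host": None}
```

The plaintext view hands the attacker the session cookies, which is the hijacking Google warns about; the TLS view yields only the hostname, so the eavesdropper learns that you use Gmail but nothing about which messages you read or the tokens that authenticate you.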

"We use https to protect your password every time you log into Gmail, but we don't use https once you're in your mail unless you ask for it (by visiting https://mail.google.com rather than http://mail.google.com). Why not? Because the downside is that https can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the internet as efficiently as unencrypted data," says the Gmail blog.

Besides the performance cost, Google also warns that the Gmail mobile application could show errors unless you enable 'Always use secure network connections (slower performance)' in the app's settings. If you use Firefox, don't forget to disable any Greasemonkey scripts that redirect Gmail to the secure version and to turn off the equivalent option in Firefox extensions like Better Gmail and CustomizeGoogle.

The good news is that you don't need a similar setting for other Google applications if you use the navigation bar: Google automatically links to the secure versions of Google Calendar, Google Docs, Google Reader and Google Sites. If you don't see the new option in Gmail's settings, you have to wait until Gmail enables it in your account.