Google Public Policy Blog posted a response to a tremdonous exposé on Google HTTPS by a group of researchers (at least "signed" by a group of researchers).  It really wasn’t all that in-depth, but it was a good report none-the-less.  Could it have been a blog post?  Yes.  Would it have been as effective?  No and Yes.  I think getting Google to respond to something publicly is a step forward in their cause and doesn’t do any damage to Google.

It only helps everyone I believe.  The more people that know about web security – a better web will be had for all.

The overview from the research paper:

Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. (1)

What they want done:

Rather than forcing users of Gmail, Docs and Calendar to “opt-in” to adequate security, Google should make security and privacy the default. (1)

I think Google is an unfair target in this situation.  I tried getting HTTPS on my Yahoo! mail – no going.  No options.  Appending https to mail.yahoo.com only encrypts your login and not your mail session.  How about getting them to change??

I don’t know about hotmail or live mail whatever it is called now, but I suspect that is also the same.  Google is far ahead of its competition, yet, they are singled out?  I don’t get it, but I do.

Google is an agent of change and represents the future; they are held to a higher standard.  They should be applauded for all the good they have done for the web and all of us. 

I’m not sure if Google should be forced into this situation of automatically enabling HTTPS for all users; do we need HTTPS at home?  How many of their users access from home or other secured network?  This is a question that Google alone can answer.  Sure, it would be nice to protect all the people who have no clue about security, but is that Google’s responsibilty?

I don’t know.  Should Google start a new PR campaign about the dangers of using unencrypted HTTP on a public network?  That sounds like something Microsoft or Yahoo! would do.