Tuesday, January 20, 2009

SSL Connections at Google Apps

 

SSL Connections

This article describes a feature for Premier and Education Editions only.

SSL (Secure Sockets Layer) is a protocol that provides secure communications on the Internet for such things as web browsing, e-mail, instant messaging and other data transfers. If you enable SSL connections, Google will force HTTPS (Hypertext Transfer Protocol Secure) when your users access most services in Google Apps. Some access points do not offer SSL.

SSL varies by service:

Email - Yes.
Calendar - Yes.
Docs - Yes.
Sites - Yes.
Chat - Yes. SSL is supported for Chat in Gmail. The Google Talk Client always connects over a secure connection (TLS).
Video - Not available.
Start Page - Not available. This includes start page gadgets for email, chat, calendar, and docs account.

Additionally, as the administrator, if you access your account by linking directly from the control panel, HTTPS is not forced.

The advantage of SSL is added security for your users. If your users access Google Apps on a non-secure Internet connection, such as a public wireless or non-encrypted network, your users' accounts may be more vulnerable to hijacking. A secure connection prevents hijacking by protecting the cookie session. Cookie session hijacking refers to a situation where an impostor gains unauthorized access to cookies and seizes control of a legitimate session while it is still in progress.

However, forcing HTTPS for your users can make Gmail a little slower. If you trust the security of your network, you can turn this feature off at any time. When the feature is disabled, your users will access Google Apps via HTTP (Hypertext Transfer Protocol).

To enable this feature for your domain:

  1. Log in to the control panel.
  2. Click Domain settings.
  3. Under the General tab and in the SSL section, check the box next to Enable SSL.
  4. Click Save changes.

To enable this feature for an individual email account, visit the Gmail Help Center.

Note: If you force HTTPS for your domain, your users won't be able to disable HTTPS on an individual basis. However, if you don't force HTTPS for your domain, your users can enable HTTPS when necessary.
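
The effect of HTTP versus HTTPS on the session cookie described above, as an added example that is not part of the original article: it applies the browser's rule for the Secure cookie attribute to constructed Set-Cookie headers and lists which cookies cross the network in cleartext. The cookie names, values and the host mail.example.test are made up for illustration, and domain and path matching are left out.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers (sample values, not real Google cookies).
SAMPLE_SET_COOKIE = [
    "SESSION=constructed-session-token; Path=/; HttpOnly",
    "SESSION_SSL=constructed-secure-token; Path=/; Secure; HttpOnly",
    "PREFS=lang-en; Path=/",
]


def parse_set_cookie(headers):
    """Return {cookie name: has Secure attribute} for Set-Cookie header lines."""
    jar = {}
    for line in headers:
        cookie = SimpleCookie()
        cookie.load(line)
        for name, morsel in cookie.items():
            jar[name] = bool(morsel["secure"])
    return jar


def cookies_sent(jar, url):
    """Cookies a browser attaches to a request for url (scheme rule only):
    a Secure cookie is withheld from http:// requests, all others are sent."""
    https = urlsplit(url).scheme == "https"
    return sorted(name for name, secure in jar.items() if https or not secure)


def exposed_on_network(jar, url):
    """Cookies readable by anyone observing the network path for this request."""
    if urlsplit(url).scheme == "https":
        return []  # TLS encrypts the whole request, Cookie header included
    return cookies_sent(jar, url)


if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_SET_COOKIE)
    for url in ("http://mail.example.test/inbox",
                "https://mail.example.test/inbox"):
        print(url)
        print("  sent:   ", cookies_sent(jar, url))
        print("  exposed:", exposed_on_network(jar, url))
```

A session cookie set without the Secure attribute is still attached to any plain HTTP request the browser makes to the host, which is the case the first URL shows.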
