Question

I need to make a query to one of Google's services. I read this answer: "download csv from google insight for search".
The copied and pasted code from that question is:

    using (var client = new WebClient())
    {
        // TODO: put your real email and password in the request string
        var response = client.DownloadString("https://www.google.com/accounts/ClientLogin?accountType=GOOGLE&Email=youraccount@gmail.com&Passwd=secret&service=trendspro&source=test-test-v1");
        // The SID is the first line in the response
        var sid = response.Split('\n')[0];
        client.Headers.Add("Cookie", sid);
        byte[] csv = client.DownloadData("http://www.google.com/insights/search/overviewReport?q=test&cmpt=q&content=1&export=2");

        // TODO: do something with the downloaded csv file:
        Console.WriteLine(Encoding.UTF8.GetString(csv));
        File.WriteAllBytes("report.csv", csv);
    }

I want to know whether sending the password in the string is secure, or can it be grabbed?

If this is not secured, how should it be done?

Solution

Since it uses https (not plain HTTP) it should be about as secure as most anything else can ever be on the net. All data, including the URL, travel on an encrypted channel once the underlying TLS connection's established.

OTHER TIPS

This is one of those "good news, bad news" situations.

Good news: The password can't be grabbed by an eavesdropper (because it is sent over HTTPS: encrypted).

Bad news: the session cookie can be grabbed by an eavesdropper (because it is sent over HTTP: not encrypted). As Firesheep has demonstrated, letting someone get access to your Google session cookie is dangerous, as it gives the attacker access to your email and other content stored on Google.

If you can change the http URL to a https URL, that would be safer.
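
A guard for the cookie exposure described in the answer above, as an added example that is not part of the original question or answers: a `WebClient` subclass that refuses to send a `Cookie` header on a non-HTTPS request. The names `HttpsOnlyCookieClient` and `ToHttps` and the `SID` value are constructed for illustration; whether the report endpoint answers over HTTPS is an assumption, so the demo makes no network call.

```csharp
using System;
using System.Net;

// Added example, not from the original post.
// A WebClient that will not put a Cookie header on a non-HTTPS request.
class HttpsOnlyCookieClient : WebClient
{
    protected override WebRequest GetWebRequest(Uri address)
    {
        bool hasCookie = !string.IsNullOrEmpty(Headers["Cookie"]);
        if (hasCookie && address.Scheme != Uri.UriSchemeHttps)
        {
            // Thrown before any request object exists, so nothing is sent.
            // A WebException passes through DownloadData/DownloadString unwrapped.
            throw new WebException(
                "Refusing to send Cookie header over " + address.Scheme + " to " + address.Host);
        }
        return base.GetWebRequest(address);
    }

    // Same host, path and query, but over TLS on the default HTTPS port.
    public static Uri ToHttps(Uri address)
    {
        var builder = new UriBuilder(address) { Scheme = Uri.UriSchemeHttps, Port = -1 };
        return builder.Uri;
    }
}

static class Demo
{
    static void Main()
    {
        // The plain-HTTP report URL from the question.
        var reportUrl = new Uri("http://www.google.com/insights/search/overviewReport?q=test&cmpt=q&content=1&export=2");
        using (var client = new HttpsOnlyCookieClient())
        {
            client.Headers.Add("Cookie", "SID=constructed-placeholder"); // constructed value
            try
            {
                client.DownloadData(reportUrl); // plain HTTP: blocked by the guard
            }
            catch (WebException ex)
            {
                Console.WriteLine(ex.Message);
            }
            Console.WriteLine("Use instead: " + HttpsOnlyCookieClient.ToHttps(reportUrl));
        }
    }
}
```

The guard checks only the URL passed to the client, not any redirect the server issues afterwards.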

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow