
Gmail sessions are vulnerable if the feature is not enabled

A friendly FYI for all my fellow Gmail users out there: Google has added a full, mandatory SSL mode to its Gmail service, and I highly suggest that you enable it. Even though Google’s blog post is dated July 24, it says the feature is still being rolled out to all users.

Why? A hack detailed at last week’s DEF CON outlined an easy way for an attacker to steal your Gmail session cookie, allowing them to hijack your Gmail account as if they were logged in as you.

Gmail’s previous HTTPS implementation only seemed to encrypt the login interface: everything you did after logging in was sent as plaintext HTTP, something I had noticed and that has always made me uneasy. The cookie exchange itself appeared to be protected (well, at least until this year’s DEF CON), even though the rest of your session ran without SSL.
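To make the mechanism concrete, here is an added example (not code from the article or from Google) that models the browser side of the problem with Python's standard http.cookiejar, which applies the same rule real browsers do: a cookie marked `Secure` is attached only to https:// requests, while a cookie without that flag rides along on every plain http:// request to the same host, where anyone on the network path can read it. The hostname, cookie name and value are constructed for illustration; the `Secure` flag is used here as the cookie-side counterpart of the "always use HTTPS" setting the article describes.

```python
"""Why a session cookie issued over HTTPS still leaks when the rest of the
session runs over plain HTTP, and how the Secure flag stops it.

Added example; hostnames and cookie values are constructed, not real."""
import io
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request
from urllib.response import addinfourl

LOGIN_URL = "https://mail.example.test/login"   # constructed hostname


def login_and_store(set_cookie_header: str) -> CookieJar:
    """Simulate the HTTPS login response that hands the browser its session cookie."""
    jar = CookieJar()
    headers = Message()
    headers["Set-Cookie"] = set_cookie_header
    # addinfourl gives extract_cookies() the response-like object it expects
    response = addinfourl(io.BytesIO(b""), headers, LOGIN_URL)
    jar.extract_cookies(response, Request(LOGIN_URL))
    return jar


def cookie_header_for(jar: CookieJar, url: str):
    """Return the Cookie header the 'browser' would send to url, or None."""
    request = Request(url)
    jar.add_cookie_header(request)   # applies domain, path and Secure checks
    return request.get_header("Cookie")


def leaking_urls(set_cookie_header: str, urls):
    """URLs from `urls` to which the session cookie would be sent in cleartext."""
    jar = login_and_store(set_cookie_header)
    return [u for u in urls
            if u.startswith("http://") and cookie_header_for(jar, u) is not None]


# Constructed cookies: the first mirrors a session cookie usable over HTTP,
# the second carries the Secure flag and is restricted to HTTPS.
SESSION_WEAK = "SID=deadbeef; Path=/; HttpOnly"
SESSION_HARDENED = "SID=deadbeef; Path=/; HttpOnly; Secure"

if __name__ == "__main__":
    urls = ["http://mail.example.test/inbox", "https://mail.example.test/inbox"]
    print("without Secure flag, cookie leaks to:", leaking_urls(SESSION_WEAK, urls))
    print("with Secure flag, cookie leaks to:   ", leaking_urls(SESSION_HARDENED, urls))
```

Run it as a script and the weak cookie is reported as leaking to the http:// inbox URL, while the hardened cookie is never attached to it. Forcing the whole session onto HTTPS, as the Gmail setting does, removes the plaintext requests altogether; marking the cookie `Secure` is the complementary server-side guard that keeps it off any stray HTTP request.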

It’s important to note that cookie hijacking is nothing new, and I and plenty of others have wondered why it has taken Google so long to fully implement its HTTPS support. I was never comfortable doing my work from a net café, for example, so I typically worked through an SSH tunnel to my Linux box at home.

The SSL feature, however, appears to have been available in some form since 2004, if you knew how to invoke it. Why wasn’t this publicized earlier?

In any case, now that the cookie-hijack attack is way out in the wild, be sure you’re appropriately protected. The feature is available in your Gmail account’s Settings screen, towards the bottom: be sure “Always use https” is checked.


Good Article
By Oralen on 8/20/2008 4:00:49 AM , Rating: 5
Informative and useful.

I would like more of that kind, and less of the "Playstation/Xbox, PC/Apple, Nvidia/Amd/Intel I-am-ten-year-old-and-I-have-an-opinion" flame wars "news", please.

Keep up the good work, and thank you.

RE: Good Article
By Smilin on 8/20/2008 12:33:35 PM , Rating: 2
Aye, good article.

I've got a pretty much unused gmail account so I hadn't been paying attention. I guess I'm kinda stunned to hear that it hasn't been full SSL all along.

RE: Good Article
By Hare on 8/22/2008 12:51:36 AM , Rating: 2
Before there was the option of always using SSL, I noticed that used https while and some other domain used plain http.

It was a nice trick to always use for encrypted mail. Anyway, nice to see SSL as standard (like it always should have been).

RE: Good Article
By jtesoro on 8/25/2008 11:08:21 AM , Rating: 2
Does the threat apply to other mail services as well like Yahoo mail or MS's hotmail? Should be standard across the board with mail services if so.

RE: Good Article
By Axbattler on 8/21/2008 5:59:49 PM , Rating: 2
Another thanks from me. The lack of https is one of the reasons I have a Gmail account I use exclusively when travelling for use with unsecured public wi-fi. I'll still keep the account for quick emails when I am at an Internet cafe or using a public PC in case there is password-stealing malware on the system, but as far as my own devices are concerned, I can have more peace of mind.

RE: Good Article
By bodar on 8/21/2008 6:52:54 PM , Rating: 2
Righteo then:

Gmail is teh roxor! Yahoo is for total nubs, and Hotmail is teh ghey!!!1!one!

*insert part where I claim to be "First" even though I am blatantly not*

RE: Good Article
By Clauzii on 8/24/2008 12:43:01 PM , Rating: 2
Heard of Works everywhere too :) And with 2GB mailspace and a free 1GB account it's pretty sweet :)

Google Apps?
By WobbleWobble on 8/20/2008 12:12:52 PM , Rating: 5
I wonder when they will enable this for Google Apps users?

By Ringold on 8/20/2008 1:49:09 AM , Rating: 2
for the heads up.

PS3 > X360 > Wii
By Cullinaire on 8/20/2008 9:37:55 PM , Rating: 2
...I mean, thanks for the heads up! I love my Gmail account.

Good Info
By Venator on 8/23/2008 11:01:15 AM , Rating: 2
This is great information for the everyday user and mass market crowd.

Just wanted to point out that this was reported in December 2005 by Steve Gibson of the Gibson Research Corp.

Contraband Check
By chmilz on 8/23/2008 3:36:04 PM , Rating: 2
Ha! Picture reminded me of that Family Guy scene with Cookie Monster in rehab

...and this little number from Photoshop Phriday a while back (at bottom of page)

By lemonadesoda on 8/23/2008 8:40:24 PM , Rating: 2
Mandatory option?

Copyright 2016 DailyTech LLC.