A friendly FYI for all my fellow Gmail users out there: Google added a full, mandatory SSL mode to its Gmail service, and I highly suggest that you enable it. Even though Google’s blog post is dated July 24, it says it’s in the process of rolling the feature out to all its users.
Why? A hack detailed at last week’s DEF CON outlined an easy way for an attacker to steal your Gmail session cookie, allowing them to hijack your Gmail account as if they were logged in as you.
Gmail’s previous HTTPS implementation only seemed to encrypt the authentication interface, meaning that everything you did after logging in was sent as plaintext HTTP, an observation I’d noticed that’s always made me uneasy. The cookie exchange appears to have been protected – well, at least until this year’s DEF CON – even though the rest of your session seemed to operate sans SSL.
It’s important to note that cookie hijacking is nothing new, and both myself and plenty of others are wondering why it’s taken Google so long to fully implement its HTTPS support – I was never comfortable when I went out to do my work at a net café, for example, so typically I would do my work through an SSH tunnel to my Linux box at home.
The SSL feature, however, appears to have been available in some form since 2004, if you knew how to invoke it. Why wasn’t this publicized earlier?
In any case, now that the cookie-hijack attack is way out in the wild, be sure you’re appropriately protected. The feature is available in your Gmail account’s Settings screen, towards the bottom: be sure “Always use https” is checked.