
Gmail sessions are vulnerable if the feature is not enabled

A friendly FYI for all my fellow Gmail users out there: Google added a full, mandatory SSL mode to its Gmail service, and I highly suggest that you enable it. Even though Google’s blog post is dated July 24, it says it’s in the process of rolling the feature out to all its users.

Why? A hack detailed at last week’s DEF CON outlined an easy way for an attacker to steal your Gmail session cookie, allowing them to hijack your Gmail account as if they were logged in as you.

Gmail’s previous HTTPS implementation only seemed to encrypt the authentication interface, meaning that everything you did after logging in was sent as plaintext HTTP, something I had noticed and that always made me uneasy. The cookie exchange appeared to be protected – well, at least until this year’s DEF CON – even though the rest of your session operated sans SSL.

It’s important to note that cookie hijacking is nothing new, and I and plenty of others are wondering why it’s taken Google so long to fully implement its HTTPS support. I was never comfortable doing my work at a net café, for example, so I would typically route it through an SSH tunnel to my Linux box at home.

The SSL feature, however, appears to have been available in some form since 2004, if you knew how to invoke it. Why wasn’t this publicized earlier?

In any case, now that the cookie-hijack attack is way out in the wild, be sure you’re appropriately protected. The feature is available in your Gmail account’s Settings screen, towards the bottom: be sure “Always use https” is checked.
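As an added example (not part of this article or of anything Google ships), here is a small audit of Set-Cookie headers for the exposure described above: a session cookie without the Secure attribute is one the browser will also send over plain HTTP. The cookie names and header values are constructed for the example, not captured from Gmail.

```python
# Added example, not from the DailyTech post: flag session cookies that a
# browser would send over plaintext HTTP. Sample headers are constructed.
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    problems: list = field(default_factory=list)


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_session_cookies(set_cookie_headers, session_names):
    """Return findings for session cookies that could leak on an open network.

    session_names: the cookie names the site uses for its login session
    (assumed here; pass whatever the site actually sets). Without Secure the
    cookie rides along on any http:// request to the domain; without HttpOnly
    it is also readable by page scripts.
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue
        finding = CookieFinding(name)
        if "secure" not in attrs:
            finding.problems.append("missing Secure: sent over plain HTTP")
        if "httponly" not in attrs:
            finding.problems.append("missing HttpOnly: readable by scripts")
        if finding.problems:
            findings.append(finding)
    return findings


# Constructed responses: a pre-fix style session cookie and a hardened one.
WEAK_HEADERS = ["SID=abc123; Domain=.example.com; Path=/; Expires=Wed, 20 Aug 2008 00:00:00 GMT",
                "prefs=dark; Path=/"]
HARDENED_HEADERS = ["SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for f in audit_session_cookies(WEAK_HEADERS, {"SID"}):
        print(f.name, f.problems)
```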




Good Article
By Oralen on 8/20/2008 4:00:49 AM , Rating: 5
Informative and useful.

I would like more of that kind, and less of the "Playstation/Xbox, PC/Apple, Nvidia/Amd/Intel I-am-ten-year-old-and-I-have-an-opinion" flame wars "news", please.

Keep up the good work, and thank you.




RE: Good Article
By Smilin on 8/20/2008 12:33:35 PM , Rating: 2
Aye, good article.

I've got a pretty much unused gmail account so I hadn't been paying attention. I guess I'm kinda stunned to hear that it hasn't been full SSL all along.


RE: Good Article
By Hare on 8/22/2008 12:51:36 AM , Rating: 2
Before there was the option of always using SSL, I noticed that mail.google.com used https while www.google.com and some other domain used plain http.

It was a nice trick to always use mail.google.com for encrypted mail. Anyway, nice to see SSL as standard (like it always should have been).


RE: Good Article
By jtesoro on 8/25/2008 11:08:21 AM , Rating: 2
Does the threat apply to other mail services as well like Yahoo mail or MS's hotmail? Should be standard across the board with mail services if so.


RE: Good Article
By Axbattler on 8/21/2008 5:59:49 PM , Rating: 2
Another thanks from me. The lack of https is one of the reasons I have a Gmail account I use exclusively when travelling for use with unsecured public wi-fi. I'll still keep the account for quick emails when I am at an Internet cafe or using a public PC in case there is password-stealing malware on the system, but as far as my own devices are concerned, I can have more peace of mind.


RE: Good Article
By bodar on 8/21/2008 6:52:54 PM , Rating: 2
Righteo then:

Gmail is teh roxor! Yahoo is for total nubs, and Hotmail is teh ghey!!!1!one!

*insert part where I claim to be "First" even though I am blatantly not*


RE: Good Article
By Clauzii on 8/24/2008 12:43:01 PM , Rating: 2
Heard of goowy.com? Works everywhere too :) And with 2GB mailspace and a free 1GB box.net account it's pretty sweet :)


Copyright 2014 DailyTech LLC.