backtop


Print

Gmail sessions are vulnerable if the feature is not enabled

A friendly FYI for all my fellow Gmail users out there: Google added a full, mandatory SSL mode to its Gmail service, and I highly suggest that you enable it. Even though Google’s blog post is dated July 24, it says it’s in the process of rolling the feature out to all its users.

Why? A hack detailed at last week’s DEF CON outlined an easy way for an attacker to steal your Gmail session cookie, allowing them to hijack your Gmail account as if they were logged in as you.

Gmail’s previous HTTPS implementation only seemed to encrypt the authentication interface, meaning that everything you did after logging in was sent as plaintext HTTP, an observation I’d noticed that’s always made me uneasy. The cookie exchange appears to have been protected – well, at least until this year’s DEF CON – even though the rest of your session seemed to operate sans SSL.

It’s important to note that cookie hijacking is nothing new, and both myself and plenty of others are wondering why it’s taken Google so long to fully implement its HTTPS support – I was never comfortable when I went out to do my work at a net café, for example, so typically I would do my work through an SSH tunnel to my Linux box at home.

The SSL feature, however, appears to have been available in some form since 2004, if you knew how to invoke it. Why wasn’t this publicized earlier?

In any case, now that the cookie-hijack attack is way out in the wild, be sure you’re appropriately protected. The feature is available in your Gmail account’s Settings screen, towards the bottom: be sure “Always use https” is checked.





"We basically took a look at this situation and said, this is bullshit." -- Newegg Chief Legal Officer Lee Cheng's take on patent troll Soverain






Most Popular ArticlesSuper Hi- Vision Will Amaze the World
January 16, 2017, 9:53 AM
Samsung Chromebook Plus – Coming in February 2017
January 17, 2017, 12:01 AM
Samsung 2017 Handset’s Updates
January 17, 2017, 12:01 AM
Comparison – Surface Pro VS Tbook X5 Pro
January 21, 2017, 7:00 AM
Comparison – iPad Mini Vs Huawei MediaPad M3
January 19, 2017, 2:08 AM

Latest Blog Posts
Apple Watch
Saimin Nidarson - Jan 24, 2017, 6:51 AM
Some new News
Saimin Nidarson - Jan 23, 2017, 8:59 AM
What is new?
Saimin Nidarson - Jan 22, 2017, 7:00 AM
News
Saimin Nidarson - Jan 20, 2017, 7:00 AM
News of the World
Saimin Nidarson - Jan 19, 2017, 7:00 AM
Some tips
Saimin Nidarson - Jan 17, 2017, 12:16 AM
News of the Day
DailyTech Staff - Jan 16, 2017, 12:10 PM
Tech News
Saimin Nidarson - Jan 15, 2017, 12:32 AM
Here is Some News
Saimin Nidarson - Jan 14, 2017, 12:39 AM
News around the world
Saimin Nidarson - Jan 12, 2017, 12:01 AM
Rumors and Announcements
Saimin Nidarson - Jan 11, 2017, 12:01 AM
Some news of Day
Saimin Nidarson - Jan 7, 2017, 12:01 AM
News 2017 CES
Saimin Nidarson - Jan 6, 2017, 12:01 AM






botimage
Copyright 2017 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki