
Gmail Hacking Tool: it’s time to be more careful

Gmail has some new security features. Hacking Truths tells us it’s time to use them:

A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas.

Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not only authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks.

When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.

Even though Gmail forces the authentication over SSL (Secure Sockets Layer) when you log in, you are not secure, because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SSL connections are slower.

To permanently switch on SSL, log on to your GMail account and click on Settings at the upper right corner of the page. The last choice at the bottom of the Settings page is ‘Browser Connection’. Choose ‘Always use https.’
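The cookie behaviour described above is something a site operator can check for directly. As an added example that is not part of the original post or of Google's code, the Python below parses Set-Cookie headers (constructed sample lines, not captured Gmail traffic) and reports session-looking cookies that lack the Secure attribute, the property that lets a browser attach the session ID to plain HTTP requests; the name hints it uses are an assumption for this example.

```python
# Added example, not from the original post: audit Set-Cookie headers for
# session cookies a browser would send over plain HTTP (no Secure attribute).
# Cookie names and header lines are constructed sample values, not real traffic.

# Constructed sample response headers: one session cookie without Secure,
# one preference cookie, and one session cookie correctly marked Secure.
SAMPLE_HEADERS = [
    "Set-Cookie: SID=abc123; Path=/; HttpOnly",
    "Set-Cookie: PREF=lang=en; Path=/",
    "Set-Cookie: SSID=def456; Path=/; Secure; HttpOnly",
]

# Substrings that usually mark a cookie carrying authentication state
# (an assumption for this example, not a standard).
SESSION_NAME_HINTS = ("sid", "session", "auth", "token")


def parse_set_cookie(header_line):
    """Return (cookie_name, set_of_lowercased_attribute_names) for one header."""
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def find_exposed_session_cookies(header_lines):
    """Return names of likely session cookies that lack the Secure attribute.

    Without Secure the browser sends the cookie on every http:// request to
    the site, so the session ID is readable by anyone on the network path.
    Forcing HTTPS site-wide is the fix the post describes; marking the cookie
    Secure is the server-side counterpart that keeps it off plaintext links.
    """
    exposed = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
        if looks_like_session and "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for cookie in find_exposed_session_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: session cookie without Secure; it will be sent over HTTP")
```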

The Official GMail Blog describes this as a ‘feature’ for making security easier. The Industry Standard points out that since Perry notified Google about this situation over a year ago, it’s really a fix:

Gmail is a perpetual beta, but should still bear some responsibility for its users’ security. If they really did have a year to issue a fix, and left it to an optional “feature” with no explanation to their users, they’ve pushed that responsibility back to their users without even a basic explanation of the protection it provides. If you click the “learn more” link, the text provided by Google actually sounds like it’s discouraging users from enabling the feature.

Another Google feature lets you know if your account is signed in at another location. If you click the “details” button next to the message, you’ll see the Internet address of other computers signed in to your account. You can click “Sign out all other sessions” to remotely sign them out.

LATER: In comments, Jazz advises that if you use the g-mail notifier, using https cuts it off.

  • Good tip. I just turned it on for my accounts!
  • Just an advisory... if you turn on the always use https function and you happen to use the g-mail notifier (as I do) it immediately cuts off your notifier and it can no longer check your mail for you. I'm going to have to give this some thought.
  • Marlowecan
    Yes, an excellent post. Thank you, Joe.

    The GMail people are very bad at communicating with their users.

    Note, for example, the issue of GMail crashing the browser. There seems to have been a change in the GMail code a few weeks back, which causes those who repeatedly press certain keys (it seems the Delete key and Cutting Text may be integral) to crash the entire browser.

    There has been a lot of discussion about this issue, but no response from the Gmail people.
  • Holly_in_Cincinnati
    Thanks Jazz, I discovered the same thing and eliminated the Notifier.
  • Lynx
    Thanks for the tip Jazz, I've secured mine.
  • Pete Abel
    Ditto here. Very good tip, and activated for me, as well.
  • Protect_Yourself
    If you're having problems getting SSL enabled in Gmail, try the guide at http://dotdoh.com/?p=262
© 2005-2009 The Moderate Voice