Gmail Hacking Tool: it’s time to be more careful

August 20th, 2008
By JOE WINDISH, Technology Editor


Gmail has some new security features. Hacking Truths tells us it’s time to use them:

A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas.

Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only for authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks.

When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.

Even though when you log in, Gmail forces the authentication over SSL (Secure Sockets Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SSL connections are slower.

To permanently switch on SSL log on to your GMail account, click on Settings at the upper right corner of the page. The last choice at the bottom of the Settings page is ‘Browser Connection’. Choose ‘Always use https.’
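What the tool described above relies on, as an added example that is not part of the post and is not Perry’s code: the passive half of a session-cookie thief (pull the session ID out of plaintext HTTP requests) next to the client-side rule that would have kept the cookie off the wire in the first place, the cookie’s Secure attribute. The capture, the cookie name `SID`, the host `mail.example.com` and the session value are all constructed for the illustration.

```python
"""Session-cookie theft over plaintext HTTP, and what the Secure attribute changes.

Added example, not from the post and not Mike Perry's tool. The capture,
the cookie name "SID", the host mail.example.com and the session value
are constructed for this illustration.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "mail.example.com"          # hypothetical mail host
COOKIE_NAME = "SID"                # hypothetical session cookie name
SESSION_VALUE = "abc123sessiontoken"

# Constructed capture: two requests a browser sends in the clear once the
# (encrypted) login has redirected it back to http://. Anyone on the same
# network segment or wireless LAN can read these bytes.
CAPTURE = b"\r\n".join([
    b"GET /mail/?ui=2 HTTP/1.1",
    b"Host: mail.example.com",
    b"Cookie: SID=abc123sessiontoken; LOCALE=en",
    b"",
    b"GET /mail/?view=cv HTTP/1.1",
    b"Host: mail.example.com",
    b"Cookie: SID=abc123sessiontoken",
    b"",
    b"",
])


def sniff_session_ids(capture: bytes, cookie_name: str = COOKIE_NAME) -> set:
    """Passive side: every value of cookie_name seen in Cookie headers of a plaintext capture."""
    found = set()
    for line in capture.splitlines():
        if not line.lower().startswith(b"cookie:"):
            continue
        for pair in line.split(b":", 1)[1].split(b";"):
            name, _, value = pair.strip().partition(b"=")
            if name == cookie_name.encode():
                found.add(value.decode())
    return found


def make_session_cookie(secure: bool, value: str = SESSION_VALUE) -> Cookie:
    """A Netscape-style session cookie for HOST, with or without the Secure attribute."""
    return Cookie(
        version=0, name=COOKIE_NAME, value=value,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(cookie: Cookie, url: str):
    """What a standards-following client attaches to a request for url.

    Returns the Cookie header value, or None when the jar withholds the cookie
    (the stdlib jar never sends a Secure cookie over http://).
    """
    jar = CookieJar()
    jar.set_cookie(cookie)
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def demo() -> dict:
    """Run the sniffer over the capture and compare a plain cookie with a Secure one."""
    http_url = f"http://{HOST}/mail/"
    https_url = f"https://{HOST}/mail/"
    return {
        "stolen_ids": sniff_session_ids(CAPTURE),
        "plain_cookie_over_http": cookie_header_for(make_session_cookie(False), http_url),
        "secure_cookie_over_http": cookie_header_for(make_session_cookie(True), http_url),
        "secure_cookie_over_https": cookie_header_for(make_session_cookie(True), https_url),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The two halves make different points. The ‘Always use https’ setting keeps the browser from choosing plaintext URLs for the mail site; the Secure attribute on the cookie keeps the session ID off plaintext requests even when something else (a link, an embedded image, a redirect) makes the browser fetch an `http://` URL on that host. A site that wants the setting to mean anything against a sniffer needs both.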

The Official GMail Blog describes this as a ‘feature’ for making security easier. The Industry Standard points out that since Perry notified Google about this situation over a year ago, it’s really a fix:

Gmail is a perpetual beta, but should still bear some responsibility for its users’ security. If they really did have a year to issue a fix, and left it to an optional “feature” with no explanation to their users, they’ve pushed that responsibility back to their users without even a basic explanation of the protection it provides. If you click the “learn more” link, the text provided by Google actually sounds like it’s discouraging users from enabling the feature.

Another Google feature lets you know if your account is signed in at another location. If you click the “details” button next to the message, you’ll see the Internet address of other computers signed in to your account. You can click “Sign out all other sessions” to remotely sign them out.
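The server-side shape of that feature, as an added example that is not Google’s implementation: a minimal session registry that records the addresses each session ID has been used from, produces the ‘details’ list for an account, and implements ‘Sign out all other sessions’. It also shows the caveat a practitioner would want: a replayed cookie is the *same* session, so signing out the others does not evict whoever stole it; only ending your own session does. All session IDs, accounts and addresses are constructed.

```python
"""Server-side view of "signed in at another location".

Added example, not Google's implementation. Accounts, addresses and the
timeline in hijack_scenario() are constructed for the illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


def _fingerprint(session_id: str) -> str:
    """Store only a hash of the ID so a leaked registry does not hand out live sessions."""
    return hashlib.sha256(session_id.encode()).hexdigest()


@dataclass
class SessionRecord:
    account: str
    addresses: dict = field(default_factory=dict)   # remote address -> last seen (epoch seconds)


class SessionRegistry:
    def __init__(self):
        self._sessions = {}   # fingerprint -> SessionRecord

    def login(self, account: str, remote_addr: str, now: int) -> str:
        """Issue a fresh, unguessable session ID and record where it was first used."""
        sid = secrets.token_urlsafe(32)
        self._sessions[_fingerprint(sid)] = SessionRecord(account, {remote_addr: now})
        return sid

    def touch(self, sid: str, remote_addr: str, now: int) -> bool:
        """Called on every request. Returns False when the session is no longer live."""
        rec = self._sessions.get(_fingerprint(sid))
        if rec is None:
            return False
        rec.addresses[remote_addr] = now
        return True

    def activity(self, sid: str) -> list:
        """The 'details' view: (address, last_seen, is_this_session) for every live
        session of the same account. A stolen cookie replayed from elsewhere shows up
        as a second address on *this* session, not as a separate one."""
        fp = _fingerprint(sid)
        me = self._sessions.get(fp)
        if me is None:
            return []
        rows = []
        for f, rec in self._sessions.items():
            if rec.account != me.account:
                continue
            rows.extend((addr, seen, f == fp) for addr, seen in rec.addresses.items())
        return sorted(rows)

    def sign_out_others(self, sid: str) -> int:
        """'Sign out all other sessions': revoke every other session ID for this account."""
        fp = _fingerprint(sid)
        me = self._sessions.get(fp)
        if me is None:
            return 0
        doomed = [f for f, r in self._sessions.items() if f != fp and r.account == me.account]
        for f in doomed:
            del self._sessions[f]
        return len(doomed)

    def sign_out(self, sid: str) -> bool:
        """The ordinary sign-out button: invalidates this session ID server-side."""
        return self._sessions.pop(_fingerprint(sid), None) is not None


def hijack_scenario() -> dict:
    """Constructed timeline: the victim is logged in at home and at work; an attacker
    replays the sniffed home cookie from a third address."""
    reg = SessionRegistry()
    home = reg.login("victim@example.com", "198.51.100.7", now=1000)
    work = reg.login("victim@example.com", "192.0.2.20", now=1100)
    reg.touch(home, "203.0.113.9", now=1200)            # attacker replays the home cookie
    seen = reg.activity(home)                            # the attacker's address is visible
    revoked = reg.sign_out_others(home)                  # kills the work session only
    attacker_still_in = reg.touch(home, "203.0.113.9", now=1300)
    reg.sign_out(home)                                   # only this ends the replayed session
    attacker_after = reg.touch(home, "203.0.113.9", now=1400)
    return {
        "addresses_seen": [addr for addr, _, _ in seen],
        "revoked_by_sign_out_others": revoked,
        "attacker_in_after_sign_out_others": attacker_still_in,
        "attacker_in_after_sign_out": attacker_after,
        "work_session_alive": reg.touch(work, "192.0.2.20", now=1400),
    }


if __name__ == "__main__":
    for key, val in hijack_scenario().items():
        print(f"{key}: {val}")
```

The design choice worth noticing is the address list per session rather than per account: that is what lets the ‘details’ view show an unfamiliar address even when the intruder is riding your own cookie, and it is why the remedy in that case is signing out (or rotating the session ID), not just signing out the others.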

LATER: In comments, Jazz advises that if you use the Gmail Notifier, using https cuts it off.


This entry was posted on Wednesday, August 20th, 2008 at 10:47 am and is filed under Technology, Computers.
