Gmail has some new security features. Hacking Truths tells us it’s time to use them:
A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas.
Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only, authentication. Users who did not turn it on now have a serious reason to do so as Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks.
When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.
Even though when you log in, Gmail forces the authentication over SSL (secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.
To permanently switch on SSL log on to your GMail account, click on Settings at the upper right corner of the page. The last choice at the bottom of the Settings page is ‘Browser Connection’. Choose ‘Always use https.’
The Official GMail Blog describes this as a ‘feature’ for making security easier. The Industry Standard points out that since Perry notified Google about this situation over a year ago, it’s really a fix:
Gmail is a perpetual beta, but should still bear some responsibility for its users’ security. If they really did have a year to issue a fix, and left it to an optional “feature” with no explanation to their users, they’ve pushed that responsibility back to their users without even a basic explanation of the protection it provides. If you click the “learn more” link, the text provided by Google actually sounds like it’s discouraging users from enabling the feature.
Another Google feature lets you know if your account is signed in at another location. If you click the “details” button next to the message, you’ll see the Internet address of other computers signed in to your account. You can click “Sign out all other sessions” to remotely sign them out.
LATER: In comments, Jazz advises that if you use the g-mail notifier, using https cuts it off.