Tuesday, August 19, 2008

Your GMAIL might be insecure!

According to this post [ref: ./], your gmail account credentials can be hijacked if you do NOT enable HTTPS for all transactions with gmail.

So go to your Gmail Settings page now, scroll all the way down, and choose "Always use https" in the "Browser connection:" setting.

Click "Save Changes", sigh, get back to email :).

To drive the point home, here is the text of this comment on /. (Slashdot):

Unless you SET THE PREFERENCE, you are insecure, even if you MANUALLY type in https://mail.google.com/ [google.com] always.

Because unless you SET THE PREFERENCE, google does NOT set the session cookie to be SECURE.

This is what Mike Perry's tool does: it takes any of your OTHER connections, redirects it to http://mail.google.com/ [google.com] so your browser spits out the session cookie anyway, and then can redirect you back (so you don't know what happened).

Google's SSL mode for gmail, UNLESS YOU SET THE PREFERENCE, offers you NO protection against an active adversary. And since someone snooping your traffic at Starbucks can just as easily inject packets, IT OFFERS NO PROTECTION EVEN IF YOU MANUALLY TYPE IN HTTPS ALL THE TIME, UNLESS YOU SET THE PREFERENCE!!!!
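The mechanism the quoted comment describes comes down to one cookie attribute. The following is an added example, not code from the original post and not Google's code: a small model of the browser-side rule that decides which cookies ride along on a request. Without the `Secure` attribute, a session cookie is attached to a plain `http://mail.google.com/` request, which is exactly what an injected redirect provokes; with the attribute set, the same request carries nothing. The Set-Cookie headers, the cookie name `session_id` and its value are constructed for the example; the model ignores Path and expiry, and the Set-Cookie flag names here are the standard ones rather than anything captured from Gmail.

```python
"""
Added example (not from the original post, not Google's code): a simplified
model of how a browser decides which cookies to attach to a request, used to
show why a session cookie lacking the `Secure` attribute is sent over plain
http:// even for a user who always types https://.
The Set-Cookie headers, cookie name and value below are constructed.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # host this cookie is scoped to (leading dot removed)
    secure: bool     # True only when the Set-Cookie header carried "Secure"
    http_only: bool


def parse_set_cookie(header: str, default_domain: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; attr; attr=value ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(),
                    domain=default_domain.lower(), secure=False, http_only=False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain":
            cookie.domain = val.strip().lstrip(".").lower()
    return cookie


def cookies_sent_for(url: str, jar: List[Cookie]) -> List[str]:
    """Names of the jar cookies a browser would attach to a request for url.

    Two rules are modelled: the request host must equal the cookie's domain or
    be a subdomain of it, and a cookie marked Secure goes out over https only.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    is_https = parts.scheme == "https"
    sent = []
    for c in jar:
        domain_ok = host == c.domain or host.endswith("." + c.domain)
        if domain_ok and (is_https or not c.secure):
            sent.append(c.name)
    return sent


def insecure_session_cookies(jar: List[Cookie]) -> List[str]:
    """Defender-side check: cookies that a plain-http request would expose."""
    return [c.name for c in jar if not c.secure]


# Constructed headers for the two configurations the post contrasts.
# "session_id" and its value are made up; they are not Gmail's real cookie.
DEFAULT_HEADERS = [
    "session_id=constructed-token; Domain=.google.com; Path=/; HttpOnly",
]
ALWAYS_HTTPS_HEADERS = [
    "session_id=constructed-token; Domain=.google.com; Path=/; Secure; HttpOnly",
]


def build_jar(headers: List[str]) -> List[Cookie]:
    """Turn a list of Set-Cookie header values into a cookie jar."""
    return [parse_set_cookie(h, "mail.google.com") for h in headers]


if __name__ == "__main__":
    for label, headers in (("default", DEFAULT_HEADERS),
                           ("always-https", ALWAYS_HTTPS_HEADERS)):
        jar = build_jar(headers)
        # What the browser would send if it were redirected to the http:// URL.
        print(f"{label:13} http://  -> {cookies_sent_for('http://mail.google.com/', jar) or 'nothing'}")
        print(f"{label:13} https:// -> {cookies_sent_for('https://mail.google.com/', jar)}")
        print(f"{label:13} exposed  -> {insecure_session_cookies(jar) or 'none'}")
```

Running it prints that the default jar hands `session_id` to the http:// request while the always-https jar hands it to nothing but the https:// request. The `insecure_session_cookies` check is the part worth reusing: point it at the Set-Cookie headers of any site you log in to, and any session cookie it lists is one a plain-http request would reveal.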


What are you waiting for, go secure your gmail!
:-).

6 comments:

  1. thanks for the tip

  2. Alternatively, use Thunderbird: It has SSL enabled for all transactions with gmail. :)
    Instructions at http://mail.google.com/support/bin/answer.py?answer=86399

  3. Anonymous, 11:17 PM

    on :-). the '.' almost looks like a side dimple. Very cute.
    and of course, thanks for the info.

  4. Anonymous, 7:48 AM

    Awesome! Thanks, Animesh. :)

  5. Anonymous, 3:31 AM

    What you say is incorrect. That option is set so as to protect the contents of the emails you send. Your credentials cannot be stolen notwithstanding that setting. When you log in to gmail (or any google account for that matter) the connection is a secure https connection. (Even if you type http it will change to https.)

    Of course anyone can see the sensitive matter sent in your email but definitely not your credentials (password, id). What you suggest is that google had been careless in handling millions of credential info. This is plain stupid. (Agreed that they may have bugs, but they are not stupid enough to not use SSL for login.)

    Even if you set that option others may read your email at any other end. For example, you send a mail to a Yahoo id. The contents can be intercepted by others when your friend accesses his mail, since Yahoo also is not using SSL for mails. (Note that Yahoo too uses SSL for login.)

  6. @barathi: What you said is what I used to believe, and indeed, your email can surely be intercepted if someone controls the routers over which the message travels between gmail's servers and yahoo's servers.

    What the article I linked to claims [which apparently you didn't read] is that someone sitting next to you at Starbucks can use his computer to access your inbox.

    My suggestion -- read the article. After that, if you don't feel like, don't enable https :).

    -A
    P.S. I didn't say "stolen", I said "hijacked". But why steal your gmail password if I can log in as _you_ without a password?
