Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

A Good Reason To Go Full-Time SSL For Gmail

timothy posted about 6 years ago | from the oh-that-hurts dept.

Security 530

Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."

cancel ×

530 comments

Sorry! There are no comments related to the filter you selected.

Good thing Slashdot is safe... (5, Funny)

Anonymous Coward | about 6 years ago | (#24659201)

Or else someone could hijack my accBILL GATS SI TEH DEVLI!!!!!!!!!

Re:Good thing Slashdot is safe... (0)

Anonymous Coward | about 6 years ago | (#24659245)

All your AC post are belong to us.

Just for Google? (5, Insightful)

Toe, The (545098) | about 6 years ago | (#24659235)

Is there any reason to not use SSL every time one sends a password?

Unfortunately, the general public still seems entirely uneducated about SSL, figuring that passwords must be secure because they appear as bullets on the screen, right?

Re:Just for Google? (4, Informative)

SCHecklerX (229973) | about 6 years ago | (#24659269)

Like when you read slashdot?

Re:Just for Google? (4, Informative)

HungryHobo (1314109) | about 6 years ago | (#24659287)

The password is sent over SSL, the problem is that it will happily send your cookie over HTTP which is for all intensive purposes just as good as a password.

Re:Just for Google? (5, Informative)

caramelcarrot (778148) | about 6 years ago | (#24659435)

After me, say it slowly: intents and purposes That way it actually makes sense.

Re:Just for Google? (0, Offtopic)

mrchaotica (681592) | about 6 years ago | (#24659627)

It also actually makes sense if you use a period when you want to end your sentence. ; )

Also -- and this is just a stylistic suggestion, not an error -- if you really want him to say it, you should put quotation marks around "intents and purposes."

Re:Just for Google? (1, Interesting)

Anonymous Coward | about 6 years ago | (#24659681)

I know this is being pedantic, but you are missing a period after the quote or you should have moved it outside the quotes. The urge is too strong since you seem to be so happy harping on missing periods...

Re:Just for Google? (0)

Anonymous Coward | about 6 years ago | (#24659791)

Nope. If a sentence ends with a quote, the punctuation goes inside the closing quote. It doesn't always make a lot of sense to me, but them's the rules...

Re:Just for Google? (3, Informative)

cromar (1103585) | about 6 years ago | (#24660011)

Apparently this is not true everywhere (e.g. Great Britain).

Re:Just for Google? (5, Funny)

Hordeking (1237940) | about 6 years ago | (#24659909)

I know this is being pedantic, but you are missing a period after the quote or you should have moved it outside the quotes. The urge is too strong since you seem to be so happy harping on missing periods...

My girlfriend has been missing her period. Should I be worried?

Re:Just for Google? (2, Informative)

caramelcarrot (778148) | about 6 years ago | (#24660009)

That was slashcode fucking up my formatting. It was more obvious when I had line breaks. In addition, I'm aware that making corrections to people's posts causes everyone to immediately jump on your small errors, but actually writing "itensive purposes" is just irritating.

Re:Just for Google? (5, Funny)

Kozar_The_Malignant (738483) | about 6 years ago | (#24659751)

It's not "in tents with porpoises?" I thought it was about cetacean hentai.

Re:Just for Google? (1, Funny)

tomcode (261182) | about 6 years ago | (#24660025)

Irregardless, hackers do work with all intensive purposes, so the price free information is internal vigilance.

Ow ow ow. (4, Insightful)

zippthorne (748122) | about 6 years ago | (#24659437)

all intensive purposes

Is this the road we're going down? Pseudo-homophones of idiomatic phrases?

Yeah, yeah, grammar pedantry is bad. Nevertheless, this stuff hurts to read.

Re:Ow ow ow. (1, Interesting)

Anonymous Coward | about 6 years ago | (#24659517)

People usually treat phrases as words and don't really pay attention to their origin or what the individual parts of the phrase mean.

Re:Ow ow ow. (1)

MightyYar (622222) | about 6 years ago | (#24659841)

There should still be some part of a person's brain that stops and says, "That doesn't make any sense..." when the write something like that.

I guess for some people speaking == writing. You could probably get away with saying "intensive purposes" and no one would blink.

Re:Ow ow ow. (5, Funny)

dat cwazy wabbit (1147827) | about 6 years ago | (#24659565)

I could of died when I saw that.

Re:Ow ow ow. (1)

greysunrise (1261960) | about 6 years ago | (#24659827)

There you are, I was wondering when the insightful and informative moderators were going to let the funny mod out of the closet.

Re:Ow ow ow. (1, Funny)

toby (759) | about 6 years ago | (#24659833)

could have

Yeah, yeah, grammar pedantry is bad. Nevertheless, this stuff hurts to read.

Re:Ow ow ow. (4, Funny)

cetan (61150) | about 6 years ago | (#24659609)

Most people "could care less."

Which hurts on many levels...

Re:Ow ow ow. (0)

Anonymous Coward | about 6 years ago | (#24659675)

To any americans who went "Ow" when reading that. That's exactly how I feel reading the bastardised english you use.

Re:Ow ow ow. (1)

pohl (872) | about 6 years ago | (#24659783)

Just floating a unlikely hypothesis here, but could it be that cetan's use of a well-known pseudo-homophone of an idiomatic phrase, in a thread on that very subject, might be intentional?

Re:Ow ow ow. (1)

DragonWriter (970822) | about 6 years ago | (#24659803)

Most people "could care less."

Which hurts on many levels...

Why? It's simply the milder form of "I couldn't [possibly] care less [about anythign else than I do about the issue at hand]."; that is, "I could [in theory] care less [about something else than I do about the issue at hand, but in fact I do not]."

Re:Ow ow ow. (1)

clone53421 (1310749) | about 6 years ago | (#24660007)

Actually, if I ever say "I could care less" I've put nowhere near that much consideration into it. I'm simply being sarcastic.

I must admit, though, that it puzzles me how the pedants yell when someone says that. If we're truly interested in being pedantic, then technically (in theory, as you pointed out) I could care less. "Practically speaking I realise it's nearly impossible, but there's always the theoretical situation which I could indeed care less about than this current one."

Re:Ow ow ow. (5, Funny)

Hoi Polloi (522990) | about 6 years ago | (#24659621)

Its a waist of time to corect peoples gramar and speling. Your simply not going to brake there bad habits irregardless of how you feal.

Re:Ow ow ow. (5, Funny)

Lostlander (1219708) | about 6 years ago | (#24659703)

It burns us! Nasty tricksy, little hobbitses.

Re:Ow ow ow. (0)

Anonymous Coward | about 6 years ago | (#24659933)

I know it's a joke, but that just hurt to read.

Re:Ow ow ow. (0)

Anonymous Coward | about 6 years ago | (#24659999)

you misspelled "tiem"

Re:Ow ow ow. (1, Insightful)

Anonymous Coward | about 6 years ago | (#24659715)

It might help if you had said that the correct phrase is "for all intents and purposes" instead of being an asshole and mocking/ridiculing the GP.

My story: I had always heard people say "for all intensive purposes," so that's what I said and wrote from as early as I can remember to somewhere around age 20 when I finally saw the phrase in print for the first time. The sad part: nobody ever bothered to correct me.

Everybody has to learn somewhere. Don't assume everyone first encountered the phrase the same way you did.

READING helps (1)

toby (759) | about 6 years ago | (#24659923)

Grammar and spelling suffer as a result of a TV-centric culture. Reading better writers will always improve a writer's style and correctness. (Watching less TV is always healthier for the personality and brain anyway.)

Re:Ow ow ow. (0, Flamebait)

Spad (470073) | about 6 years ago | (#24659899)

I could care less about your grammar Nazism.

Re:Ow ow ow. (1)

TyZone (555958) | about 6 years ago | (#24659939)

And ending sentences with prepositions. That's something up with which I won't put!

Re:Ow ow ow. (1)

spacefiddle (620205) | about 6 years ago | (#24660021)

Is this the road we're going down? Pseudo-homophones of idiomatic phrases?

We've been barreling down that highway for a while now. Choose any MMO and listen for a bit...

Re:Just for Google? (3, Interesting)

clone53421 (1310749) | about 6 years ago | (#24659475)

Not quite ALL intents and purposes. If I want to change my password, I still need to know my current password. Although somebody who steals my SID can read my mail they can't change my password and lock me out.

Re:Just for Google? (1)

profplump (309017) | about 6 years ago | (#24660039)

And there is (presumably) some upper limit for how long the SID will work. And there may be other actions that invalidate the SID sooner, such as logging in again. And there's essentially no possibility that the same SID will let you log into other sites.

Re:Just for Google? (0)

Anonymous Coward | about 6 years ago | (#24659553)

What are "intensive purposes"? Are they the kind that you have to try really hard to feel purposeful about?

Re:Just for Google? (5, Informative)

Spad (470073) | about 6 years ago | (#24659307)

Gmail always uses SSL for logins.

Previously if you wanted to maintain SSL for the whole session you had to login via https://mail.google.com/ [google.com] otherwise it dropped back to http after login. Now you can set it to always use SSL regardless of the URL you visit it from.

But it was NOT secure... (2, Informative)

nweaver (113078) | about 6 years ago | (#24659537)

Until Google added the option, it never actually set the GX cookie as secure, so you could do an active-hijack of any OTHER connection they make so that it does a redirect to http://mail.google.com/ [google.com] and spits out the cookie in the clear for the attacker to capture.

Re:But it was NOT secure... (1, Interesting)

Anonymous Coward | about 6 years ago | (#24659735)

isnt gmail the only webmail provider that offers this? Why are you not complaining about hotmail, yahoo, etc.

Re:But it was NOT secure... (5, Funny)

howdoesth (1132949) | about 6 years ago | (#24659835)

Everyone knows hotmail is evil and yahoo is irrelevant.

Re:Just for Google? (1)

aliquis (678370) | about 6 years ago | (#24659797)

Yeah, because not using encryption the whole time in the first place made so much sense!

I can't understand how people argue. Same with people who say they don't "need" encryption, gpg or whatever. What's the benefit of not having it (except in gpgs case user convenience I guess)?

Re:Just for Google? (1)

bigstrat2003 (1058574) | about 6 years ago | (#24659953)

Even if it takes a miniscule amount of effort to encrypt my stuff, as long as the benefit to me is 0 (which is in my sole estimation, not yours), the cost:benefit ratio is infinitely big. That isn't worth it.

Re:Just for Google? (4, Informative)

Timothy Brownawell (627747) | about 6 years ago | (#24659351)

Is there any reason to not use SSL every time one sends a password?

Firefox 3, and I think other newer browsers, lie to people by strongly implying that HTTPS with self-signed certificates is far more dangerous than bare unencrypted HTTP.

Re:Just for Google? (1)

HungryHobo (1314109) | about 6 years ago | (#24659799)

while in reality self-signed certificates are fairly worthless and just as open to man in the middle attacks as plaintext.Best they do is prevent extremely casual snooping and these days with more and more wireless networks around and people being use to just connecting to the net we have to assume that the local DNS is NEVER secure. Self-signed certificates give people the belief that they're secure unless they are told in the strongest possible terms by their browser that they are not really on a secure connection.

Re:Just for Google? (5, Insightful)

Zironic (1112127) | about 6 years ago | (#24659821)

They don't lie, they assume that if a site is self-signed it has been hijacked which is very resonable, if my bank suddenly changed to self-signed I'd want a proper warning.

Re:Just for Google? (1)

Timothy Brownawell (627747) | about 6 years ago | (#24659965)

They don't lie, they assume that if a site is self-signed it has been hijacked which is very resonable, if my bank suddenly changed to self-signed I'd want a proper warning.

So do like SSH does, and complain if the cert changes. This would also protect against someone conning a CA into giving out bogus certs.

Re:Just for Google? (1)

MightyYar (622222) | about 6 years ago | (#24659897)

Depending on the situation, it CAN be more dangerous. I'm much less likely to share sensitive information over a plain http connection. If I see the little lock and I haven't been warned, I get all warm and fuzzy that I'm actually talking to my bank. If I go to Bank of America and get a self-signed warning, I know something is afoot.

Re:Just for Google? (1)

Timothy Brownawell (627747) | about 6 years ago | (#24660031)

Depending on the situation, it CAN be more dangerous. I'm much less likely to share sensitive information over a plain http connection. If I see the little lock and I haven't been warned, I get all warm and fuzzy that I'm actually talking to my bank. If I go to Bank of America and get a self-signed warning, I know something is afoot.

So either don't show the lock, or just don't color the address bar. I'm not saying it should be treated the same as a CA-signed cert, just that treating it as worse than unencrypted is bad. If you go to Bank of America and there's no lock or colored address bar, does that also tell you something is afoot? Or could someone phish you with a fake over plain http?

Re:Just for Google? (1)

Thiez (1281866) | about 6 years ago | (#24659945)

No they don't. Certificates are not just for encryption, they also identify a website as being 'the real thing'*. If you accept self-signed certificates you can be MITM'ed. Browsers like FF3 inform you that this could be happening. Most companies that require encryption for their website can easily afford a certificate.

* This doesn't really work in practice since some of the companies that issue certificates don't bother to check if the one who requests the certificate owns the website.

Re:Just for Google? (0)

Anonymous Coward | about 6 years ago | (#24659443)

Unfortunately, the general public still seems entirely uneducated about SSL

Unfortunately, some ISPs also seem entirely uneducated about SSL.

Telus, a Canadian ISP, advertised their webmail as a "safe and secure way to access your email from anywhere". Until very recently Telus passes the userid and password for webmail over the networki as clear-text.

What a bunch of maroons!

Re:Just for Google? (1)

denis-The-menace (471988) | about 6 years ago | (#24659599)

I don't know about Rogers' webmail (it's outsourced to Yahoo) but their DNS servers are still vulnerable to the DNS security issue that was plastered in the news a few weeks ago.

I guess non-maroons are a minority.

Re:Just for Google? (1)

jacquesm (154384) | about 6 years ago | (#24659717)

I have a feeling that won't last much longer ;)

Re:Just for Google? (2, Interesting)

Loki_1929 (550940) | about 6 years ago | (#24659601)

There's a sizable portion of the general public that doesn't want to be bothered having to remember any passwords for anything. They simply want to click a button and have it work.

You'd have better luck explaining the security implications of such a system to a chimp.

Re:Just for Google? (1)

Red Flayer (890720) | about 6 years ago | (#24659947)

You'd have better luck explaining the security implications of such a system to a chimp.

That's only because my great-aunt Edna has a larger stock of feces to throw at me than the typical monkey.

Re:Just for Google? (5, Insightful)

HungryHobo (1314109) | about 6 years ago | (#24659963)

God, I've had some insane conversations with retarded people.

*me**: You know doing what you're doing is terribly terribly insecure, someone might get into your email account!
*Him*: .... ah well, it's not like there's anything important in there. I mean what are they gonna do, email someone in my name?
*me**: ....You have a paypal account right?
*Him*: Ya...
*me**: And it's linked to your email account right?
*Him*: Ya...
*me**: And if you forget your paypal password you can have them send you an email to change it right?
*Him*: Ya....
*me**: And your credit card is linked to your paypal account isn't it?
*Him*: Hmmm...
*me**: So someone with access to your mail account could get hold of your paypal and run up some insane charges buying horse porn.
*Him*: Oh....

It's depressing how people will set up accounts with things like paypal, link them to their email and then dismiss anything about security since "sure my email isn't that important"

Re:Just for Google? (0)

Anonymous Coward | about 6 years ago | (#24659763)

The important information is to enable SSL in the GMail preferences. Then GMail marks the cookie "SSL only". If you just use the HTTPS-URL, the cookie will be sent to HTTP-URLs as well. All an attacker needs to do is launch a MITM attack against you (trivial to do on an open wireless hotspot network,) embed an item with a GMail HTTP URL in a different unencrypted webpage and read the cookie which your browser will send unencrypted with the request for that item.

New feature? I've been using for ages. (0)

whoever57 (658626) | about 6 years ago | (#24659253)

The capability to access Gmail over SSL is not new. Perhaps not too many people know about it, but that does not make it new.

Re:New feature? I've been using for ages. (1)

gnick (1211984) | about 6 years ago | (#24659319)

Indeed the feature is not new, but it may be unknown to many of gmail's users. The news here, I think, is not that you can use SSL with gmail, but that if you don't you're effectively pwned.

Re:New feature? I've been using for ages. (0)

Anonymous Coward | about 6 years ago | (#24659387)

That was true before, too - at least as long as the attacker is actually able to eavesdrop on your traffic to/from GMail. In fact, if you think about it for even a moment, it's trivial in that case, and that's just why things like SSL were invented in the first place.

FWIW, this tool isn't anything fundamentally new, either: you still need to be able to eavesdrop on someone's traffic in order to do anything.

Given that, the only real news here is that instead of rolling your own scripts, you now have an automated tool that even script kiddies can use.

Breaking news it ain't exactly.

Re:New feature? I've been using for ages. (1)

gnick (1211984) | about 6 years ago | (#24659775)

Given that, the only real news here is that instead of rolling your own scripts, you now have an automated tool that even script kiddies can use.

Breaking news it ain't exactly.

Actually, I consider that pretty major news. There are a helluva lot more script kiddies out there than there experienced black-hats - All eager to show off their l33t skills by "hacking" someone's account and wreaking havoc. If an experienced black-hat cracks my gmail account, most likely he'll see that there's nothing of value there and move on. Worst case, my account becomes part of an army of spam-bots.

If some junior-high kid downloads this script and cracks my gmail account, most likely I'll wind up signing us as a MySpace troll, my contacts will get obscene mail from me, I'll be registered to every damn thing on the net that requires only a valid e-mail to sign up for, etc.

And, considering that the odds of one of the gazillion script-kiddies running this script get access to an account are a so much higher than one of the (gazillion/100k) actual black-hats getting it, this is likely to inconvenience a lot more people than are being exploited right now.

Why would google not enable SSL by default?

Re:New feature? I've been using for ages. (1)

The Iso (1088207) | about 6 years ago | (#24659345)

The new feature is to have Gmail use SSL automatically, even if you don't log in from https://mail.google.com./ [mail.google.com]

Re:New feature? I've been using for ages. (1)

De Lemming (227104) | about 6 years ago | (#24659385)

I've always used it too. The trick in the past was using "https://mail.google.com/" instead of "http://mail.google.com/" to connect to Gmail.

But now there is an option in Settings - General, "Browser connection: Always use https". I've never seen it before (but maybe it's there for some time already).

3 clicks (5, Informative)

pebcak (773787) | about 6 years ago | (#24659279)

Once you're signed into Gmail: Settings -> Always use https -> Save changes

Re:3 clicks (0)

Anonymous Coward | about 6 years ago | (#24659417)

That is exactly what I was looking for, Thank You!

Re:3 clicks (0)

Anonymous Coward | about 6 years ago | (#24659483)

me 2, couldn't find it. Thx!

Re:3 clicks (0)

Anonymous Coward | about 6 years ago | (#24659577)

At least as of a few minutes ago, this option is not available for anybody using Google to host their domains email. (a.k.a. Google Apps).

Re:3 clicks (2, Informative)

Loether (769074) | about 6 years ago | (#24659603)

I'm admin for a few domains that use gmail apps. None of mine have that option yet. It may be a rolling update.?

Re:3 clicks (1)

clone53421 (1310749) | about 6 years ago | (#24659683)

That's actually pretty typical. I use an e-mail address on such a domain and I've noticed this in the past. Typically the updates take a while to get to the hosted domains.

In the meantime, I think I'm going to use the info I gleaned here and use the https: address to keep my connection secured throughout my sessions... although I wonder if the exploit wouldn't work if I just didn't use the 'remember me' feature. Firefox remembers my password, so the 'remember me' isn't necessary anyway.

Re:3 clicks (2, Informative)

pz (113803) | about 6 years ago | (#24660027)

Once you're signed into Gmail:

Settings -> Always use https -> Save changes

And then you need to reload the page otherwise you're still on http. At least that's what my browser showed.

Google Announcement (4, Informative)

ShadowRangerRIT (1301549) | about 6 years ago | (#24659293)

For info on the new setting and how to enable it, see the Gmail blog post [blogspot.com] .

It's also explained in the Help (1)

toby (759) | about 6 years ago | (#24659807)

here [google.com] .

A few notes... (5, Insightful)

nweaver (113078) | about 6 years ago | (#24659297)

Mike Perry did a great public service by making this tool and making it available.

This attack also works against yahoo mail, hotmail, etc. Just Yahoo, hotmail, etc don't even OFFER SSL, so well, if you use them, your FSCKed.

And Google has known about this problem for a LONG time. EG, see my blog post from last february! [icir.org] .

Google waited for a year before even giving users the OPTION to be protected when SSL is used, and notice that it was only after they found out about Mike Perry's talk that the option was even added.

Also, as I argue, they got it wrong. The checkbox is good, but most users don't know about it. But if a user MANUALLY enters https://mail.google.com/ [google.com] I argue that google should INFER that the user wants to be SSL-only, at least until they explicitly log out.

already does that. (1)

Medievalist (16032) | about 6 years ago | (#24659395)

I agree with your major points, but a small quibble:

if a user MANUALLY enters https://mail.google.com/ [google.com] I argue that google should INFER that the user wants to be SSL-only, at least until they explicitly log out.

Yes, that's how it's been working for me. I'd rather it always used SSL/TLS regardless, myself, but as long as I remember to type "https://gmail.google.com" in the URL bar before I log in, gMail will stay on SSL until I log out. It's been acting that way for about a year I guess; I used to have to do some much more complicated shenanigans to make it stay encrypted.

Re:already does that. (1)

nweaver (113078) | about 6 years ago | (#24659637)

Actually, that doesn't work.

You see, Google doesn't set GX as secure unless you manually select the preference to "Always use secure".

Thus even if you are a good user and always type in https, unless you changed the preference, Mike's tool can read your mail!

Re:A few notes... (5, Insightful)

derrickh (157646) | about 6 years ago | (#24659725)

So he's going to release a tool that lets people break into Gmail accounts. And unless you read slashdot, you'd have no idea to go into preferences and flip a switch.

How is this a public service? For the 99% of the world who dont read SD every day, they're pretty much screwed.

It's good I'm a nerd and will now flip the magic switch on my gmail account...but it seems like a big f-u to everyone else.

D

Reverse or reverse? (0, Offtopic)

azav (469988) | about 6 years ago | (#24659485)

" Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks."

What is a "reverse engineer?"

Is the product called reverse? If so, it should be Reverse, since names of things start with caps.

Re:Reverse or reverse? (4, Funny)

Intron (870560) | about 6 years ago | (#24659531)

What is a "reverse engineer?"

A very specialized transmission engineer in Detroit.

Re:Reverse or reverse? (1)

cephah (1244770) | about 6 years ago | (#24659535)

Reverse engineering (RE) is the process of discovering the technological principles of a device, object or system through analysis of its structure, function and operation. It often involves taking something (e.g. a mechanical device, electronic component, or software program) apart and analyzing its workings in detail, usually to try to make a new device or program that does the same thing without copying anything from the original.

http://en.wikipedia.org/wiki/Reverse_engineering [wikipedia.org]

Re:Reverse or reverse? (4, Funny)

Loki_1929 (550940) | about 6 years ago | (#24659687)

It's someone who manufactures a problem using only working solutions.

You might also know them as: "politicians".

UNLESS YOU CHECK, you are insecure! (5, Informative)

nweaver (113078) | about 6 years ago | (#24659587)

Unless you SET THE PREFERENCE, you are insecure, even if you MANUALLY type in https://mail.google.com/ [google.com] always.

Because unless you SET THE PREFERENCE, google does NOT set the session cookie to be SECURE.

This is what Mike Perry's tool does: it takes any of your OTHER connections, redirects it to http://mail.google.com/ [google.com] so your browser spits out the session cookie anyway, and then can redirect you back (so you don't know what happened).

Google's SSL mode for gmail, UNLESS YOU SET THE PREFERENCE, offers you NO protection against an active adversary. And since someone snooping your traffic at starbucks can just as easily inject packets, IT OFFERS NO PROTECTION EVEN IF YOU MANUALLY TYPE IN HTTPS ALL THE TIME, UNLESS YOU SET THE PREFERENCE!!!!

Re:UNLESS YOU CHECK, you are insecure! (1)

clone53421 (1310749) | about 6 years ago | (#24659707)

What if you don't use the 'remember me' checkbox? Does the exploit still work?

Re:UNLESS YOU CHECK, you are insecure! (5, Funny)

Anonymous Coward | about 6 years ago | (#24659711)

Thank you for WARNING US but DO YOU THINK you really need to SHOUT that much in your SENTENCES?

I mean, it's not like WE DON'T APPRECIATE your tips, but IT CAN GET A BIT ANNOYING when people keep SHOUTING every other WORDS.

Re:UNLESS YOU CHECK, you are insecure! (2, Funny)

waztub (1166611) | about 6 years ago | (#24659873)

Wait, I don't think you were clear about one point in particular. Should I or should I not set the preference...?

Re:UNLESS YOU CHECK, you are insecure! (1)

gnick (1211984) | about 6 years ago | (#24659949)

THANKS for the HEADS UP! But what I WANT TO KNOW NOW is WHAT DO I NEED TO DO IF I WANT TO USE SSL ALL THE TIME? I mean I type in https://mail.google.com/ [google.com] every time, but I REALLY NEED TO KNOW what to do to get it NOT TO REDIRECT BACK to http://mail.google.com/ [google.com] .

Maybe there's some preference I can set...

=)

Generally a good idea (0)

Anonymous Coward | about 6 years ago | (#24659611)

I'd say it's a good idea regardless. It's a simple checkbox, turns it on permanently, and it doesn't get in your way. It's quite nice, really.

...oh, wait, this is Slashdot. Forgot. What I meant to say was, um, I can't believe the mindless sheep that are so stupid to believe that not using SSL is secure. They are so very stupid and I hate them. Arrrrrrrrrrg they make me so very mad. And Google sucks for not including twenty-hojillion-bit PGP/GPG encryption entirely in Javascript so I can use better encryption because SSL sucks so much and I hate it and if I don't have you in my keyring you don't matter. Stupid people-who-aren't-me. Where does everyone else get off not being as smart and clever as I am? I hate them all.

...there, do I fit in now?

Re:Generally a good idea (0)

Anonymous Coward | about 6 years ago | (#24659787)

if you didn't start your post with a troll you would probably be modded up.

Gmail Notifier (5, Informative)

triplej3000 (804712) | about 6 years ago | (#24659635)

Selecting 'Always use https' breaks Gmail Notifier. Luckily Google has released a patch for this. Here is a link: http://mail.google.com/support/bin/answer.py?hl=en&answer=9429 [google.com]

Breaks Picasa Too (1)

gQuigs (913879) | about 6 years ago | (#24659825)

On Linux at least. I am unaware of any updates as of yet.

Re:Breaks Picasa Too (0)

Anonymous Coward | about 6 years ago | (#24659927)

On Linux at least. I am unaware of any updates as of yet.

On windows too of course!

This still drives me nuts with Google Apps (1)

jtshaw (398319) | about 6 years ago | (#24659667)

If I direct people to mail..com via http it forwards them to the insecure version after login. Unfortunately you can't hit mail..com with https and as a result to be secure people who use my Google Apps mail have to type the long drawn out mail.google.com/a/ to connect to it. I can't seem to find a setting anywhere to force security.... I first submitted the https->http thing to Google when I started using it in like 2004.... about damn time they started doing something about it.

Why can't the whole web be HTTPS? (5, Interesting)

thomasdz (178114) | about 6 years ago | (#24659731)

I can understand that back in the web's "stone age" (mid 1990s), having HTTPS for every web site would have seriously slowed down all the computers due to CPU usage, but nowadays is there any real good reason that the whole web can't be HTTPS?
With all the government and ISP snoopings going on, I'm surprised that at least some sites haven't gone that way.
(or is it that embedded browsers like on cell phones can't do SSL?)

TDz.

the first step to this (1)

toby (759) | about 6 years ago | (#24659785)

Is probably DNSSEC. Cue Antibozo to explain why (or why not:)

Did this right away (1)

JackassJedi (1263412) | about 6 years ago | (#24659761)

I switched on this GMail setting right after i realized the danger from reading the Defcon article; I just didn't think Google would be this careless with private data and assumed previously that in some AJAX-y way the actual GMail session data is being encrypted anyway.

Shame on me.

Author's site (5, Informative)

Captain Segfault (686912) | about 6 years ago | (#24659855)

Mike Perry's site [fscked.org] might (or might not) be a better source than some random blog post that doesn't even link to it.

Uhm? It's Google Mail! (2, Insightful)

Casandro (751346) | about 6 years ago | (#24659883)

I mean it's Google Mail, Google stores your e-mails till all ethernity and will surely hand it out to any dictator waving something which looks like an official document.

It doesn't matter much how secure the login is as the service itself is designed to be a gapping security hole.

don't freak out, requires packet sniffing (4, Informative)

YesIAmAScript (886271) | about 6 years ago | (#24659931)

Yes, this is a vulnerability. But it isn't like every person out there on the internet is going to be able to steal your session cookies in two weeks when the tool is released.

In order to execute this attack, a person would have to be able to sniff your packets and steal the cookies. And since the vast majority of people on the internet have no ability to intercept your traffic, this means in practice, the average person is pretty safe without having to worry about all this.

Re:don't freak out, requires packet sniffing (1)

vil3nr0b (930195) | about 6 years ago | (#24660033)

Correct. Just like not every person is going to be able to use netstumbler to find unsecured wireless. The vast majority of people are pretty safe. Does suck to be that one person out of 100,000,000 though.

Why does he need to release the tool? (2, Interesting)

origamy (807009) | about 6 years ago | (#24660023)

I don't understand why does someone need to prove a security vulnerability by releasing the tool?
By releasing this tool he will make it available for anyone with bad intentions to implement it. Weeks later we will have issues all over the place because we did not teach our grandparents to enable the checkbox in gmail; or the vulnerability is exploited in other webmail clients. By then, the botnets will be hijacking Gmail accounts to send Spam to everybody
So, really, who benefits of the release of this tool?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>