For everyone who uses gmail

rhadamanthus · Aug 20, 2008

A hack will be released in a few weeks capable of stealing ID/passwords.

Thankfully, there is a simple fix. Gmail now has the option to run in SSL all the time.

Once you're signed into Gmail: Settings -> Always use https -> Save changes

moestavern19 · Aug 20, 2008

thanks for the heads up.

the futants · Aug 20, 2008

Thanks.

Hayesfan · Aug 20, 2008

ditto thanks for the news! I already changed my settings.

D-Lite · Aug 20, 2008

so why does this setting make my account resistive to the hack?

rhadamanthus · Aug 20, 2008

D-Lite said:

so why does this setting make my account resistive to the hack?
Click to expand...

My understanding is that while the password is sent via secure http (SSL), the cookie is sent via normal http - which can be intercepted. Addittionally, once you logged in, it appears gmail reverted back to http. Even if you logged in manually at https://mail.google.com

Anyhow, this just leaves you in https mode the whole time, sending all the data encrypted.

For the record, yahoo and hotmail don't even offer SSL. And this attack works on there systems too.

EDIT: from someone WAY smarter than me...

The need for SSL-encrypting your session was known with sidejacking. If you use SSL for credential exchange but not for the whole session, your session cookie is transmitted in the clear, and an attacker can sniff it and use your session (as the cookie acts temporarily as a credential). Encrypting the whole session with SSL prevents this. This is well-known at this point.

The subject of this talk was not sidejacking. If the site (Gmail) does not set the secure bit on the session cookie, then your session cookie can be transmitted in the clear, even if all of your intentional communication with Gmail is over SSL! An attacker need only inject a link to the appropriate domain (e.g., mail.google.com) in some other page you request, and the cookie will be sent with that request over HTTP. Only by marking the cookie as secure will the browser refuse to send it over HTTP.
Click to expand...

Lil Pun · Aug 20, 2008

Thanks for the heads up. I need to change my settings.

Jeremiah · Aug 20, 2008

I know that Google won't sit around and let this happen.

That said, anyone know how to configure GMail on the Outlook side to set the HTTPS?

Ziggy · Aug 20, 2008

Ya I am too lazy to do anything. Google is just gonna have to circumvent this.

The_Yoyo · Aug 20, 2008

thanks for the heads up.

does this hack also affect people who get gmail to their phone as well?

rhadamanthus · Jan 14, 2010

Google switching to HTTPS as default. Finally.

REEKO_HTOWN · Jan 14, 2010

Thanks! Just changed it.

Legend Killer · Jan 14, 2010

Thanks for the heads up... just adjusted my settings

tested911 · Jan 14, 2010

REEKO_HTOWN said:

Thanks! Just changed it.
Click to expand...

look at the orginal post date...

DonnyMost · Jan 14, 2010

Well, crisis averted I guess.

Normally you don't hear about a "coming hack", how odd.

Legend Killer · Jan 14, 2010

tested911 said:

look at the orginal post date...
Click to expand...

Haha... i didn't notice that either.

Forums

For everyone who uses gmail

rhadamanthus Member

moestavern19 Member

the futants Member

Hayesfan Member

D-Lite Member

rhadamanthus Member

Lil Pun Member

Jeremiah Member

Ziggy QUEEN ANON

The_Yoyo Member

rhadamanthus Member

REEKO_HTOWN I'm Rich Biiiiaaatch!

Legend Killer Member

tested911 Member

DonnyMost Member
Supporting Member

Legend Killer Member

Share This Page

About ClutchFans

Rockets Content

Support ClutchFans!

For everyone who uses gmail

rhadamanthus Member

moestavern19 Member

the futants Member

Hayesfan Member

D-Lite Member

rhadamanthus Member

Lil Pun Member

Jeremiah Member

Ziggy QUEEN ANON

The_Yoyo Member

rhadamanthus Member

REEKO_HTOWN I'm Rich Biiiiaaatch!

Legend Killer Member

tested911 Member

DonnyMost Member Supporting Member

Legend Killer Member

Share This Page

DonnyMost Member
Supporting Member