Load Balancing Digest

19 Aug

SSLification

I saw this on Slashdot today: a bunch of hackers developed a tool for stealing session IDs in Gmail. By default, Gmail encrypts authentication, but not the rest of your session. Every request you send to Gmail includes a session ID cookie, and that cookie travels in the clear. With your Gmail session cookie, I can put it into my browser, and Gmail would think I’m you, without needing to re-authenticate. I could then peruse your Craigslist personal responses. I’m guessing that would be bad.

So now Gmail will allow you to do all SSL, all the time. This isn’t just a Gmail problem, but one that affects all logged-in sessions. I’m guessing Gmail has a pretty high-end SSL accelerator in operation for this.
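As an added example (not from the original post), the mechanism above checked with Python's standard-library cookie jar: a session cookie set without the Secure attribute is attached to any plain-HTTP request to the same host, so one unencrypted request leaks it even on a site that is otherwise "all SSL", while a cookie marked Secure is only sent over HTTPS. The host name, cookie name and value are constructed.

```python
"""Shows when a stdlib cookie jar will attach a session cookie to a request.

A cookie without the Secure attribute is sent over http:// as well as https://,
which is what exposes it to anyone sniffing the plaintext traffic. Nothing here
touches the network: the Set-Cookie header is constructed and parsed locally.
"""
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

ORIGIN = "https://mail.example.test/"  # constructed host, not a real site


class _FakeResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie_header):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookies_sent_over(set_cookie_header, url):
    """Return the Cookie header the jar attaches to `url`, or None if nothing.

    The cookie is first stored as if the server at ORIGIN had set it over HTTPS.
    """
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_header), Request(ORIGIN))
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    weak = "SID=abc123; Path=/"            # constructed session cookie, no Secure flag
    hardened = "SID=abc123; Path=/; Secure"
    for header in (weak, hardened):
        for url in ("http://mail.example.test/inbox",
                    "https://mail.example.test/inbox"):
            print(f"{header!r:40} -> {url}: {cookies_sent_over(header, url)}")
```

The weak cookie is printed for the http:// URL, which is the sniffable case; the Secure cookie shows up only for the https:// URL.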


© 2008 Load Balancing Digest | Entries (RSS) and Comments (RSS)
