Load Balancing Digest

19 Aug

SSLification

I saw this on Slashdot today, where a bunch of hackers developed a tool for stealing session IDs in Gmail. By default, Gmail authentication is encrypted, but the rest of your session is not. Every request you send to Gmail includes a session ID cookie, which travels in the clear. With your Gmail session cookie, I can put it into my browser, and Gmail would think I’m you, without needing to re-authenticate. I could then peruse your Craigslist personal responses. I’m guessing that would be bad.

So now Gmail will allow you to do all SSL, all the time. This isn’t just a Gmail problem, but one that affects every logged-in session whose cookie is sent over plain HTTP. I’m guessing Gmail has a pretty high-end SSL accelerator in operation for this.
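The two halves of the problem described above, as an added example that is not from the original post: a check that flags cookies a browser would send over plain HTTP (those set without the Secure attribute), a helper that re-emits them with Secure set, and the "force HTTPS" redirect. The Set-Cookie headers and host name are constructed for the example, not taken from Gmail.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers standing in for a web mail login response.
# "SID" lacks the Secure attribute, so a browser attaches it to any plain-HTTP
# request for the same host, where it crosses the network unencrypted.
CONSTRUCTED_HEADERS = [
    "SID=abc123; Path=/; HttpOnly",
    "PREF=lang%3Den; Path=/; Secure",
]


def cookies_exposed_over_http(set_cookie_headers):
    """Return names of cookies a browser would send over plain HTTP,
    i.e. every cookie set without the Secure attribute."""
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        # morsel["secure"] is True when the flag was present, "" otherwise
        exposed.extend(name for name, m in jar.items() if not m["secure"])
    return exposed


def harden_set_cookie(header):
    """Re-emit a single Set-Cookie header with the Secure attribute, so the
    cookie is only ever sent on HTTPS requests (other attributes are kept)."""
    jar = SimpleCookie()
    jar.load(header)
    (morsel,) = jar.values()  # one cookie per Set-Cookie header
    morsel["secure"] = True
    return morsel.OutputString()


def force_https(scheme, host, path):
    """The 'force HTTPS' option: a plain-HTTP request is answered with a
    redirect to the same resource over HTTPS before any content is served,
    so a session cookie never rides along on an unencrypted page load."""
    if scheme == "http":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {}


if __name__ == "__main__":
    print("exposed over HTTP:", cookies_exposed_over_http(CONSTRUCTED_HEADERS))
    print("hardened:", [harden_set_cookie(h) for h in CONSTRUCTED_HEADERS])
    print(force_https("http", "mail.example.test", "/inbox"))
```

The Secure attribute and the redirect are complementary: the redirect stops the unencrypted page load, while Secure stops the browser from leaking the cookie if something still fetches an http:// URL for that host.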

One Response to “SSLification”

  1. Load Balancing Digest » Blog Archive » Gmail Goes All SSL, and So Should You says:

    [...] Back in July of 2008, they put in the option to force HTTPS for everything. If you simply put “gmail.com” into your address bar, your browser would default to HTTP and you’d be unencrypted. With the force option, you’d be automatically redirected to HTTPS. This was in response to the threat of stealing cookies and assuming others’ identities at Wi-Fi spots that I mentioned back in 2008. [...]


© 2010 Load Balancing Digest | Entries (RSS) and Comments (RSS)
