SSLification
I saw this on Slashdot today: a group of hackers developed a tool for stealing session IDs in Gmail. By default, Gmail authentication is encrypted, but the rest of your session is not. Every request you send to Gmail includes a session ID cookie, which travels in the clear. With your Gmail session cookie, I can put it into my browser, and Gmail would think I'm you, without needing to re-authenticate. I could then peruse your Craigslist personal responses. I'm guessing that would be bad.
So now Gmail will let you use SSL all the time. This isn't just a Gmail problem; it affects any site where a logged-in session's cookie is sent in the clear. I'm guessing Gmail has a pretty high-end SSL accelerator in operation for this.
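As an added example (not code from this post, from Gmail or from Google), here is a small Python audit of the two things the post turns on: a session cookie that the browser will send over plain HTTP because it lacks the Secure attribute, and whether a plain-HTTP request is answered with a redirect to HTTPS. The cookie names, hosts and values are constructed, and the session cookie name is an assumption passed in by the caller.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def cookie_findings(header, session_names):
    """Return the problems with a Set-Cookie header that carries a session ID.

    Without Secure the browser attaches the cookie to every plain-HTTP request,
    which is what a sniffer on the same Wi-Fi network collects.
    """
    name, _, attrs = parse_set_cookie(header)
    if name.lower() not in session_names:
        return []  # not a session cookie, nothing to check
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    return findings


def forces_https(status, location, request_url):
    """True if a plain-HTTP request was redirected to the same host over HTTPS."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    req, loc = urlsplit(request_url), urlsplit(location)
    return loc.scheme == "https" and loc.hostname == req.hostname


# Constructed sample headers (not captured from any real service).
SAMPLE_COOKIES = [
    "SID=abc123; Path=/; Domain=.example.com",                    # leaks over HTTP
    "SID=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",  # hardened
]


def audit(session_names=("sid",)):
    """Map each sample Set-Cookie header to its list of findings."""
    names = {n.lower() for n in session_names}
    return {h: cookie_findings(h, names) for h in SAMPLE_COOKIES}


if __name__ == "__main__":
    for header, findings in audit().items():
        print(header, "->", findings or ["ok"])
    print(forces_https(302, "https://mail.example.com/", "http://mail.example.com/"))
```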



[...] Back in July of 2008, they put in the option to force HTTPS for everything. If you simply put "gmail.com" into your address bar, your browser would default to HTTP and you'd be unencrypted. With the force option, you'd be automatically redirected to HTTPS. This was in response to the threat of stealing cookies and assuming others' identities at Wi-Fi spots that I mentioned back in 2008. [...]
January 14th, 2010 at 3:29 pm