A Good Reason to Use Gmail's SSL Option

If you use Gmail and read my post about Google's new "Always use HTTPS" Gmail option (or heard about it elsewhere) and did not enable it immediately, here's yet another reason to do so.

A tool was presented at Defcon that can steal your Gmail credentials. It was created by Mike Perry, a reverse engineer from San Francisco, and it works like this:

You may have noticed that when you're logged into Gmail and then browse to, say, www.blogger.com, you're automatically logged in. That's because a cookie is already present that gets sent to anything and everything Google related (even images you click on). This cookie is cleared whenever you manually click a Google Sign Out button.

That means if you log into Gmail on your ultra-secure home wireless using https:// and then use your university's open WiFi later to visit a Google website, your cookie is still sent over an unencrypted connection. Anyone else have their iGoogle page set as their homepage?
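The leak described above comes down to one cookie attribute. A browser attaches a session cookie to every request that matches its domain and path, over http:// as well as https://, unless the cookie carries the Secure flag, in which case it is only sent over an encrypted connection. The following is an added example (not part of the original post, and not Google's or Mike Perry's code) that uses Python's standard-library cookie jar, which applies the same rule, to show what a plain cookie and a Secure cookie do when the same browser later visits an http:// page. The domain .example.com and the cookie values are constructed for the demo.

```python
"""Constructed demo: which cookies a browser-style cookie jar attaches to a
request over http:// versus https://, depending on the cookie's Secure flag.
Standard library only; the domain and cookie values below are made up."""
import http.cookiejar
import http.cookies
import urllib.request

# Constructed Set-Cookie headers, as a login response might return them.
# SID has no Secure flag; SSID does.
SAMPLE_SET_COOKIES = [
    "SID=plainsession123; Domain=.example.com; Path=/",
    "SSID=securesession456; Domain=.example.com; Path=/; Secure",
]


def cookie_from_set_cookie(header_value):
    """Turn one Set-Cookie header value into an http.cookiejar.Cookie."""
    parsed = http.cookies.SimpleCookie()
    parsed.load(header_value)
    (name, morsel), = parsed.items()
    domain = morsel["domain"]
    return http.cookiejar.Cookie(
        version=0, name=name, value=morsel.value,
        port=None, port_specified=False,
        domain=domain, domain_specified=bool(domain),
        domain_initial_dot=domain.startswith("."),
        path=morsel["path"] or "/", path_specified=bool(morsel["path"]),
        # This flag is the whole point: True only if "Secure" was present.
        secure=bool(morsel["secure"]),
        expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False)


def build_jar(set_cookie_headers):
    """Store the cookies the way a browser would after a login response."""
    jar = http.cookiejar.CookieJar()
    for header in set_cookie_headers:
        jar.set_cookie(cookie_from_set_cookie(header))
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url.

    The jar's default policy matches domain and path, and refuses to
    release a Secure cookie when the request scheme is not https.
    """
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def leak_report(set_cookie_headers, urls):
    """Map each URL to the cookie names a browser would send to it."""
    jar = build_jar(set_cookie_headers)
    return {url: cookies_sent_to(jar, url) for url in urls}


if __name__ == "__main__":
    report = leak_report(SAMPLE_SET_COOKIES, [
        "https://mail.example.com/",   # the encrypted login page
        "http://www.example.com/",     # any later plain-http page on the domain
        "http://www.other-example.org/",  # unrelated site: nothing is sent
    ])
    for url, names in report.items():
        print(f"{url:35} -> {names}")
```

Running it shows that both cookies go to the https:// page, but only SID, the one without the Secure flag, is attached to the http:// request, which is exactly the packet an attacker on an open network can read. An HTTPS-only session whose cookie is marked Secure never produces that plaintext request in the first place.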

However, this can easily be defeated with 3 clicks from Gmail's home page.


