A Good Reason To Go Full-Time SSL For Gmail
Posted by timothy on Tue Aug 19, 2008 11:26 AM
from the oh-that-hurts dept.
Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."
Related Stories
HTTPS Cookie Hijacking Not Just For Gmail 128 comments
mikepery writes with a followup to last month's mention of a security vulnerability affecting Gmail accounts, which it seems understated the problem. "I figure the Slashdot readership is the best place to reach a large number of slacking admins and developers, so I want to announce that it's been 30 days since my DEFCON presentation on HTTPS cookie hijacking, and as such, it's now time to release the tool to a much wider group. Despite what was initially reported, neither the attack nor the tool are gmail-specific, and many other websites are vulnerable. So, if you maintain any sort of reasonable looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put 'CookieMonster' in the subject, without a space." (More below.)
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Good thing Slashdot is safe... (Score:5, Funny)
Or else someone could hijack my accBILL GATS SI TEH DEVLI!!!!!!!!!
Just for Google? (Score:5, Insightful)
Is there any reason to not use SSL every time one sends a password?
Unfortunately, the general public still seems entirely uneducated about SSL, figuring that passwords must be secure because they appear as bullets on the screen, right?
Re:Just for Google? (Score:5, Informative)
Like when you read slashdot?
Re:Just for Google? (Score:5, Informative)
Gmail always uses SSL for logins.
Previously, if you wanted to maintain SSL for the whole session you had to log in via https://mail.google.com/ [google.com], otherwise it dropped back to http after login. Now you can set it to always use SSL regardless of the URL you visit it from.
Re:But it was NOT secure... (Score:5, Funny)
Re:Just for Google? (Score:5, Informative)
Is there any reason to not use SSL every time one sends a password?
Firefox 3, and I think other newer browsers, lie to people by strongly implying that HTTPS with self-signed certificates is far more dangerous than bare unencrypted HTTP.
Re:Just for Google? (Score:5, Insightful)
They don't lie, they assume that if a site is self-signed it has been hijacked, which is very reasonable; if my bank suddenly changed to self-signed I'd want a proper warning.
Re:Just for Google? (Score:5, Informative)
Re:Just for Google? (Score:5, Funny)
Re:Ow ow ow. (Score:5, Funny)
Re:Ow ow ow. (Score:5, Funny)
Most people "could care less."
Which hurts on many levels...
Re:Ow ow ow. (Score:5, Funny)
Its a waist of time to corect peoples gramar and speling. Your simply not going to brake there bad habits irregardless of how you feal.
Re:Ow ow ow. (Score:5, Funny)
3 clicks (Score:5, Informative)
Google Announcement (Score:5, Informative)
A few notes... (Score:5, Insightful)
Mike Perry did a great public service by making this tool and making it available.
This attack also works against Yahoo Mail, Hotmail, etc. Just Yahoo, Hotmail, etc. don't even OFFER SSL, so well, if you use them, you're FSCKed.
And Google has known about this problem for a LONG time. E.g., see my blog post from last February! [icir.org].
Google waited for a year before even giving users the OPTION to be protected when SSL is used, and notice that it was only after they found out about Mike Perry's talk that the option was even added.
Also, as I argue, they got it wrong. The checkbox is good, but most users don't know about it. But if a user MANUALLY enters https://mail.google.com/ [google.com] I argue that Google should INFER that the user wants to be SSL-only, at least until they explicitly log out.
Re:A few notes... (Score:5, Insightful)
So he's going to release a tool that lets people break into Gmail accounts. And unless you read slashdot, you'd have no idea to go into preferences and flip a switch.
How is this a public service? For the 99% of the world who don't read SD every day, they're pretty much screwed.
It's good I'm a nerd and will now flip the magic switch on my gmail account...but it seems like a big f-u to everyone else.
D
UNLESS YOU CHECK, you are insecure! (Score:5, Informative)
Unless you SET THE PREFERENCE, you are insecure, even if you MANUALLY type in https://mail.google.com/ [google.com] always.
Because unless you SET THE PREFERENCE, Google does NOT set the session cookie to be SECURE.
This is what Mike Perry's tool does: it takes any of your OTHER connections, redirects it to http://mail.google.com/ [google.com] so your browser spits out the session cookie anyway, and then can redirect you back (so you don't know what happened).
Google's SSL mode for Gmail, UNLESS YOU SET THE PREFERENCE, offers you NO protection against an active adversary. And since someone snooping your traffic at Starbucks can just as easily inject packets, IT OFFERS NO PROTECTION EVEN IF YOU MANUALLY TYPE IN HTTPS ALL THE TIME, UNLESS YOU SET THE PREFERENCE!!!!
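The cookie behaviour the comment above describes, modelled as an added example (not part of the original comment and not code from Mike Perry's tool): it shows which cookies a browser attaches to an `http://` versus `https://` request depending on the `Secure` attribute, plus a small audit helper for `Set-Cookie` headers. The host, cookie name and values are constructed placeholders, and matching is simplified to an exact host match with no Path or expiry handling.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie values for a hypothetical webmail host; the cookie
# name and value are placeholders, not taken from any real service.
HOST = "mail.example.test"
PREFERENCE_OFF = ["SESSION=abc123; Path=/; HttpOnly"]
PREFERENCE_ON = ["SESSION=abc123; Path=/; Secure; HttpOnly"]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def build_jar(host, headers):
    """Store each cookie with the host that set it (host-only cookies)."""
    return [(*parse_set_cookie(h), host) for h in headers]


def cookies_sent(jar, url):
    """Names of cookies a browser would attach to a request for url.

    Simplified model: exact host match, no Path or expiry handling.
    """
    target = urlsplit(url)
    sent = []
    for name, _value, attrs, host in jar:
        if target.hostname != host:
            continue
        if attrs.get("secure") and target.scheme != "https":
            continue  # Secure cookies never go out over cleartext HTTP
        sent.append(name)
    return sent


def missing_secure(headers):
    """Audit helper: cookie names set without the Secure attribute."""
    return [n for n, _v, a in map(parse_set_cookie, headers) if not a.get("secure")]


if __name__ == "__main__":
    for label, headers in (("off", PREFERENCE_OFF), ("on", PREFERENCE_ON)):
        jar = build_jar(HOST, headers)
        print(label, cookies_sent(jar, f"http://{HOST}/"), missing_secure(headers))
```

Running `missing_secure` over the `Set-Cookie` headers of a site's authenticated HTTPS responses is a quick way to spot session cookies that would still be sent in cleartext.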
Re:UNLESS YOU CHECK, you are insecure! (Score:5, Funny)
Thank you for WARNING US but DO YOU THINK you really need to SHOUT that much in your SENTENCES?
I mean, it's not like WE DON'T APPRECIATE your tips, but IT CAN GET A BIT ANNOYING when people keep SHOUTING every other WORD.
Gmail Notifier (Score:5, Informative)
Why can't the whole web be HTTPS? (Score:5, Interesting)
I can understand that back in the web's "stone age" (mid 1990s), having HTTPS for every web site would have seriously slowed down all the computers due to CPU usage, but nowadays is there any real good reason that the whole web can't be HTTPS?
With all the government and ISP snoopings going on, I'm surprised that at least some sites haven't gone that way.
(or is it that embedded browsers like on cell phones can't do SSL?)
TDz.
Author's site (Score:5, Informative)
Mike Perry's site [fscked.org] might (or might not) be a better source than some random blog post that doesn't even link to it.
don't freak out, requires packet sniffing (Score:5, Informative)
Yes, this is a vulnerability. But it isn't like every person out there on the internet is going to be able to steal your session cookies in two weeks when the tool is released.
In order to execute this attack, a person would have to be able to sniff your packets and steal the cookies. And since the vast majority of people on the internet have no ability to intercept your traffic, this means in practice, the average person is pretty safe without having to worry about all this.
Re:Reverse or reverse? (Score:5, Funny)
What is a "reverse engineer?"
A very specialized transmission engineer in Detroit.
Re:Reverse or reverse? (Score:5, Funny)
It's someone who manufactures a problem using only working solutions.
You might also know them as: "politicians".