A Good Reason To Go Full-Time SSL For Gmail

Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."
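The attack in the summary only works because a session cookie issued over an SSL login is later replayed by the browser over plain HTTP, where anyone on the same network segment can read it. The example below is added here and is not Google's code or Mike Perry's tool: it uses Python's standard-library cookie jar as a stand-in for a browser and shows, for a constructed host and constructed cookie values, which cookies get attached to an http:// request versus an https:// one, first for a login response that omits the Secure attribute and then for the hardened form that sets it.

```python
"""Added example: why a webmail session cookie must carry the Secure attribute
once the login is SSL-only.

Illustrative code written for this page, not Google's code or Mike Perry's
tool.  The host name, cookie names and values are constructed.  The stdlib
CookieJar stands in for a browser: it decides, per request, which stored
cookies may be sent, and the Secure attribute is what keeps a session cookie
off plain HTTP.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "mail.example.test"  # constructed; stands in for the webmail host


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def login(jar, set_cookie_headers):
    """Feed the jar the Set-Cookie headers of an HTTPS login response."""
    request = Request(f"https://{HOST}/login")
    jar.extract_cookies(_FakeResponse(set_cookie_headers), request)


def cookies_sent_to(jar, url):
    """Return the sorted names of cookies the jar would attach to a request for url."""
    request = Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def exposure_report(set_cookie_headers):
    """Compare what a later http:// fetch leaks with what an https:// fetch sends."""
    jar = CookieJar()
    login(jar, set_cookie_headers)
    return {
        "https": cookies_sent_to(jar, f"https://{HOST}/inbox"),
        "http": cookies_sent_to(jar, f"http://{HOST}/inbox"),
    }


# Constructed 'before': the session cookie has no Secure attribute, so the
# browser will send it on any plain-HTTP request to the same host.
WEAK_LOGIN_RESPONSE = [
    "SID=constructed-session-token; Path=/; HttpOnly",
    "PREF=en; Path=/",
]

# Hardened: the session cookie is marked Secure; the harmless preference
# cookie is left as it was.
HARDENED_LOGIN_RESPONSE = [
    "SID=constructed-session-token; Path=/; Secure; HttpOnly",
    "PREF=en; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_LOGIN_RESPONSE),
                           ("hardened", HARDENED_LOGIN_RESPONSE)):
        report = exposure_report(headers)
        print(f"{label:9s} https -> {report['https']}  http -> {report['http']}")
```

With the weak response the SID cookie appears in both lists; with the hardened response it appears only on the https:// request, which is the property the "always use https" setting relies on. Marking the cookie Secure is the server-side half of the fix; the other half is making sure no page of the application is ever served over plain HTTP, otherwise the browser is simply redirected before the cookie would have been sent.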
  • Just for Google? (Score:5, Insightful)

    by Toe, The ( 545098 ) on Tuesday August 19, 2008 @11:28AM (#24659235)

    Is there any reason to not use SSL every time one sends a password?

    Unfortunately, the general public still seems entirely uneducated about SSL, figuring that passwords must be secure because they appear as bullets on the screen, right?

  • A few notes... (Score:5, Insightful)

    by nweaver ( 113078 ) on Tuesday August 19, 2008 @11:32AM (#24659297) Homepage

    Mike Perry did a great public service by making this tool and making it available.

    This attack also works against Yahoo mail, Hotmail, etc. Just Yahoo, Hotmail, etc. don't even OFFER SSL, so well, if you use them, you're FSCKed.

    And Google has known about this problem for a LONG time. EG, see my blog post from last february! [icir.org].

    Google waited for a year before even giving users the OPTION to be protected when SSL is used, and notice that it was only after they found out about Mike Perry's talk that the option was even added.

    Also, as I argue, they got it wrong. The checkbox is good, but most users don't know about it. But if a user MANUALLY enters https://mail.google.com/ [google.com] I argue that google should INFER that the user wants to be SSL-only, at least until they explicitly log out.

  • Ow ow ow. (Score:4, Insightful)

    by zippthorne ( 748122 ) on Tuesday August 19, 2008 @11:41AM (#24659437) Journal

    all intensive purposes

    Is this the road we're going down? Pseudo-homophones of idiomatic phrases?

    Yeah, yeah, grammar pedantry is bad. Nevertheless, this stuff hurts to read.

  • Re:Ow ow ow. (Score:1, Insightful)

    by Anonymous Coward on Tuesday August 19, 2008 @12:01PM (#24659715)

    It might help if you had said that the correct phrase is "for all intents and purposes" instead of being an asshole and mocking/ridiculing the GP.

    My story: I had always heard people say "for all intensive purposes," so that's what I said and wrote from as early as I can remember to somewhere around age 20 when I finally saw the phrase in print for the first time. The sad part: nobody ever bothered to correct me.

    Everybody has to learn somewhere. Don't assume everyone first encountered the phrase the same way you did.

  • Re:A few notes... (Score:5, Insightful)

    by derrickh ( 157646 ) on Tuesday August 19, 2008 @12:02PM (#24659725) Homepage

    So he's going to release a tool that lets people break into Gmail accounts. And unless you read slashdot, you'd have no idea to go into preferences and flip a switch.

    How is this a public service? For the 99% of the world who don't read SD every day, they're pretty much screwed.

    It's good I'm a nerd and will now flip the magic switch on my gmail account...but it seems like a big f-u to everyone else.

    D

  • by Zironic ( 1112127 ) on Tuesday August 19, 2008 @12:07PM (#24659821)

    They don't lie, they assume that if a site is self-signed it has been hijacked, which is very reasonable; if my bank suddenly changed to self-signed I'd want a proper warning.

  • by Casandro ( 751346 ) on Tuesday August 19, 2008 @12:10PM (#24659883)

    I mean it's Google Mail, Google stores your e-mails till all eternity and will surely hand it out to any dictator waving something which looks like an official document.

    It doesn't matter much how secure the login is as the service itself is designed to be a gaping security hole.

  • by HungryHobo ( 1314109 ) on Tuesday August 19, 2008 @12:15PM (#24659963)

    God, I've had some insane conversations with retarded people.

    *Me*: You know doing what you're doing is terribly, terribly insecure, someone might get into your email account!
    *Him*: .... ah well, it's not like there's anything important in there. I mean what are they gonna do, email someone in my name?
    *Me*: ....You have a paypal account right?
    *Him*: Ya...
    *Me*: And it's linked to your email account right?
    *Him*: Ya...
    *Me*: And if you forget your paypal password you can have them send you an email to change it right?
    *Him*: Ya....
    *Me*: And your credit card is linked to your paypal account isn't it?
    *Him*: Hmmm...
    *Me*: So someone with access to your mail account could get hold of your paypal and run up some insane charges buying horse porn.
    *Him*: Oh....

    It's depressing how people will set up accounts with things like paypal, link them to their email and then dismiss anything about security since "sure my email isn't that important".

  • Re:A few notes... (Score:5, Insightful)

    by Timothy Brownawell ( 627747 ) <tbrownaw@prjek.net> on Tuesday August 19, 2008 @12:23PM (#24660067) Homepage Journal

    Maybe the two weeks' notice is a hint to Google that it might be a good idea to fix the default setting or make all connections encrypted?

  • Re:Ow ow ow. (Score:3, Insightful)

    by geobeck ( 924637 ) on Tuesday August 19, 2008 @12:54PM (#24660615) Homepage

    There should still be some part of a person's brain that stops and says, "That doesn't make any sense..." when they write something like that.

    After listening to (and reading) managerese for so long, that part of the brain shuts down in self defense. If it didn't, managers and marketing people would wonder why tech employees were always running out of meetings screaming.

    by Belial6 ( 794905 ) on Tuesday August 19, 2008 @01:20PM (#24661041)

    You forgot to add: *You*: So you're going to stop doing the insecure thing right? *Him*: Nah, it's not like there's anything important in there. I mean what are they gonna do, email someone in my name? It's the same with my pet peeve, 'check cards'.

  • Too expensive (Score:3, Insightful)

    by Wee ( 17189 ) on Tuesday August 19, 2008 @01:45PM (#24661427)

    Using SSL for everything is too expensive in terms of computing resources. Gmail gets a staggering amount of traffic as it is, I don't know that they could handle all of it being run through the SSL hardware. I'm just happy the setting is there at all.

    -B

  • by Anonymous Coward on Tuesday August 19, 2008 @01:52PM (#24661537)

    Obg link to bash.org

    http://www.bash.org/?244321 [bash.org]

    Explains user-unsecurity.

    Bash.org has been down for a couple weeks now.

  • by Sloppy ( 14984 ) on Tuesday August 19, 2008 @02:21PM (#24661961) Homepage Journal

    try to explain that to your average user.
    They want either "it's secure" or "it's not secure"

    So you encrypt and tell them "it's not secure," just like you do when you don't encrypt and tell them it's not secure. What's so bad about that?

    If the user demands a black-or-white answer, then tell them the worst-case scenario: black. But be consistent about it. Behind the scenes, despite the user's wish that things are black or white, the reality is that there are degrees of security, and encrypted-but-not-authenticated is more secure than not-encrypted-and-not-authenticated. Even if you argue that point and say it's just as bad, you can't make a case that it's less secure. It just isn't.

    It's ok for the UI to simplify reality by not acknowledging the degrees, but it shouldn't contradict reality, either. Showing a scary-looking popup for the more secure situation while not showing the scary popup for the less secure situation, is misleading.

  • by curunir ( 98273 ) * on Tuesday August 19, 2008 @07:33PM (#24666223) Homepage Journal

    The true problem is that, in true techie style, the concepts covered by HTTPS aren't properly separated and this results in confusion for people that don't understand what's going on technically. For better or for worse, HTTPS is a leaky abstraction.

    HTTPS solves two distinct problems and yet it's depicted as a single problem. Because the need for an encrypted transport layer is obvious, people forget that the other purpose of HTTPS is to verify the identity of the server you're communicating with. It can even be used for the server to identify the client that's making the request, but that feature is seldom used. But it's still two distinct (though related) problems being solved, the encrypted transport layer and the identity verification mechanism.

    I'm not sure if there's a better way to convey the difference between these two concepts to non-technical users, but it would be good to try since there's value in utilizing one of the two without using both. Besides the obvious applications of unverified and encrypted connections, verified but unencrypted connections could also be useful for situations where encryption isn't needed but it's important to know that the information you're seeing is coming from a trusted source (i.e. stock listings or other public information that you really need to know is genuine).
