
All Your Gmail Are Ours: Point-and-Click Gmail Account Theft
September 5, 2008
From Wired and Slashdot: A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts [was] presented at the Defcon hackers’ conference in Las Vegas.
Google [has] introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks.
Something similar was shown at DefCon last year, to demonstrate how vulnerable unprotected Wi-Fi access is as well: anyone on the same open network can read, and replay, whatever crosses the wire in the clear.
It’s not enough to just insert an “s” after the “http” bit in the URL when you log in to Gmail; you’ve got to set your Gmail preference to always use HTTPS. Typing https:// by hand protects only the page loads you type it for. If the session cookie is not flagged Secure, the browser will still attach it to any plain-HTTP request to the mail host, and an attacker on the same network can easily provoke such a request (an embedded image, a redirect) and sniff the cookie off the wire. The “always use HTTPS” setting is what tells Google to keep the whole session, cookie included, encrypted. You can do so from Gmail’s settings page (the “Always use https” option).
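As an added example (this is not code from the original post, nor from Mike Perry’s tool), the following Python script shows both halves of the problem: how trivially a session cookie sent in a plain-HTTP request can be lifted from a passive capture, and how to audit a Set-Cookie header for the Secure attribute, which is what stops the browser from sending the cookie over http:// in the first place. The host name, cookie names and header strings are constructed for illustration and are not real Gmail traffic.

```python
"""Added example: session-cookie leakage over plain HTTP and a Secure-flag
audit.  Not from the original post or from any vendor's code.  All traffic
below is constructed sample text, not a real capture."""
from http import cookies  # stdlib Set-Cookie parser

# Constructed sample of what a sniffer on an open Wi-Fi network sees when the
# browser makes any plain-HTTP request to the mail host.  Host name and cookie
# names/values are invented for illustration.
SAMPLE_PLAINTEXT_REQUEST = (
    "GET /mail/images/logo.gif HTTP/1.1\r\n"
    "Host: mail.example-webmail.com\r\n"
    "Cookie: SID=abc123sessiontoken; PREF=lang=en\r\n"
    "\r\n"
)

# Constructed Set-Cookie headers: the weak setting (no Secure attribute) next
# to what an always-HTTPS deployment should emit for its session cookie.
WEAK_SET_COOKIE = "SID=abc123sessiontoken; Path=/; HttpOnly"
SAFE_SET_COOKIE = "SID=abc123sessiontoken; Path=/; Secure; HttpOnly"


def extract_cookies(raw_request: str) -> dict:
    """Pull the Cookie header out of a plaintext HTTP request.

    This is all a passive sniffer has to do: a cookie sent over HTTP is
    readable by anyone on the same network segment.
    """
    headers, _, _ = raw_request.partition("\r\n\r\n")
    for line in headers.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            return dict(
                pair.strip().split("=", 1)
                for pair in value.split(";") if "=" in pair
            )
    return {}


def session_cookie_leaks(raw_request: str, session_names=("SID",)) -> list:
    """Return the session cookie names present in a plaintext request.

    A non-empty result means the session identifier crossed the wire in the
    clear and can be replayed by whoever captured it.
    """
    found = extract_cookies(raw_request)
    return [n for n in session_names if n in found]


def audit_set_cookie(header: str) -> dict:
    """Report the Secure and HttpOnly attributes of each cookie in a header.

    Without Secure the browser sends the cookie with any http:// request to
    the host, so serving pages over HTTPS alone does not keep the session
    private; the server must also mark the cookie Secure.
    """
    jar = cookies.SimpleCookie()
    jar.load(header)
    return {
        name: {
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        }
        for name, morsel in jar.items()
    }


def hardened(header: str) -> str:
    """Rewrite a Set-Cookie header so it carries the Secure attribute.

    This is a server-side change; the client cannot add the flag itself.
    """
    attrs = [a.strip() for a in header.split(";")]
    if not any(a.lower() == "secure" for a in attrs):
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    print("leaked session cookies:", session_cookie_leaks(SAMPLE_PLAINTEXT_REQUEST))
    print("weak :", audit_set_cookie(WEAK_SET_COOKIE))
    print("safe :", audit_set_cookie(SAFE_SET_COOKIE))
    print("fixed:", hardened(WEAK_SET_COOKIE))
```

The point of the audit function is the caveat a practitioner wants to check for any webmail provider, not just Gmail: log in over HTTPS, look at the Set-Cookie header on the session cookie, and if it lacks Secure, assume the session can be hijacked by anyone who shares a network with you.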
Okay, now here’s the best part: of the big webmail providers, Gmail is the only one that has offered HTTPS at all, albeit pretty badly, to protect your webmail transmissions. The others don’t even offer any pretense of security after you’ve logged in. None.
So if you’ve got your PayPal account linked to your Gmail account, you’d better get moving before somebody else snatches up your webmail account, uses it to reset the passwords on everything that sends its recovery mail there, and ruins your credit rating.
Added 2008.09.12: If you’re using AOL, Yahoo or Hotmail (which only momentarily protect your login with HTTPS), then the rest of your session, your account identifier and your information are still vulnerable to hoovering and interception. So get thee a Gmail account, or better yet, get the real thing: VaultletSuite 2 Go.
[...] government. By making secure transmission the default, non-tech-savvy users no longer have to go through this to protect their [...]