Beware of GMail not enforcing an SSL connection…

I’ve just been reading this: TG Daily – Point and click Gmail hacking at Black Hat (thanks for passing that on Al)

Basically, if you aren’t logging into GMail using SSL then someone can grab your cookie and replay it. Well, that is pretty obvious if you are familiar with how all that kind of thing works, and of course I only log into GMail using SSL; in fact, Google enforces this. Oh… actually, now that I look, it doesn’t enforce it at all…

If you enter the URL mail.google.com it automatically redirects you to https://mail.google.com and all is well. But if you log in, close your browser, re-open it and enter the same address again, it takes you straight to http://mail.google.com, presumably sending the session cookie unencrypted along the way.

Exposing your e-mail is not good, especially when you consider the alarming number of sites that still send password reminders in plain text, all of which are sitting in your mail archive alongside the order confirmations that include your full credit card number.

GMail works perfectly well if you add the all-important little ‘s’ to any of its URLs, so why don’t they just enforce it and save us the bother?
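The exposure described above comes down to one question: will the browser attach the session cookie to a plaintext request before any redirect to HTTPS happens? That is decided by the cookie's Secure, Domain and Path attributes, not by where the user eventually ends up. The following is an added example (not code from the original post or from Google): it parses Set-Cookie headers and reports which cookies a browser would send on a given URL, so that a defender can spot a session cookie lacking the Secure flag. The hostnames (`mail.example.com`), cookie names and header values are constructed samples, not real GMail cookies.

```python
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers as a mail site might return them.
# "SID" and "PREF" lack the Secure flag; "GX" is correctly scoped to https only.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",
    "GX=def456; Domain=mail.example.com; Path=/mail; Secure; HttpOnly",
    "PREF=en; Domain=.example.com; Path=/",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, attributes).

    Attribute names are lowercased; valueless attributes such as
    Secure and HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def cookie_sent_over(cookie, url):
    """Would a browser attach this cookie to a request for `url`?

    Applies the Secure flag (https only), the Domain attribute
    (host equals the domain or is a subdomain of it) and a simplified
    Path prefix match in the spirit of RFC 6265.
    """
    _name, _value, attrs = cookie
    u = urlsplit(url)
    host = (u.hostname or "").lower()

    # A Secure cookie is never sent on a plaintext request.
    if attrs.get("secure") and u.scheme != "https":
        return False

    # Domain scoping: a missing Domain means host-only.
    domain = attrs.get("domain")
    domain = (domain if isinstance(domain, str) else host).lstrip(".").lower()
    if not (host == domain or host.endswith("." + domain)):
        return False

    # Path scoping: exact match or a directory prefix of the request path.
    path = attrs.get("path")
    path = path if isinstance(path, str) else "/"
    req_path = u.path or "/"
    return req_path == path or req_path.startswith(path.rstrip("/") + "/")


def cookies_sent_to(headers, url):
    """Return the names of cookies that a browser would transmit to `url`."""
    sent = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie_sent_over(cookie, url):
            sent.append(cookie[0])
    return sent


def missing_secure(headers):
    """Return the names of cookies that are not marked Secure."""
    return [parse_set_cookie(h)[0] for h in headers
            if not parse_set_cookie(h)[2].get("secure")]


if __name__ == "__main__":
    # The first request typed as plain http:// goes out before any redirect,
    # so every non-Secure cookie in scope travels unencrypted.
    print("Sent over http: ", cookies_sent_to(SAMPLE_HEADERS, "http://mail.example.com/mail/"))
    print("Sent over https:", cookies_sent_to(SAMPLE_HEADERS, "https://mail.example.com/mail/"))
    print("Lacking Secure: ", missing_secure(SAMPLE_HEADERS))
```

Run against the sample headers, the plaintext request to `http://mail.example.com/mail/` carries `SID` and `PREF` while `GX` stays home, which is exactly the property the Secure flag buys: even if the user types the http:// address and is redirected to https afterwards, the session token was never on the wire in the clear. A check like `missing_secure` is cheap to run against any site's login response.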


4 Responses to “Beware of GMail not enforcing an SSL connection…”


  1. Gå ner i vikt May 28, 2011 at 10:06 pm

    Has this happened to anyone?

  2. jorge-yamam.com June 11, 2013 at 12:22 pm

    I’ve been surfing online for more than 2 hours today, yet I never found any interesting article like yours. It’s pretty worth enough for me.
    In my opinion, if all website owners and bloggers made good
    content as you did, the internet would be much more useful than ever before.

  3. public safety alerts July 18, 2013 at 5:06 am

    Way cool! Some extremely valid points! I
    appreciate you penning this article and also the
    rest of the site is extremely good.


  1. free automotive repair Trackback on October 20, 2014 at 2:15 am
