I apologize up-front if this question has been addressed in the past, but I noticed something interesting with Gmail this morning. It seems that when you log into Gmail, the default connection for user validation is via SSL; however, once your Inbox is loaded, the connection is relegated to ordinary http://. If you change the URL prefix to https://, it seems to reconnect to your Inbox via SSL and then retain the SSL connection for the remainder of the session. This behavior is the same regardless of whether you are using Firefox or IE.
Given that I frequently connect to my Gmail account via public wireless access points, this is very concerning to me. I looked in the Gmail settings and there does not seem to be an option to force SSL as the default for every session. Therefore my questions to the group are:
1) Am I an idiot and have missed something very obvious here?
2) Is there some other secure messaging solution being used by Gmail over http://, or should I assume that anyone can sniff my e-mail information while I am connected?
3) How can I force Gmail to maintain an SSL connection every session?
well.. I checked it out.. and..
if you go to gmail via https://gmail.google.com (won't work if you go via https://www.gmail.com ) it will stay https:// even when you are logged in.. however.. checking my connections shows I am connected to gmail via port 80 anyway..
as they're some sort of frames in it..
so don't guess that even entering https after you logged in won't help you..
I NEVER use public places to check my mail and stuff like that.. wouldn't recommend it either.. only do it if you don't have a choice!
Serhat - Thanks for the info. It seems that when you use gmail.google.com, Google uses https for authentication and http for everything else, I assume to save resources. https://gmail.google.com retains the secure session as you describe. I guess my surprise was that Google didn't maintain a secure session once logged in regardless of whether you entered the site via http or https. Yes, I may be a bit naive in assuming that this would be done by default.
linux_dude - Thanks for your comments as well; however, I think you missed my point. I use my gmail account for both personal mail as well as for file storage, as do many others I know in the business. I'm surprised that you had such a narrow view of what data actually exists in the typical Gmail account. Though I don't keep very sensitive files in the account, on principle I did not want any "skiddies" having a free peek.
Thanks again Serhat, I appreciate your feedback and insight.
I can tell you what I am worried about: the fact that you view gmail as simply an email system. I believe that it has become pretty apparent that gmail is being used as a storage system as well. Perhaps instead of taking such a combative stance you should take a minute to understand the reasoning behind someone's question.
Okay, I don't know why YOU'RE that hostile but maybe it's time to loosen the tinfoil hat and reread what the thread starter is worried about.
Someone getting a warrant 10 years from now to search through all his spam for pr0n and \/i@gra pills isn't what he's worried about, instead it's someone grabbing live wifi traffic about what email he's sending/receiving. :D
Like I said, Gmail probably doesn't support PGP, so why not set up a VPN to your home computer if you're that worried? Then ANY traffic over open Wifi points is secure.
Another thing: whole sessions aren't in SSL because SSL requires more CPU overhead, so authentication credentials are done in SSL and then it's cleartext for the rest. Same goes for a lot of other webmail providers and a lot of other protected areas, such as some cheesy banks :-).
BTW: Unless you physically control the server, why do you assume ANY email service you have ever used deleted ANYTHING of yours?
I also found that when you try to log in to gmail it uses ssl, but right after it authenticates you it changes to a non-ssl environment. You can fix this by aborting loading the non-encrypted page and changing http to https; it will load your email box with ssl (not sure if that stops the server from sending the unencrypted front page). You can also use the link that I discovered below and not even worry about that.
I found this link by doing the above method, then copying the address url once I was in my mailbox, signing out, then entering that copied address. It would then forward me to the address above that solves your issue.
I tried this
Once logged in I closed all the windows (but didn't sign off) and later came back and opened the last URL I got from GMAIL.
Guess what ... I didn't have to sign-on.
So I look over my cookies and yep, there is a cookie from gmail.
Ok, then gmail, due to its Beta release, is not 100% secure, so be aware of this and imagine possibilities to hack :ph34r: .
Will try to test against public computers (not servers) and look if I can borrow someone's gmail account.
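Two observations in this thread, Serhat's point that the inbox frames still come in over port 80 after an https login, and the cookie that kept the session alive across a closed browser, are the same underlying risk: a session cookie that travels over plaintext HTTP. The script below is an added example written for this thread (not Gmail's code, and not from any poster) that audits a browser session log for exactly that. The session entries and the cookie names `SID` and `GX` are constructed for the example; only the shape of the check is what matters.

```python
"""Audit a captured webmail session for two weaknesses discussed in the
thread: content fetched over plain HTTP after an HTTPS login, and a
session cookie that is sent over HTTP or set without the Secure flag.

The session log below is constructed for this example; it is not real
Gmail traffic, and the cookie names are hypothetical."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    url: str
    cookies_sent: dict                                # cookie name -> value
    set_cookie: list = field(default_factory=list)    # raw Set-Cookie headers


# Hypothetical names of the cookies that identify a logged-in session.
SESSION_COOKIE_NAMES = {"SID", "GX"}

# Constructed session: login over HTTPS, then inbox frames over HTTP.
SESSION = [
    Request("https://gmail.google.com/accounts/ServiceLogin", {},
            ["SID=abc123; Domain=.google.com; Path=/"]),
    Request("https://gmail.google.com/gmail", {"SID": "abc123"}),
    Request("http://gmail.google.com/gmail?view=page", {"SID": "abc123"}),
    Request("http://gmail.google.com/gmail/images/logo.gif", {"SID": "abc123"}),
]


def is_plaintext(url):
    """True if the request goes over HTTP (scheme http or explicit port 80)."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return True
    return parts.port == 80


def cookie_flags(header):
    """Parse a Set-Cookie header into (cookie name, set of lowercase attribute names)."""
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in pieces[1:] if p}
    return name, attrs


def audit(session, session_cookie_names=SESSION_COOKIE_NAMES):
    """Return (finding, url, detail) tuples for every weak request in the session."""
    findings = []
    for req in session:
        if is_plaintext(req.url):
            leaked = sorted(c for c in req.cookies_sent if c in session_cookie_names)
            if leaked:
                # The login cookie itself crossed the wire unencrypted: anyone
                # sniffing the hotspot can replay it without the password.
                findings.append(("cookie_over_http", req.url, ",".join(leaked)))
            else:
                # Plaintext content without the cookie: readable, not replayable.
                findings.append(("plaintext_request", req.url, ""))
        for header in req.set_cookie:
            name, attrs = cookie_flags(header)
            if name in session_cookie_names and "secure" not in attrs:
                # Without Secure, the browser will send this cookie on http:// too.
                findings.append(("cookie_not_secure", req.url, name))
    return findings


if __name__ == "__main__":
    for kind, url, detail in audit(SESSION):
        print(f"{kind:18} {url} {detail}")
```

Running it on the constructed session flags the login response (the session cookie is set without `Secure`) and both inbox requests (the cookie was sent over http://). Changing the address bar to https:// after login, as suggested earlier in the thread, removes the `cookie_over_http` findings only if every frame and image is also fetched over https; the `cookie_not_secure` finding is the server's to fix.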
I have to say, I've always found all this completely pointless!
We're living in a world where people seem to assume that there are people out there who hang around wireless areas 24/7 (No sleep of course) with 6 or 7 boxes to hand and processing power everywhere, spending time and money trying to sniff out fragments of your e-mail.
Why?? Are you really so important that you have people with wiretaps following your every move, desperately trying to get any info about you they can, because you're just that special?
Well you're not.
Nobody is going to "hack" your e-mail, simply because nobody cares enough.
lol assuming you don't know him personally it's kinda weird assuming he is a nobody.
He could as well be an NSA worker or FBI or CIA, with a normal question, which in that case would make him important enough, depending on his status in such an organisation.
well if he were he wouldn't have to worry about gmail... i suppose the fbi has its own email system rofl... the desire for secrecy and security doesn't have to do with what you are trying to hide or not, it's just the feeling of being insecure and that's it. if you can harden your system why not do it?
People trying to learn things, maybe you shouldn't just stop at *what use is it gonna be to you*, or is it just a way to admit *i don't have a single clue but i want to say something just to look smart on the forums*?
I wouldn't like anyone prying into my email or accessing my computer, even if i don't have ANYTHING sensitive on it. (couple of private trojans source code and nude pics of my gf don't count).
Even so i still keep my 2 firewalls and my av system and my personal hookers around just to be on the safe side.
so you guys thinking someone should be important to want security... and if you're not important yourself, turn off your firewall, uninstall your avs, remove protection from your routers and give us your passwords...
I guess you have never spent that much time around a hotspot wondering what to do? They don't follow his every move; they could just be some bored person having some playtime. I know it's true because I have done it. It's because of arrogant people like you that the internet is so insecure.
The only encryption that Gmail offers once you're logged in is TLS. At least I think so... I'll get back to you. Oh, and could someone give me an invite to Gmail? Would love to have this wonderful mailbox.