I apologize up-front if this question has been addressed in the past, but I noticed something interesting with Gmail this morning. It seems that when you log into Gmail, the default connection for user validation is via SSL, however, once your Inbox is loaded, the connection is relegated to ordinary http://. If you change the URL prefix to https://, it seems to reconnect to your Inbox via SSL and then retain the SSL connection for the remainder of the session. This behavior is the same regardless if you are using Firefox or IE.
Given that I frequently connect to my Gmail account via public wireless access points, this is very concerning to me. I looked in the Gmail settings and there does not seem to be an option to force SSL as the default for every session. Therefore my questions to the group are:
1) Am I an idiot and have missed something very obvious here?
2) Is there some other secure messaging solution being used by Gmail over http:// or should I assume that anyone sniff my e-Mail information while connected?
3) How can I force Gmail to maintain an SSL connection every session?
Thanks for any insight you are willing to share.
Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts
Secure Gmail?
Started by
Guest_harden_*
, Jul 05 2005 05:08 AM
14 replies to this topic
#2
Serhat
-
- Members
-
- 803 posts
Second Lieutenant
Posted 05 July 2005 - 06:22 AM
well.. I checked it out.. and..
if you go to gmail via https://gmail.google.com (won't work if you go via https://www.gmail.com ) it will stay https:// even when you are logged in.. however.. checking my connections shows I am connected to gmail via port 80 anyway..
as they're some sort of frames in it..
so don't guess that even entering https after you logged in won't help you..
I NEVER use public places to check my mail and stuff like that.. wouldn't recommend it either.. only do it if you don't have a choice!
Serhat
if you go to gmail via https://gmail.google.com (won't work if you go via https://www.gmail.com ) it will stay https:// even when you are logged in.. however.. checking my connections shows I am connected to gmail via port 80 anyway..
as they're some sort of frames in it..
so don't guess that even entering https after you logged in won't help you..
I NEVER use public places to check my mail and stuff like that.. wouldn't recommend it either.. only do it if you don't have a choice!
Serhat
#3
linux_dude
-
- Members
-
- 343 posts
Staff Sergeant
Posted 05 July 2005 - 07:10 PM
What are you worried about exactly?
Even if Gmail was HTTPS from you to the server, what do you think happens after Gmail has to send your email somewhere?
It's bounced endlessly and openly around the internet till it gets to whereever it has to go.
I don't know if Gmail supports PGP, but what could you be doing that's so secretive that you're worried about this?
Even if Gmail was HTTPS from you to the server, what do you think happens after Gmail has to send your email somewhere?
It's bounced endlessly and openly around the internet till it gets to whereever it has to go.
I don't know if Gmail supports PGP, but what could you be doing that's so secretive that you're worried about this?
#4 Guest_harden_*
Guest_harden_*
-
- Guests
Posted 06 July 2005 - 08:21 AM
Serhat - Thanks for the info, it seems when you use gmail.google.com Google uses https for authentication and http for everything else, I assume to save resources. https://gmail.google.com retains the secure session as you describe. I guess my surprise was in that Google didn't maintain a secure session once logged in regardless if you entered the site via http or https. Yes, I may be a bit naive in assuming that this would be done by default.
linux_dude - Thanks for your comments as well, however, I think you missed my point. I use my gmail account for both personal mail as well as for file storage as do many others I know in the business. I'm surprised that you had such a narrow view of what data actually exists in the typical Gmail account. Though I don't keep very sensitive files in the account, on principle I did not want any "skiddies" having a free peak.
Thanks again Serhat, I appreciate your feedback and insight.
linux_dude - Thanks for your comments as well, however, I think you missed my point. I use my gmail account for both personal mail as well as for file storage as do many others I know in the business. I'm surprised that you had such a narrow view of what data actually exists in the typical Gmail account. Though I don't keep very sensitive files in the account, on principle I did not want any "skiddies" having a free peak.
Thanks again Serhat, I appreciate your feedback and insight.
#5
Blake
-
- Retired Admin
-
- 7,334 posts
Former Commander In Chief
Posted 06 July 2005 - 08:47 AM
What are you worried about exactly?
Even if Gmail was HTTPS from you to the server, what do you think happens after Gmail has to send your email somewhere?
It's bounced endlessly and openly around the internet till it gets to whereever it has to go.
I don't know if Gmail supports PGP, but what could you be doing that's so secretive that you're worried about this?
I can tell you what I am worried about, The fact that you view gmail as simply an email system. I believe that it has become pretty aparent that gmail is being used as a storage system as well. Perhaps instead of taking such a combative stance you should take a minute to understand the reasoning behind someone's question.
Subscribe To Our RSS Feed For the Latest News from GovernmentSecurity.orgWould you like to earn money posting on GSO?
#6
linux_dude
-
- Members
-
- 343 posts
Staff Sergeant
Posted 06 July 2005 - 12:21 PM
Okay, I don't know why YOU'RE that hostile but maybe it's time to loosen the tinfoil hat and reread what the thread starter is worried about.
Someone getting a warrant 10 years from now to search through all his spam for pr0n and \/i@gra pills isn't what he's worried about, instead it's someone grabbing live wifi traffic about what email he's sending/receiving.
Like I said, Gmail probably doesn't support PGP so why not setup a VPN to your home computer if you're that worried, then ANY traffic over open Wifi points is secure.
Another thing, whole sessions aren't in SSL because SSL requires more CPU overhead, so authentication credentials are done in SSL and then it's cleartext for the rest. Same goes for alot of other webmail providers and alot of other protected areas, such as some chessy banks :-).
BTW: Unless you physically control the server, why do you assume ANY email service you have ever used deleted ANYTHING of yours?
Someone getting a warrant 10 years from now to search through all his spam for pr0n and \/i@gra pills isn't what he's worried about, instead it's someone grabbing live wifi traffic about what email he's sending/receiving.
Like I said, Gmail probably doesn't support PGP so why not setup a VPN to your home computer if you're that worried, then ANY traffic over open Wifi points is secure.
Another thing, whole sessions aren't in SSL because SSL requires more CPU overhead, so authentication credentials are done in SSL and then it's cleartext for the rest. Same goes for alot of other webmail providers and alot of other protected areas, such as some chessy banks :-).
BTW: Unless you physically control the server, why do you assume ANY email service you have ever used deleted ANYTHING of yours?
#7
withdraw
-
- Members
-
- 72 posts
Private First Class
Posted 06 July 2005 - 02:38 PM
I also found that when you try to login to gmail it uses ssl but right after it authenticates you it changes to a non ssl environment. You can fix this by aborting loading the non encrypted page and change http to https it will load ur email box with ssl (not sure if that stops the server from sending the unencrypted front page). You can also use the link that i discovered below and not even worry about that.
I found this link by doing the above method then, copying the address url once I was in my mailbox, signing out, then entering that copied address. It would then forward me to the address above that solves your issue
https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%3Fui%3Dhtml%26zy%3Dl&hl=en
I found this link by doing the above method then, copying the address url once I was in my mailbox, signing out, then entering that copied address. It would then forward me to the address above that solves your issue
#8
hack_una_matata
-
- Members
-
- 1 posts
Private
Posted 05 August 2005 - 07:33 AM
I tried this
Once logging I close all the windows (but didn't Sign off) and later came back and opened the last URL I got from GMAIL.
Guess what ... I didn't have to sign-on.
So I look over my cookies and yep, there is a cookie from gmail.
Ok, then gmail due to his Beta release is not 100% secure, so be aware of this and imagine possibilities to hack
.
Will try to test against public computers (not servers) and look if I can borrow someone's gmail account.
Peace
-----
Once logging I close all the windows (but didn't Sign off) and later came back and opened the last URL I got from GMAIL.
Guess what ... I didn't have to sign-on.
So I look over my cookies and yep, there is a cookie from gmail.
Ok, then gmail due to his Beta release is not 100% secure, so be aware of this and imagine possibilities to hack
.Will try to test against public computers (not servers) and look if I can borrow someone's gmail account.
Peace
-----
#9
ANELKAOS
-
- Members
-
- 9 posts
Private
Posted 16 November 2005 - 10:39 AM
I can try to imagine...Ok, then gmail due to his Beta release is not 100% secure, so be aware of this and imagine possibilities to hack
#10
Ground Zero
-
- Members
-
- 38 posts
Private First Class
Posted 17 November 2005 - 06:04 AM
I have to say, I've always found all this compeletly pointless!
We're living in a world were people seem to assume that there are people out there who hang around wireless areas 24/7 (No sleep of course) with 6 or 7 boxes to hand and processing power everywhere, spending time and money trying to sniff out fragments of your e-mail.
Why?? Are your really so important that you have people with wiretaps following your every move, desparatly trying to get any info about you they can, because your just that special.
Well you're not.
Nobody is going to "hack" your e-mail, simply because nobody cares enough.
We're living in a world were people seem to assume that there are people out there who hang around wireless areas 24/7 (No sleep of course) with 6 or 7 boxes to hand and processing power everywhere, spending time and money trying to sniff out fragments of your e-mail.
Why?? Are your really so important that you have people with wiretaps following your every move, desparatly trying to get any info about you they can, because your just that special.
Well you're not.
Nobody is going to "hack" your e-mail, simply because nobody cares enough.
#11 Guest_DiabloPatch_*
Guest_DiabloPatch_*
-
- Guests
Posted 27 November 2005 - 11:17 AM
lol assuming you don't know him personaly it's kinda weird asuming he is a nobody.
He could as well be a nsa worker or fbi or cia, with a normal question which in that case would make him important enough, depending on his status in such a organisation.
He could as well be a nsa worker or fbi or cia, with a normal question which in that case would make him important enough, depending on his status in such a organisation.
#12
mas0
-
- Members
-
- 20 posts
Private First Class
Posted 28 November 2005 - 10:42 PM
well if he were he wouldnt have to wory abt gmail... i spose fbi has its own email system rofl... the desire for secrecy and security doesnt have to do with what you are trying to hide or not, its just the feeling of being insecure and thats it. if you can harden your system why not do it?
People trying to learn things maybe you shouldnt just stop to *what use is it gonna be to you* or is it just a way to admit *i dont have a single clue but i want to say something just to look smart on the fofos*
I wouldnt like anyone prying into my email or accessing my computer. even if i dont have ANYTHING sensitive on it. (couple of private trojans source code and nude pics of my gf dont count).
Even so i still keep my 2 firewalls and my av system and my personal hookers around just to be on the safe side.
so you guys thinking someone shud be important to want security... and if your not important urself turn off your firewall, uninstall your avs. remove protection from ur routers and give us ur passwords...
People trying to learn things maybe you shouldnt just stop to *what use is it gonna be to you* or is it just a way to admit *i dont have a single clue but i want to say something just to look smart on the fofos*
I wouldnt like anyone prying into my email or accessing my computer. even if i dont have ANYTHING sensitive on it. (couple of private trojans source code and nude pics of my gf dont count).
Even so i still keep my 2 firewalls and my av system and my personal hookers around just to be on the safe side.
so you guys thinking someone shud be important to want security... and if your not important urself turn off your firewall, uninstall your avs. remove protection from ur routers and give us ur passwords...
#13
Dante
-
- Members
-
- 2 posts
Private
Posted 07 February 2006 - 04:09 AM
I have to say, I've always found all this compeletly pointless!
We're living in a world were people seem to assume that there are people out there who hang around wireless areas 24/7 (No sleep of course) with 6 or 7 boxes to hand and processing power everywhere, spending time and money trying to sniff out fragments of your e-mail.
Why?? Are your really so important that you have people with wiretaps following your every move, desparatly trying to get any info about you they can, because your just that special.
Well you're not.
Nobody is going to "hack" your e-mail, simply because nobody cares enough.
I guess you have never spent that much time around a hotspot wondering what to do? They dont follow his every move, they could just be some bored person having some playtime. I know its true because I have done it. Its because of arrogant people like you that the internet is so insecure.
#14
sbt
-
- Members
-
- 9 posts
Private
Posted 04 March 2006 - 04:34 PM
let me add something to gmail security
recently 14years old kid found a bug in gmail
this bug allowes to exec JS
heres the whole story + screenshot
http://ph3rny.blogsp...y-in-gmail.html
recently 14years old kid found a bug in gmail
this bug allowes to exec JS
heres the whole story + screenshot
http://ph3rny.blogsp...y-in-gmail.html
#15
Geminias
-
- Members
-
- 65 posts
Private First Class
Posted 17 March 2006 - 12:28 AM
The only encryption that Gmail offers once your logged in is TLS. At least I think so... I'll get back to you. Oh, and could someone give me an invite to Gmail? Would love to have this wonderful mailbox.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
