Slashdot Mirror


Point-and-Click Gmail Hacking Shown at Black Hat

not5150 writes "Using Gmail or most other webmail programs over an unsecured access point just got a bit more dangerous. At Black Hat Robert Graham, CEO of errata security, showed how to capture and clone session cookies very quickly over connections without encryption. He even hijacked a shocked attendee's Gmail account in the middle of his presentation. 'While Ou was typing, Graham was running Ferret and sniffing all the cookies that were being sent from Ou's laptop and Google. Graham then clicked on Ou's IP address and Gmail page, complete with Ou's recently sent message on the screen. We photographed both Graham's and Ou's laptop at that time and posted it to the picture gallery. You'll see that the contents are exactly the same.'"

10 of 260 comments

  1. Re:Slow News day? by Cancel-Or-Allow · · Score: 2, Interesting

    The funny thing is, Gmail offers the ability to sign in securely, but not an option to keep it SSL throughout the entire session. It works when you manually change the http to https in the URL after signing in, but there is still a brief moment of unsecured traffic during this process.

  2. Re:Correct me if I'm wrong but by TheRaven64 · · Score: 2, Interesting

    Even if he's not NAT'd, if he's on the same WLAN then he's on the same broadcast segment as the real owner of the IP, so he can just send packets claiming to be from the legitimate user and run his interface in promiscuous mode to grab the replies.

    --
    I am TheRaven on Soylent News
  3. Re:Slow News day? by zippthorne · · Score: 4, Interesting

    That's odd. I go to https://mail.google.com/ and at no time during the login process do I ever see the address bar go from yellow to white. Are you sure it still works the way you say? Or is it sending something unencrypted so fast that I'm just not noticing (which would be kind of worrying).

    --
    Can you be Even More Awesome?!
  4. Re:Could be fixed easily by Google. Shame. by mtmra70 · · Score: 1, Interesting

    A quick check of some main email websites and none of them are secure after you log in. Shame on them also?

  5. Re:Could be fixed easily by Google. Shame. by fbjon · · Score: 2, Interesting

    They shouldn't tell anyone, just transparently redirect to the secure URL. Sane defaults, and all that jazz. Or at least semi-transparently, with a "redirecting..." page that has a link to both encrypted and unencrypted login URLs, in case some network blocks https.

    --
    True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
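The two fixes raised in comments 1 and 5 (keep the session cookie off plaintext HTTP, and transparently redirect http:// to https://), shown as an added example; this is not code from the thread or from Gmail, and the cookie names, token and URLs are constructed.

```python
"""Added example: why a cookie set at an HTTPS login still leaks on the next
plain-HTTP request, and what marking it Secure plus an https redirect changes."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into its name, value and the two flags."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {"name": name, "value": morsel.value,
            "secure": bool(morsel["secure"]), "httponly": bool(morsel["httponly"])}


def cookie_sent_on(cookie: dict, scheme: str) -> bool:
    """A browser attaches a cookie to an http:// request unless it is Secure."""
    return scheme == "https" or not cookie["secure"]


def audit(set_cookie_headers, request_scheme: str):
    """Names of cookies a browser would send in the clear for a request over
    request_scheme; an empty list means nothing a sniffer could replay."""
    cookies = map(parse_set_cookie, set_cookie_headers)
    return [c["name"] for c in cookies
            if request_scheme == "http" and cookie_sent_on(c, "http")]


def secure_session_cookie(name: str, value: str) -> str:
    """Set-Cookie header for a session token that never travels over plaintext."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"


def redirect_plaintext(url: str):
    """The transparent upgrade comment 5 suggests: a 301 to the https form of
    the same URL for any http request, or None when the request is already TLS."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None
    return 301, urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))


# Constructed sample headers (token and names are made up, not real Gmail cookies).
WEAK_HEADERS = ["SID=constructed-session-token; Path=/; HttpOnly", "PREF=en; Path=/"]
HARDENED_HEADERS = [secure_session_cookie("SID", "constructed-session-token"),
                    "PREF=en; Path=/"]

if __name__ == "__main__":
    print("weak, next http request leaks:", audit(WEAK_HEADERS, "http"))
    print("hardened, next http request leaks:", audit(HARDENED_HEADERS, "http"))
    print("http request redirected to:", redirect_plaintext("http://mail.example/inbox"))
```

The non-session PREF cookie still shows up in the hardened audit, which is the point: only cookies that carry the login need the Secure flag, and the redirect removes the window during which a browser would follow an http link at all.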
  6. Re:Slow News day? by tom17 · · Score: 4, Interesting

    Seemingly neither do the people in the comments section at the bottom of TFA :-(

    Worrying.

  7. Re:Could be fixed easily by Google. Shame. by BewireNomali · · Score: 2, Interesting

    Correct me if I'm wrong, but don't most who complain about Microsoft OSes point to prior defaults to administrator privileges as a major security concern? If so, by that same reasoning, shouldn't web services default to more secure configurations as opposed to less?

    --
    A burrito tricked me.
  8. Re:Slow News day? by kdemetter · · Score: 2, Interesting

    It is possible, however. It basically works by faking the certificate.
    Cain does it that way. The user does get a notification that the certificate is untrusted, but most people will just allow it anyway (otherwise they can't use the webpage).

  9. Re:Slow News day? by Burz · · Score: 2, Interesting

    This takes way more work, and there will be a popup that says "This certificate has not been signed by a trusted authority, someone might be trying to sniff you out". No one with a tiny bit of computer security knowledge would fall for this, but a clueless user who clicks "Allow" on everything probably would.

    And I try to educate everyone I know about handling certificate warnings. They are all worried about Internet insecurity, and I tell them their connection (assuming they have a clean system) WILL be very secure if the browser displays the lock symbol and they have not chosen to bypass a certificate warning.

    This, along with making people more aware of address domains in pages and emails, is what everyone frequenting these techie/nerd sites should be explaining to everyone around them. Tell them that whatever confidence they got from "doing things" on the Internet by clicking on pretty pictures is probably false and they may need to learn crucial (if simple) rules before they get in trouble.

    The Internet now is like the common roadway in the 1920s: No one has taken drivers' ed, and even basic computer literacy courses don't teach about SSL!

    Trojans are another huge problem, and should scarcely exist. However our modern GUI interfaces have been designed to pictographically confuse data with code, as documents and the programs that use them usually have the same/similar icons. BeOS was an exception where all code was shown with a '!' prefix. I think Ubuntu has been trying out a similar scheme. No script or binary should EVER be allowed to look like a jpeg or other data file.
  10. Re:Could be fixed easily by Google. Shame. by AeroIllini · · Score: 3, Interesting

    The user must take responsibility for their own security. Yet we turn around and lambaste Microsoft for allowing users to run as Administrator by default, having no-password logins, not locking down the registry, and allowing 3rd party developers to still require admin privileges just to run a userspace application.

    The point is, security is more than just "what's available." It also has to be about how good the defaults are. The technical community cried foul when Microsoft included a firewall in Windows XP but didn't have it turned on by default, and we complained so much that in SP2 Microsoft finally changed the default.

    I agree that security is ultimately the responsibility of the user, but they should not have to seek out secure settings and turn them all on one by one. The default mode for any network-enabled program should be Secure. If the user needs Insecure, then they should have to change a setting to make it so. Spam should be opt-in, security should be opt-out. Anything else is unfair to the user.

    --
    For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.