A Good Reason To Go Full-Time SSL For Gmail

Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."

Just for Google?

[Toe,+The]

Is there any reason to not use SSL every time one sends a password?

Unfortunately, the general public still seems entirely uneducated about SSL, figuring that passwords must be secure because they appear as bullets on the screen, right?

Re:Just for Google?

[Zironic]

They don't lie, they assume that if a site is self-signed it has been hijacked which is very resonable, if my bank suddenly changed to self-signed I'd want a proper warning.

Re:Just for Google?

[HungryHobo]

God, I've had some insane conversations with retarded people.

*me**: You know doing what you're doing is terribly terribly insecure, someone might get into your email account!
*Him*: .... ah well, it's not like there's anything important in there. I mean what are they gonna do, email someone in my name?
*me**: ....You have a paypal account right?
*Him*: Ya...
*me**: And it's linked to your email account right?
*Him*: Ya...
*me**: And if you forget your paypal password you can have them send you an email to change it right?
*Him*: Ya....
*me**: And your credit card is linked to your paypal account isn't it?
*Him*: Hmmm...
*me**: So someone with access to your mail account could get hold of your paypal and run up some insane charges buying horse porn.
*Him*: Oh....

It's depressing how people will set up accounts with things like paypal, link them to their email and then dismiss anything about security since "sure my email isn't that important"

A few notes...

[nweaver]

Mike Perry did a great public service by making this tool and making it available.

This attack also works against yahoo mail, hotmail, etc. Just Yahoo, hotmail, etc don't even OFFER SSL, so well, if you use them, your FSCKed.

And Google has known about this problem for a LONG time. EG, see my blog post from last february!.

Google waited for a year before even giving users the OPTION to be protected when SSL is used, and notice that it was only after they found out about Mike Perry's talk that the option was even added.

Also, as I argue, they got it wrong. The checkbox is good, but most users don't know about it. But if a user MANUALLY enters https://mail.google.com/ I argue that google should INFER that the user wants to be SSL-only, at least until they explicitly log out.

Re:A few notes...

[derrickh]

So he's going to release a tool that lets people break into Gmail accounts. And unless you read slashdot, you'd have no idea to go into preferences and flip a switch.

How is this a public service? For the 99% of the world who dont read SD every day, they're pretty much screwed.

It's good I'm a nerd and will now flip the magic switch on my gmail account...but it seems like a big f-u to everyone else.

D

Re:A few notes...

[Timothy+Brownawell]

Maybe the two weeks notice is a hint to google that it might be a good idea to fix the default setting or make all connections encrypted?

Ow ow ow.

[zippthorne]

all intensive purposes

Is this the road we're going down? Pseudo-homophones of idiomatic phrases?

Yeah, yeah, grammar pedantry is bad. Nevertheless, this stuff hurts to read.