Slashdot Mirror


A Good Reason To Go Full-Time SSL For Gmail

Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."

5 of 530 comments

  1. Re:Just for Google? by clone53421 · Score: 3, Interesting

    Not quite ALL intents and purposes. If I want to change my password, I still need to know my current password. Although somebody who steals my SID can read my mail they can't change my password and lock me out.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  2. Why can't the whole web be HTTPS? by thomasdz · Score: 5, Interesting

    I can understand that back in the web's "stone age" (mid 1990s), having HTTPS for every web site would have seriously slowed down all the computers due to CPU usage, but nowadays is there any real good reason that the whole web can't be HTTPS?
    With all the government and ISP snoopings going on, I'm surprised that at least some sites haven't gone that way.
    (or is it that embedded browsers like on cell phones can't do SSL?)

    TDz.

    --
    Karma: Excellent. 15 moderator points expire sometime.
  3. Cache relevancy depletion by DuSTman31 · Score: 3, Interesting

    One thing that I find somewhat counterproductive is that browsers do not save files sent over SSL in their caches.

    It's sensible, I suppose, to assume that if something's sent over an SSL channel that it's sensitive and therefore shouldn't be saved, but it would give a speed and bandwidth efficiency hit which would deter usage of SSL for everyday browsing.

    You could, of course, have the HTML transmitted over SSL and the supporting images over plain HTTP, but then the browser will scare people by warning that not all content on the page is secure.

    I think browsers should start looking at encrypting their cache files, so that stuff such as SSL can be accommodated without breaking caching.

  4. Re:A few notes... by Dolohov · Score: 4, Interesting

    Mike Perry did a great public service by making this tool and making it available.

    WTF? No he didn't. Pointing out the vulnerability is a public service, yes. Giving a talk where he outlines the problem? Also a public service. Distributing the means for anyone to make use of this vulnerability (ESPECIALLY when so many major vendors aren't prepared for it yet) is not a public service anymore. It's just arming script kiddies. Ralph Nader was able to do plenty of good without going around ramming into Chevy Corvairs to somehow "drive home" the need for a fix.

  5. Re:Just for Google? by rah1420 · Score: 3, Interesting

    So why the fuck haven't I had mod points? This might be one of the most interesting things I've read on /. in a long time. If ever.

    Yeah, so sue me. I don't get out much.

    --
    Against stupidity the gods themselves contend in vain.