Slashdot Mirror
A Good Reason To Go Full-Time SSL For Gmail
Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."
I can understand that back in the web's "stone age" (mid 1990s), having HTTPS for every web site would have seriously slowed down all the computers due to CPU usage, but nowadays is there any real good reason that the whole web can't be HTTPS?
With all the government and ISP snoopings going on, I'm surprised that at least some sites haven't gone that way.
(or is it that embedded browsers like on cell phones can't do SSL?)
TDz.
Karma: Excellent. 15 moderator points expire sometime.
Mike Perry did a great public service by making this tool and making it available.
WTF? No he didn't. Pointing out the vulnerability is a a public service, yes. Giving a talk where he outlines the problem? Also a public service. Distributing the means for anyone to make use of this vulnerability (ESPECIALLY when so many major vendors aren't prepared for it yet) is not a public service anymore. It's just arming script kiddies. Ralph Nader was able to do plenty of good without going around ramming into Chevy Corvairs to somehow "drive home" the need for a fix.