A Good Reason To Go Full-Time SSL For Gmail

← Back to Stories (view on slashdot.org)

A Good Reason To Go Full-Time SSL For Gmail

Posted by timothy on Tuesday August 19, 2008 @03:26AM from the oh-that-hurts dept.

Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."

93 of 530 comments (clear)

Good thing Slashdot is safe... by Anonymous Coward · 2008-08-19 03:27 · Score: 5, Funny

Or else someone could hijack my accBILL GATS SI TEH DEVLI!!!!!!!!!
1. Re:Good thing Slashdot is safe... by Naughty+Bob · 2008-08-19 05:00 · Score: 5, Funny
  
  Good thing Slashdot is safe...
  
  Or else someone could hijack my accBILL GATS SI TEH DEVLI!!!!!!!!!
  Yep, looks like slashdot is unaffected for the moment.
  
  --
  "Be light, stinging, insolent and melancholy"
Just for Google? by Toe,+The · 2008-08-19 03:28 · Score: 5, Insightful

Is there any reason to not use SSL every time one sends a password?
Unfortunately, the general public still seems entirely uneducated about SSL, figuring that passwords must be secure because they appear as bullets on the screen, right?
1. Re:Just for Google? by SCHecklerX · 2008-08-19 03:30 · Score: 4, Informative
  
  Like when you read slashdot?
2. Re:Just for Google? by HungryHobo · 2008-08-19 03:32 · Score: 4, Informative
  
  The password is sent over SSL, the problem is that it will happily send your cookie over HTTP which is for all intensive purposes just as good as a password.
3. Re:Just for Google? by Spad · 2008-08-19 03:32 · Score: 5, Informative
  
  Gmail always uses SSL for logins.
  Previously if you wanted to maintain SSL for the whole session you had to login via https://mail.google.com/ otherwise it dropped back to http after login. Now you can set it to always use SSL regardless of the URL you visit it from.
4. Re:Just for Google? by Timothy+Brownawell · 2008-08-19 03:35 · Score: 4, Informative
  
  Is there any reason to not use SSL every time one sends a password?
  Firefox 3, and I think other newer browsers, lie to people by strongly implying that HTTPS with self-signed certificates is far more dangerous than bare unencrypted HTTP.
5. Re:Just for Google? by caramelcarrot · 2008-08-19 03:41 · Score: 5, Informative
  
  After me, say it slowly: intents and purposes That way it actually makes sense.
6. Re:Just for Google? by clone53421 · 2008-08-19 03:44 · Score: 3, Interesting
  
  Not quite ALL intents and purposes. If I want to change my password, I still need to know my current password. Although somebody who steals my SID can read my mail they can't change my password and lock me out.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
7. Re:Just for Google? by Loki_1929 · 2008-08-19 03:53 · Score: 2, Interesting
  
  There's a sizable portion of the general public that doesn't want to be bothered having to remember any passwords for anything. They simply want to click a button and have it work.
  You'd have better luck explaining the security implications of such a system to a chimp.
  
  --
  -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
8. Re:Just for Google? by Kozar_The_Malignant · 2008-08-19 04:03 · Score: 5, Funny
  
  It's not "in tents with porpoises?" I thought it was about cetacean hentai.
  
  --
  Some mornings it's hardly worth chewing through the restraints to get out of bed.
9. Re:Just for Google? by Zironic · 2008-08-19 04:07 · Score: 5, Insightful
  
  They don't lie, they assume that if a site is self-signed it has been hijacked which is very resonable, if my bank suddenly changed to self-signed I'd want a proper warning.
10. Re:Just for Google? by Hordeking · 2008-08-19 04:11 · Score: 4, Funny
  
  I know this is being pedantic, but you are missing a period after the quote or you should have moved it outside the quotes. The urge is too strong since you seem to be so happy harping on missing periods...
  My girlfriend has been missing her period. Should I be worried?
  
  --
  Disclaimer: The opinions and actions of the US Gov't are in no way representative of those held by this author or its ci
11. Re:Just for Google? by HungryHobo · 2008-08-19 04:15 · Score: 5, Insightful
  
  God, I've had some insane conversations with retarded people.
  *me**: You know doing what you're doing is terribly terribly insecure, someone might get into your email account!
  *Him*: .... ah well, it's not like there's anything important in there. I mean what are they gonna do, email someone in my name?
  *me**: ....You have a paypal account right?
  *Him*: Ya...
  *me**: And it's linked to your email account right?
  *Him*: Ya...
  *me**: And if you forget your paypal password you can have them send you an email to change it right?
  *Him*: Ya....
  *me**: And your credit card is linked to your paypal account isn't it?
  *Him*: Hmmm...
  *me**: So someone with access to your mail account could get hold of your paypal and run up some insane charges buying horse porn.
  *Him*: Oh....
  It's depressing how people will set up accounts with things like paypal, link them to their email and then dismiss anything about security since "sure my email isn't that important"
12. Re:Just for Google? by caramelcarrot · 2008-08-19 04:19 · Score: 2, Informative
  
  That was slashcode fucking up my formatting. It was more obvious when I had line breaks. In addition, I'm aware that making corrections to people's posts causes everyone to immediately jump on your small errors, but actually writing "itensive purposes" is just irritating.
13. Re:Just for Google? by cromar · 2008-08-19 04:19 · Score: 3, Informative
  
  Apparently this is not true everywhere (e.g. Great Britain).
14. Re:Just for Google? by Anonymous Coward · 2008-08-19 04:24 · Score: 5, Funny
  
  My girlfriend has been missing her period. Should I be worried?
  It depends; will the father be financially supporting the baby, or will you be stuck paying the bills?
15. Re:Just for Google? by Culture20 · 2008-08-19 04:43 · Score: 4, Funny
  
  I'll tell you what it's not for, then you'll understand why I can never go back to Seaworld.
16. Re:Just for Google? by profplump · 2008-08-19 04:56 · Score: 3, Informative
  
  Self-signed raise the level of complexity from "passive snooping at any point along the data path" to "active interception of traffic, either directly or via a secondary exploit".
  Saying that self-signed certificates are worthless is like saying that a fence at a prison is worthless unless it's electric -- sure, the electric fence is better, and it provides additional security, but the plain old fence is a good place to start, and I don't think a lot of wardens would call it "worthless" just because it can be climbed.
  That's not to say that users shouldn't be warned about the lower level of security, but it's a little disingenuous to pretend that a MitM attack is significantly more likely that say, someone getting a perfectly legitimate, CA-signed certificate for a typo-squatting site.
  My big beef here is that unencrypted traffic produces no such warnings. If I didn't bother to provide a certificate for my website we'd be talking in the clear, and your browser wouldn't even mention it to you (other than maybe that one-time warning about sending data). Meanwhile if I offer a certificate from an authority you don't trust your browser will act as if I'm trying to steal from you rather than protect you. Email clients are just as bad -- regular email has no integrity guarantees, but S/MIME-signed messages are flagged as bad if the CA is untrusted, in spite of the relatively good security compared to messages with no signature.
  The long and the short of it is security is more complicated than an on/off indication, and users will eventually have to deal with that if they want to be secure. I'm not suggesting grandma needs to know how SSL works, but if we replaced with lock with a multi-level system to indicate "plaintext", "signed", "signed and authenticated", "encrypted", "encrypted, signed, and authenticated" -- still a pretty small number of states, all of which could be described in a short hover tooltip -- users could make more informed decisions about the security in place and whether or not is is sufficient for the task at hand.
17. Re:Just for Google? by digitig · 2008-08-19 05:00 · Score: 2, Informative
  
  Correct. The British rule is essentially that unless the quote is a whole sentence the punctuation goes outside the quote marks. But the GP was correct to call foul on the GGP for an attempted pedantic correction that wasn't necessarily true.
  
  --
  Quidnam Latine loqui modo coepi?
18. Re:Just for Google? by Hatta · 2008-08-19 05:09 · Score: 2, Informative
  
  Why is it that everyone piles on this guy for saying "intensive purposes", yet when someone corrects the incorrect usage of "begs the question" English is all of a sudden a descriptive language with meanings that evolve?
  
  --
  Give me Classic Slashdot or give me death!
19. Re:Just for Google? by Belial6 · 2008-08-19 05:20 · Score: 3, Insightful
  
  You forgot to add: *you: So your going to stop doing the insecure thing right? *Him: Nah, it's not like there's anything important in there. I mean what are they gonna do, email someone in my name? It's the same with my pet peeve, 'check cards'.
20. Re:Just for Google? by A440Hz · 2008-08-19 05:42 · Score: 5, Informative
  
  Actually, it is historical, normal usage to put the period (or comma) inside the quotes, even if the period wasn't in the original quotation. This was originally done for typesetting reasons: putting a period outside the quotes caused type blocks to break. The period inside the quote was better mechanically--less breakage.
21. Re:Just for Google? by Anonymous Coward · 2008-08-19 05:52 · Score: 3, Insightful
  
  Obg link to bash.org
  http://www.bash.org/?244321
  Explains user-unsecurity.
  Bash.org has been down for a couple weeks now.
22. Re:Just for Google? by corbettw · 2008-08-19 06:18 · Score: 2, Funny
  
  I think you're begging the question a bit there.
  
  --
  God invented whiskey so the Irish would not rule the world.
23. Re:Just for Google? by Sloppy · 2008-08-19 06:21 · Score: 2, Insightful
  
  try to explain that to your average user.
  They want either "it's secure" or "it's not secure"
  So you encrypt and tell them "it's not secure," just like you do when you don't encrypt and tell them it's not secure. What's so bad about that?
  If the user demands a black-or-white answer, then tell them the worst-case scenario: black. But be consistent about it. Behind the scenes, despite the user's wish that things are black or white, the reality is that there are degrees of security, and encrypted-but-not-authenticated is more secure than not-encrypted-and-not-authenticated. Even if you argue that point and say it's just as bad, you can't make a case that it's less secure. It just isn't.
  It's ok for the UI to simplify reality by not acknowledging the degrees, but it shouldn't contradict reality, either. Showing a scary-looking popup for the more secure situation while not showing the scary popup for the less secure situation, is misleading.
  
  --
  As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
24. Re:Just for Google? by corbettw · 2008-08-19 06:24 · Score: 2, Interesting
  
  But if a site is not signed at all, then it must be safe, huh?
  An unencrypted site is less dangerous than a self-signed one because the former isn't advertising that it's safe; the latter is. It's presenting the appearance of security, with the reality of none. You're much better off thinking you're insecure, and acting appropriately, than assuming you're secure, and not realizing you've just given your bank account information to a phisher.
  
  --
  God invented whiskey so the Irish would not rule the world.
25. Re:Just for Google? by Pope · 2008-08-19 06:34 · Score: 2, Funny
  
  "Fuck The What" ?
  
  --
  It doesn't mean much now, it's built for the future.
26. Re:Just for Google? by edmicman · 2008-08-19 06:36 · Score: 2, Funny
  
  Watch it! That's a slippery slope your going down!
27. Re:Just for Google? by rah1420 · 2008-08-19 07:30 · Score: 3, Interesting
  
  So why the fuck haven't I had mod points? This might be one of the most interesting things I've read on /. in a long time. If ever.
  Yeah, so sue me. I don't get out much.
  
  --
  Mit der Dummheit kämpfen Götter selbst vergebens.
28. Re:Just for Google? by colourmyeyes · 2008-08-19 07:42 · Score: 5, Funny
  
  I read Slashdot because it's a place where a comment about the British rule for placement of punctuation relative to quotation marks is modded "informative."
  
  ...in a discussion about using SSL for for an email service.
  
  --
  My grandmother used anecdotal evidence all the time, and she lived to be 120 years old.
29. Re:Just for Google? by dkf · 2008-08-19 09:19 · Score: 3, Informative
  
  You are mixing up security and identity.
  Not really. Had you said that he was mixing up encryption and identity, I'd have agreed, but for secure communication with some other party you need to both secure the channel (encryption) and verify that the other party is who you want to talk to (identity). Without that identity verification step, you're very vulnerable to man-in-the-middle attacks.
  There are many ways to handle the identity problem (e.g. by using a shared secret key) but SSL is elegant in that it uses public key cryptography to set up a secret session key and ensure that the other party is who you think they are. That all works great and is straight-forward if you know each other's public keys, but that really doesn't scale. Think about it: how do you find out my public key and ensure that it really is my public key? You've probably not got the time or resources to meet me in person.
  There are two solutions to this, both of which rely on adding cryptographic signatures to public keys to allow you to determine whether someone you trust knows the key is right. PGP and GPG use a "web of trust" scheme, and SSL uses "certificate authorities". When done properly, CAs are an excellent solution since they can require really strong proof of identities before signing anything, and there are CAs about who do this sort of thing for real. (HTTPS uses an additional check over basic SSL in that it requires the server to have its DNS name signed into the public certificate, which stops additional types of spoofing peculiar to some types of web interactions.) Web browsers are seeded with the public certificates of CAs believed (through analysis of their published policies) to be well-run.
  The problem is that not all CAs are scrupulous. OK, a black-hat operated CA will always be bad, but some others are looking more and more grey due to their pursuit of the almighty buck at all costs. In effect, they're breaking their own policies and hoping that nobody will notice. The only solution for this is to revoke the trust of those CAs who do this, either by getting their master CA to revoke the signature (why do you think CRLs/OCSP is important?) or by removing a particular trust root from browsers. That last option is very much the "nuclear option" since it will harm a lot of perfectly innocent bystanders, but I reckon that unless and until someone is publicly crucified like that, the siren call of the extra cash will win more often than it should.
  (Yes, I know I've simplified things a lot. This message is long enough!)
  
  --
  "Little does he know, but there is no 'I' in 'Idiot'!"
30. Re:Just for Google? by curunir · 2008-08-19 11:33 · Score: 2, Insightful
  
  The true problem is that, in true techie style, the concepts covered by HTTPS aren't properly separated and this results in confusion for people that don't understand what's going on technically. For better or for worse, HTTPS is a leaky abstraction.
  HTTPS solves two distinct problems and yet it's depicted as a single problem. Because the need for an encrypted transport layer is obvious, people forget that the other purpose of HTTPS is to verify the identity of the server you're communicating with. It can even be used for the server to identify the client that's making the request, but that feature is seldom used. But it's still two distinct (though related) problems being solved, the encrypted transport layer and the identity verification mechanism.
  I'm not sure if there's a better way to convey the difference between these two concepts to non-technical users, but it would be good to try since there's value in utilizing one of the two without using both. Besides the obvious applications of unverified and encrypted connections, verified but unencrypted connections could also be useful for situations where encryption isn't needed but it's important to know that the information you're seeing is coming from a trusted source (i.e. stock listings or other public information that you really need to know is genuine).
  
  --
  "Don't blame me, I voted for Kodos!"
31. Re:Just for Google? by kklein · 2008-08-19 14:10 · Score: 2, Interesting
  
  Easy. The lexicogrammar of "begs the question" makes far more sense in its common usage as being synonymous with "raises the question." Some situation seems to be begging for someone to ask a particular question. The original meaning of this idiomatic expression, having to do with circular logic, does not as clearly follow from the individual meanings of those words. Also, to be honest, I have never, ever heard a usage of the original meaning. Ever.
  I am an applied linguist by training and trade, and you know what? I have heard this "incorrectly" used at conferences. Face it. The meaning has changed. No one even knows what the original was.
  "Intensive purposes" is different because it makes no sense. When we say "for all intents and purposes," we are making a large, sweeping, general claim. This is the opposite of what is implied by "intensive purposes," which would denote some sort of specific, focused usage of whatever it is we're talking about.
  Also, someone who uses "intensive purposes" needs their hearing checked. There is no /v/ in there. When someone uses "intensive purposes," it implies that they not only don't listen closely but that they also don't even think about what they are saying. It implies a sort of illiteracy. It does not reflect well on someone's education, because educated people do not talk like that.
  Educated people do, however, use "begs the question" "incorrectly." So it gets a pass.
  Language is one of the clearest tribal identifiers. Standard usage identifies to others that you are the same tribe and affords you the benefits thereof. We can yammer on about elitism, but that's just plain how it works. In every society. Learning to use language in a standard way tells others who have done the same that you are brethren and, like them, have spent the time and effort "correcting" your behavior.
  None of this is really about "correct" usage, it's about "standard" and "accepted" usage. "Begs the question" passes; "intensive purposes" doesn't. The former is an interesting evolution of the usage of an idiomatic phrase; the latter, indication that someone is kinda a moron.
32. Re:Just for Google? by mgiuca · 2008-08-19 14:40 · Score: 2, Funny
  
  YOU'RE
33. Re:Just for Google? by complete+loony · 2008-08-19 16:22 · Score: 2, Interesting
  
  Sure you could encrypt traffic between client and server, but if you can't verify the identity of the server during key exchange, you can't prevent a man-in-the-middle attack which makes the encryption useless.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
3 clicks by pebcak · 2008-08-19 03:31 · Score: 5, Informative

Once you're signed into Gmail: Settings -> Always use https -> Save changes
1. Re:3 clicks by Loether · 2008-08-19 03:53 · Score: 2, Informative
  
  I'm admin for a few domains that use gmail apps. None of mine have that option yet. It may be a rolling update.?
  
  --
  TODO create witty sig.
2. Re:3 clicks by pz · 2008-08-19 04:20 · Score: 2, Informative
  
  Once you're signed into Gmail:
  Settings -> Always use https -> Save changes
  And then you need to reload the page otherwise you're still on http. At least that's what my browser showed.
  
  --
  
  Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
3. Re:3 clicks by blindd0t · 2008-08-19 04:31 · Score: 3, Informative
  
  Thanks for that tip, I hadn't noticed that at the bottom of the settings area before. If, for some reason, you're not sure you'll always have SSL available to you (i.e. you connect from airports or hotels often, which occasionally only allow HTTP/80 outbound), you can use Firefox with the Better GMail plugin and choose to require SSL there.
Google Announcement by ShadowRangerRIT · 2008-08-19 03:32 · Score: 4, Informative

For info on the new setting and how to enable it, see the Gmail blog post.

--
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
A few notes... by nweaver · 2008-08-19 03:32 · Score: 5, Insightful

Mike Perry did a great public service by making this tool and making it available.
This attack also works against yahoo mail, hotmail, etc. Just Yahoo, hotmail, etc don't even OFFER SSL, so well, if you use them, your FSCKed.
And Google has known about this problem for a LONG time. EG, see my blog post from last february!.
Google waited for a year before even giving users the OPTION to be protected when SSL is used, and notice that it was only after they found out about Mike Perry's talk that the option was even added.
Also, as I argue, they got it wrong. The checkbox is good, but most users don't know about it. But if a user MANUALLY enters https://mail.google.com/ I argue that google should INFER that the user wants to be SSL-only, at least until they explicitly log out.

--
Test your net with Netalyzr
1. Re:A few notes... by derrickh · 2008-08-19 04:02 · Score: 5, Insightful
  
  So he's going to release a tool that lets people break into Gmail accounts. And unless you read slashdot, you'd have no idea to go into preferences and flip a switch.
  How is this a public service? For the 99% of the world who dont read SD every day, they're pretty much screwed.
  It's good I'm a nerd and will now flip the magic switch on my gmail account...but it seems like a big f-u to everyone else.
  D
  
  --
  The first, last, and only tech news site on the net
2. Re:A few notes... by Timothy+Brownawell · 2008-08-19 04:23 · Score: 4, Insightful
  
  Maybe the two weeks notice is a hint to google that it might be a good idea to fix the default setting or make all connections encrypted?
3. Re:A few notes... by Dolohov · 2008-08-19 05:03 · Score: 4, Interesting
  
  Mike Perry did a great public service by making this tool and making it available.
  WTF? No he didn't. Pointing out the vulnerability is a a public service, yes. Giving a talk where he outlines the problem? Also a public service. Distributing the means for anyone to make use of this vulnerability (ESPECIALLY when so many major vendors aren't prepared for it yet) is not a public service anymore. It's just arming script kiddies. Ralph Nader was able to do plenty of good without going around ramming into Chevy Corvairs to somehow "drive home" the need for a fix.
Ow ow ow. by zippthorne · 2008-08-19 03:41 · Score: 4, Insightful

all intensive purposes
Is this the road we're going down? Pseudo-homophones of idiomatic phrases?
Yeah, yeah, grammar pedantry is bad. Nevertheless, this stuff hurts to read.

--
Can you be Even More Awesome?!
1. Re:Ow ow ow. by dat+cwazy+wabbit · 2008-08-19 03:50 · Score: 5, Funny
  
  I could of died when I saw that.
2. Re:Ow ow ow. by cetan · 2008-08-19 03:53 · Score: 4, Funny
  
  Most people "could care less."
  Which hurts on many levels...
  
  --
  In Soviet Russia...michael would be rotting in Siberia!
3. Re:Ow ow ow. by Hoi+Polloi · 2008-08-19 03:54 · Score: 5, Funny
  
  Its a waist of time to corect peoples gramar and speling. Your simply not going to brake there bad habits irregardless of how you feal.
  
  --
  It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
4. Re:Ow ow ow. by Lostlander · 2008-08-19 04:01 · Score: 5, Funny
  
  It burns us! Nasty tricksy, little hobbitses.
5. Re:Ow ow ow. by JustOK · 2008-08-19 04:24 · Score: 3, Funny
  
  depends on the version of the neural compiler, and customizations etc
  
  --
  rewriting history since 2109
6. Re:Ow ow ow. by barzok · 2008-08-19 04:25 · Score: 5, Funny
  
  I could care less.
7. Re:Ow ow ow. by geobeck · 2008-08-19 04:54 · Score: 2, Insightful
  
  There should still be some part of a person's brain that stops and says, "That doesn't make any sense..." when the write something like that.
  After listening to (and reading) managerese for so long, that part of the brain shuts down in self defense. If it didn't, managers and marketing people would wonder why tech employees were always running out of meetings screaming.
  
  --
  Find environmentally and socially responsible products on http://buy-right.net
8. Re:Ow ow ow. by jonaskoelker · 2008-08-19 04:59 · Score: 3, Funny
  
  waist of time
  Mmm... ourglass...
9. Re:Ow ow ow. by jonaskoelker · 2008-08-19 05:07 · Score: 4, Funny
  
  I could careless
10. Re:Ow ow ow. by clone53421 · 2008-08-19 05:12 · Score: 3, Funny
  
  People who use "could" instead of "could not" do so out of ignorance or laziness
  ...but NEVER sarcasm.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
11. Re:Ow ow ow. by MrTheBunny · 2008-08-19 06:24 · Score: 2, Funny
  
  I'm dyslexic you intensive clod!
Re:Reverse or reverse? by Intron · 2008-08-19 03:48 · Score: 4, Funny

What is a "reverse engineer?"
A very specialized transmission engineer in Detroit.

--
Intron: the portion of DNA which expresses nothing useful.
But it was NOT secure... by nweaver · 2008-08-19 03:48 · Score: 2, Informative

Until Google added the option, it never actually set the GX cookie as secure, so you could do an active-hijack of any OTHER connection they make so that it does a redirect to http://mail.google.com/ and spits out the cookie in the clear for the attacker to capture.

--
Test your net with Netalyzr
1. Re:But it was NOT secure... by howdoesth · 2008-08-19 04:08 · Score: 5, Funny
  
  Everyone knows hotmail is evil and yahoo is irrelevant.
UNLESS YOU CHECK, you are insecure! by nweaver · 2008-08-19 03:52 · Score: 5, Informative

Unless you SET THE PREFERENCE, you are insecure, even if you MANUALLY type in https://mail.google.com/ always.
Because unless you SET THE PREFERENCE, google does NOT set the session cookie to be SECURE.
This is what Mike Perry's tool does: it takes any of your OTHER connections, redirects it to http://mail.google.com/ so your browser spits out the session cookie anyway, and then can redirect you back (so you don't know what happened).
Google's SSL mode for gmail, UNLESS YOU SET THE PREFERENCE, offers you NO protection against an active adversary. And since someone snooping your traffic at starbucks can just as easily inject packets, IT OFFERS NO PROTECTION EVEN IF YOU MANUALLY TYPE IN HTTPS ALL THE TIME, UNLESS YOU SET THE PREFERENCE!!!!

--
Test your net with Netalyzr
1. Re:UNLESS YOU CHECK, you are insecure! by Anonymous Coward · 2008-08-19 04:01 · Score: 5, Funny
  
  Thank you for WARNING US but DO YOU THINK you really need to SHOUT that much in your SENTENCES?
  I mean, it's not like WE DON'T APPRECIATE your tips, but IT CAN GET A BIT ANNOYING when people keep SHOUTING every other WORDS.
2. Re:UNLESS YOU CHECK, you are insecure! by waztub · 2008-08-19 04:09 · Score: 2, Funny
  
  Wait, I don't think you were clear about one point in particular. Should I or should I not set the preference...?
3. Re:UNLESS YOU CHECK, you are insecure! by Anonymous Coward · 2008-08-19 05:07 · Score: 5, Funny
  
  YES IT STILL WORDS! Unless you SET THE PREFERENCE, you DIE!
  Mike Perry will COME IN TO YOUR HOME and MURDER you, UNLESS YOU SET THE PREFERENCE!
  Even CHUCK NORRIS will get haxx0r3d UNLESS YOU SET THE PREFERENCE.
  ALL YOUR PREFERENCE ARE BELONG TO US.
4. Re:UNLESS YOU CHECK, you are insecure! by clone53421 · 2008-08-19 05:18 · Score: 4, Funny
  
  javascript:void(document.body.style.textTransform="lowercase");
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Gmail Notifier by triplej3000 · 2008-08-19 03:55 · Score: 5, Informative

Selecting 'Always use https' breaks Gmail Notifier. Luckily Google has released a patch for this. Here is a link: http://mail.google.com/support/bin/answer.py?hl=en&answer=9429
Re:Reverse or reverse? by Loki_1929 · 2008-08-19 04:00 · Score: 4, Funny

It's someone who manufactures a problem using only working solutions.
You might also know them as: "politicians".

--
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
Why can't the whole web be HTTPS? by thomasdz · 2008-08-19 04:02 · Score: 5, Interesting

I can understand that back in the web's "stone age" (mid 1990s), having HTTPS for every web site would have seriously slowed down all the computers due to CPU usage, but nowadays is there any real good reason that the whole web can't be HTTPS?
With all the government and ISP snoopings going on, I'm surprised that at least some sites haven't gone that way.
(or is it that embedded browsers like on cell phones can't do SSL?)
TDz.

--
Karma: Excellent. 15 moderator points expire sometime.
1. Re:Why can't the whole web be HTTPS? by Quietust · 2008-08-19 04:23 · Score: 5, Informative
  
  One of the main problems is that HTTPS is fundamentally incompatible with virtual hosts - you connect, do the SSL handshake (and get the server's certificate), verify that the common name on the SSL cert matches the hostname you typed in (to make sure the site is who you think it is, otherwise display big warning messages) and that it is trusted (i.e. complain if it's self-signed), and then you send your HTTP request. The only way it could work would be if an SSL certificate could match multiple hostnames (which I don't believe is the case, though I could be wrong).
  
  Interestingly, net-wide HTTPS would probably make IPv6 a bit more important (since a great deal of web hosting services put dozens of sites on the same machine and same IP address, charging significantly more if you want SSL due to the requirement of having a unique IP address).
  
  --
  * Q
  P.S. If you don't get this note, let me know and I'll write you another.
2. Re:Why can't the whole web be HTTPS? by Timothy+Brownawell · 2008-08-19 04:27 · Score: 3, Informative
  
  Because CA-signed ssl certs cost $$ for often no measurable (as in $$) benefit, HTTPS doesn't work with name-based virtual hosting, and new browsers treat self-signed SSL as evil incarnate.
3. Re:Why can't the whole web be HTTPS? by Atriqus · 2008-08-19 04:47 · Score: 2, Interesting
  
  I found a firefox add-on that makes the browser behave a bit more rationally called perspectives: http://www.cs.cmu.edu/~perspectives/
  
  --
  Hey, look! It's Bono's brother.
4. Re:Why can't the whole web be HTTPS? by salahx · 2008-08-19 05:04 · Score: 5, Informative
  
  This used to be true, but not anymore. Now there's Server Name Indication - RFC3546, that would allow this. However, OpenSSL (and by extension, mod_ssl) does not support it. GNUTLS does, however (and there's a corresponding mod_gnutls for Apache.
5. Re:Why can't the whole web be HTTPS? by psydeshow · 2008-08-19 06:33 · Score: 2, Informative
  
  An SSL Certificate can match multiple hostnames in SSLv3 and TLS, which are both old enough to be in use everywhere.
  There are two methods, depending on what you want (and your level of paranoia): wildcards (match *.example.com) and "Subject Alternative Names" which can match any from a list of domain names.
  The subject alt name is incredibly useful, as the certificate for a physical host can enumerate alternative names for each of its virtual hosts, even if they aren't subdomains of the host's domain.
Author's site by Captain+Segfault · 2008-08-19 04:09 · Score: 5, Informative

Mike Perry's site might (or might not) be a better source than some random blog post that doesn't even link to it.
Uhm? It's Google Mail! by Casandro · 2008-08-19 04:10 · Score: 2, Insightful

I mean it's Google Mail, Google stores your e-mails till all ethernity and will surely hand it out to any dictator waving something which looks like an official document.
It doesn't matter much how secure the login is as the service itself is designed to be a gapping security hole.
don't freak out, requires packet sniffing by YesIAmAScript · 2008-08-19 04:13 · Score: 4, Informative

Yes, this is a vulnerability. But it isn't like every person out there on the internet is going to be able to steal your session cookies in two weeks when the tool is released.
In order to execute this attack, a person would have to be able to sniff your packets and steal the cookies. And since the vast majority of people on the internet have no ability to intercept your traffic, this means in practice, the average person is pretty safe without having to worry about all this.

--
http://lkml.org/lkml/2005/8/20/95
1. Re:don't freak out, requires packet sniffing by blueg3 · 2008-08-19 04:43 · Score: 5, Informative
  
  This is true, except for every wireless access point the attacker can access -- like the ones where people sit in a coffee shop and check their e-mail.
Why does he need to release the tool? by origamy · 2008-08-19 04:20 · Score: 2, Interesting

I don't understand why does someone need to prove a security vulnerability by releasing the tool?
By releasing this tool he will make it available for anyone with bad intentions to implement it. Weeks later we will have issues all over the place because we did not teach our grandparents to enable the checkbox in gmail; or the vulnerability is exploited in other webmail clients. By then, the botnets will be hijacking Gmail accounts to send Spam to everybody
So, really, who benefits of the release of this tool?
1. Re:Why does he need to release the tool? by blueg3 · 2008-08-19 04:23 · Score: 2, Interesting
  
  Google, etc., were notified of this vulnerability a year ago and have not acted on it. Someone with bad intentions could implement it easily using the description of the vulnerability anyway -- a publicly-available working tool will highlight the importance of fixing this problem.
Re:READING helps by Archangel+Michael · 2008-08-19 04:22 · Score: 2, Funny

I reed slashdot, witch is why I spell gooder than any won els.

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I got hacked for sure, plus: Gmail Notifier, Mac? by CaptSaltyJack · 2008-08-19 04:25 · Score: 2, Informative

Now that I've read this tidbit, I'm sure this is how my Gmail account was compromised.
Last week, I noticed some logins from a Blackberry IP, accessing my Gmail via POP3, which I never use. Someone had apparently gone into my account, turned on POP, then set up their phone accordingly. Now, I have to say, my password is completely unguessable (think along the lines of something like %sprTres3005!). Furthermore, my password is not written down anywhere, and has never been used anywhere except Gmail and a couple banking web sites I use. NEVER used on forums, or bullshit misc. online services. Yet, somehow, someone got into my account. I'm convinced this aforementioned tool was how they did it.
I wonder if the Google Notifier for Mac OS doesn't use secure channels, and that's how they got me. The Google Reader Notifier actually does have an option "Always use https" which is good. I don't see that option in the Gmail Notifier, though.
Cache relevancy depletion by DuSTman31 · 2008-08-19 04:25 · Score: 3, Interesting

One thing that I find somewhat counterproductive is that browsers do not save files sent over SSL in their caches.
It's sensible, I suppose, to assume that if something's sent over an SSL channel that it's sensitive and therefore shouldn't be saved, but it would give a speed and bandwidth efficiency hit which would deter usage of SSL for everyday browsing.
You could, of course, have the HTML transmitted over SSL and the supporting images over plain HTTP, but then the browser will scare people by warning that not all content on the page is secure..
I think browsers should start looking at encrypting their cache files, so that stuff such as SSL can be accommodated without breaking caching.
Re: Better, yet, zero clicks! by value_added · 2008-08-19 04:27 · Score: 2, Informative

mutt -f imaps://imap.gmail.com
This is not "use SSL" by blueg3 · 2008-08-19 04:37 · Score: 5, Informative

The summary (and many, many replies) have it all wrong. The point is not that you need to be encrypting all of your traffic to Gmail (for example) with SSL.
The need for SSL-encrypting your session was known with sidejacking. If you use SSL for credential exchange but not for the whole session, your session cookie is transmitted in the clear, and an attacker can sniff it and use your session (as the cookie acts temporarily as a credential). Encrypting the whole session with SSL prevents this. This is well-known at this point.
The subject of this talk was not sidejacking. If the site (Gmail) does not set the secure bit on the session cookie, then your session cookie can be transmitted in the clear, even if all of your intentional communication with Gmail is over SSL! An attacker need only inject a link to the appropriate domain (e.g., mail.google.com) in some other page you request, and the cookie will be sent with that request over HTTP. Only by marking the cookie as secure will the browser refuse to send it over HTTP.
I was at DEFCON - the author is confused by remitaylor · 2008-08-19 04:46 · Score: 5, Informative

The author of this post seems to be really, really confused. There were multiple presentations on ways to hack your Google accounts and Google security flaws, etc.
There was a presentation on howto exploit Google Gadgets (which have access to your local javascript), a few presentations on Cross-Site Request Forgery (CSRF)(which you can do to send your own HTTP requests as the visitor if you have your own image or iframe on the page), and a presentation on hijacking your sessions if you ever access a site over plain-text (non-SSL), and putting the password page on SSL doesn't help (this requires the attacker to be on your local network!!!!!!!).
The title of the post sounds like they're talking about The Middler, a Ruby-based proxy by Jay Beale for intercepting all user data on a shared network, such as a coffee shop, where you can get users to go through your proxy.
If the author is talking about The Middler ... that attacker has to be on your network!!! This is only an issue on untrusted networks.
Jay Beale's talk was the one the mentioned SSL the most, so I'm gonna guess that the author is talking about that, even tho the article seems to mix everything up.
To see the descriptions of the actual talks and whatnot, visit the DEFCON schedule: https://www.defcon.org/html/defcon-16/dc-16-schedule.html
How to turn it ON ALWAYS by chfriley · 2008-08-19 04:46 · Score: 3, Informative

Look under "Settings" --> "General" then at the very bottom it says "Always use https". (It doesn't mention SSL so searching the page for SSL turns up nothing).
1. Re:How to turn it ON ALWAYS by clone53421 · 2008-08-19 05:37 · Score: 2, Informative
  
  From what I've read, a MITM attack could still inject a packet asking for "http://gmail.google.com" and the server would send back the unencrypted cookie. This setting would tell the server that the cookie isn't to be transmitted over an unencrypted connection.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Gmail but not hosted mail by legirons · 2008-08-19 05:43 · Score: 2, Interesting

"Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication."
Unfortunately not available for anyone who has their own domain's email hosted at google :(
Too expensive by Wee · 2008-08-19 05:45 · Score: 2, Insightful

Using SSL for everything is too expensive in terms of computing resources. Gmail gets a staggering amount of traffic as it is, I don't know that they could handle all of it being run through the SSL hardware. I'm just happy the setting is there at all.
-B

--
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Redundant? Yes - Normans and Saxons by onkelonkel · 2008-08-19 06:25 · Score: 5, Informative

Intents and Purposes. Sounds redundant and in fact it is. After the Norman Conquest of Britain, it became customary to use both the Norman (French derived) and Saxon words in certain phrases so everyone would understand. It lingers on to this day especially in legal terms. Cease and Desist. Will and Testament. Intents and Purposes.

--
None of them can see the clouds; The polished wings don't care.
1. Re:Redundant? Yes - Normans and Saxons by Red+Flayer · 2008-08-19 09:30 · Score: 5, Informative
  
  Sure, it's a nautical term, it means a ship can sail into the wind (by) and on a right angle to the wind (large).
  
  The phrase has come to mean that the statement it refers to applies generally (i.e., in a multitude of conditions).
  
  --
  "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
Amateur lexicographer? by MisterSquid · 2008-08-19 10:04 · Score: 3, Informative

"Cease" and "desist" do not mean the same thing. Neither do "will" and "testament," nor do "intents" and "purposes." Use a dictionary to verify.
To start you off: "cease" means "to stop" while "desist" means "to refrain from doing."

--
blog
1. Re:Amateur lexicographer? by ArsonSmith · 2008-08-19 11:17 · Score: 2, Informative
  
  stop means "to stop" while stop means "to refrain from doing."
  
  --
  Paying taxes to buy civilization is like paying a hooker to buy love.