A Good Reason To Go Full-Time SSL For Gmail

Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."

Good thing Slashdot is safe...

Or else someone could hijack my accBILL GATS SI TEH DEVLI!!!!!!!!!

Re:Good thing Slashdot is safe...

[Naughty+Bob]

Good thing Slashdot is safe...

Or else someone could hijack my accBILL GATS SI TEH DEVLI!!!!!!!!!

Yep, looks like slashdot is unaffected for the moment.

Just for Google?

[Toe,+The]

Is there any reason to not use SSL every time one sends a password?

Unfortunately, the general public still seems entirely uneducated about SSL, figuring that passwords must be secure because they appear as bullets on the screen, right?

Re:Just for Google?

[Spad]

Gmail always uses SSL for logins.

Previously if you wanted to maintain SSL for the whole session you had to login via https://mail.google.com/ otherwise it dropped back to http after login. Now you can set it to always use SSL regardless of the URL you visit it from.

Re:Just for Google?

[caramelcarrot]

After me, say it slowly: intents and purposes That way it actually makes sense.

Re:Just for Google?

[Kozar_The_Malignant]

It's not "in tents with porpoises?" I thought it was about cetacean hentai.

Re:Just for Google?

[Zironic]

They don't lie, they assume that if a site is self-signed it has been hijacked which is very resonable, if my bank suddenly changed to self-signed I'd want a proper warning.

Re:Just for Google?

[HungryHobo]

God, I've had some insane conversations with retarded people.

*me**: You know doing what you're doing is terribly terribly insecure, someone might get into your email account!
*Him*: .... ah well, it's not like there's anything important in there. I mean what are they gonna do, email someone in my name?
*me**: ....You have a paypal account right?
*Him*: Ya...
*me**: And it's linked to your email account right?
*Him*: Ya...
*me**: And if you forget your paypal password you can have them send you an email to change it right?
*Him*: Ya....
*me**: And your credit card is linked to your paypal account isn't it?
*Him*: Hmmm...
*me**: So someone with access to your mail account could get hold of your paypal and run up some insane charges buying horse porn.
*Him*: Oh....

It's depressing how people will set up accounts with things like paypal, link them to their email and then dismiss anything about security since "sure my email isn't that important"

Re:Just for Google?

My girlfriend has been missing her period. Should I be worried?

It depends; will the father be financially supporting the baby, or will you be stuck paying the bills?

Re:Just for Google?

[A440Hz]

Actually, it is historical, normal usage to put the period (or comma) inside the quotes, even if the period wasn't in the original quotation. This was originally done for typesetting reasons: putting a period outside the quotes caused type blocks to break. The period inside the quote was better mechanically--less breakage.

Re:Just for Google?

[colourmyeyes]

I read Slashdot because it's a place where a comment about the British rule for placement of punctuation relative to quotation marks is modded "informative."

...in a discussion about using SSL for for an email service.

3 clicks

[pebcak]

Once you're signed into Gmail: Settings -> Always use https -> Save changes

A few notes...

[nweaver]

Mike Perry did a great public service by making this tool and making it available.

This attack also works against yahoo mail, hotmail, etc. Just Yahoo, hotmail, etc don't even OFFER SSL, so well, if you use them, your FSCKed.

And Google has known about this problem for a LONG time. EG, see my blog post from last february!.

Google waited for a year before even giving users the OPTION to be protected when SSL is used, and notice that it was only after they found out about Mike Perry's talk that the option was even added.

Also, as I argue, they got it wrong. The checkbox is good, but most users don't know about it. But if a user MANUALLY enters https://mail.google.com/ I argue that google should INFER that the user wants to be SSL-only, at least until they explicitly log out.

Re:A few notes...

[derrickh]

So he's going to release a tool that lets people break into Gmail accounts. And unless you read slashdot, you'd have no idea to go into preferences and flip a switch.

How is this a public service? For the 99% of the world who dont read SD every day, they're pretty much screwed.

It's good I'm a nerd and will now flip the magic switch on my gmail account...but it seems like a big f-u to everyone else.

D

Re:Ow ow ow.

[dat+cwazy+wabbit]

I could of died when I saw that.

UNLESS YOU CHECK, you are insecure!

[nweaver]

Unless you SET THE PREFERENCE, you are insecure, even if you MANUALLY type in https://mail.google.com/ always.

Because unless you SET THE PREFERENCE, google does NOT set the session cookie to be SECURE.

This is what Mike Perry's tool does: it takes any of your OTHER connections, redirects it to http://mail.google.com/ so your browser spits out the session cookie anyway, and then can redirect you back (so you don't know what happened).

Google's SSL mode for gmail, UNLESS YOU SET THE PREFERENCE, offers you NO protection against an active adversary. And since someone snooping your traffic at starbucks can just as easily inject packets, IT OFFERS NO PROTECTION EVEN IF YOU MANUALLY TYPE IN HTTPS ALL THE TIME, UNLESS YOU SET THE PREFERENCE!!!!

Re:UNLESS YOU CHECK, you are insecure!

Thank you for WARNING US but DO YOU THINK you really need to SHOUT that much in your SENTENCES?

I mean, it's not like WE DON'T APPRECIATE your tips, but IT CAN GET A BIT ANNOYING when people keep SHOUTING every other WORDS.

Re:UNLESS YOU CHECK, you are insecure!

YES IT STILL WORDS! Unless you SET THE PREFERENCE, you DIE!

Mike Perry will COME IN TO YOUR HOME and MURDER you, UNLESS YOU SET THE PREFERENCE!

Even CHUCK NORRIS will get haxx0r3d UNLESS YOU SET THE PREFERENCE.

ALL YOUR PREFERENCE ARE BELONG TO US.

Re:Ow ow ow.

[Hoi+Polloi]

Its a waist of time to corect peoples gramar and speling. Your simply not going to brake there bad habits irregardless of how you feal.

Gmail Notifier

[triplej3000]

Selecting 'Always use https' breaks Gmail Notifier. Luckily Google has released a patch for this. Here is a link: http://mail.google.com/support/bin/answer.py?hl=en&answer=9429

Re:Ow ow ow.

[Lostlander]

It burns us! Nasty tricksy, little hobbitses.

Why can't the whole web be HTTPS?

[thomasdz]

I can understand that back in the web's "stone age" (mid 1990s), having HTTPS for every web site would have seriously slowed down all the computers due to CPU usage, but nowadays is there any real good reason that the whole web can't be HTTPS?
With all the government and ISP snoopings going on, I'm surprised that at least some sites haven't gone that way.
(or is it that embedded browsers like on cell phones can't do SSL?)

TDz.

Re:Why can't the whole web be HTTPS?

[Quietust]

One of the main problems is that HTTPS is fundamentally incompatible with virtual hosts - you connect, do the SSL handshake (and get the server's certificate), verify that the common name on the SSL cert matches the hostname you typed in (to make sure the site is who you think it is, otherwise display big warning messages) and that it is trusted (i.e. complain if it's self-signed), and then you send your HTTP request. The only way it could work would be if an SSL certificate could match multiple hostnames (which I don't believe is the case, though I could be wrong).

Interestingly, net-wide HTTPS would probably make IPv6 a bit more important (since a great deal of web hosting services put dozens of sites on the same machine and same IP address, charging significantly more if you want SSL due to the requirement of having a unique IP address).

Re:Why can't the whole web be HTTPS?

[salahx]

This used to be true, but not anymore. Now there's Server Name Indication - RFC3546, that would allow this. However, OpenSSL (and by extension, mod_ssl) does not support it. GNUTLS does, however (and there's a corresponding mod_gnutls for Apache.

Re:But it was NOT secure...

[howdoesth]

Everyone knows hotmail is evil and yahoo is irrelevant.

Author's site

[Captain+Segfault]

Mike Perry's site might (or might not) be a better source than some random blog post that doesn't even link to it.

Re:Ow ow ow.

[barzok]

I could care less.

This is not "use SSL"

[blueg3]

The summary (and many, many replies) have it all wrong. The point is not that you need to be encrypting all of your traffic to Gmail (for example) with SSL.

The need for SSL-encrypting your session was known with sidejacking. If you use SSL for credential exchange but not for the whole session, your session cookie is transmitted in the clear, and an attacker can sniff it and use your session (as the cookie acts temporarily as a credential). Encrypting the whole session with SSL prevents this. This is well-known at this point.

The subject of this talk was not sidejacking. If the site (Gmail) does not set the secure bit on the session cookie, then your session cookie can be transmitted in the clear, even if all of your intentional communication with Gmail is over SSL! An attacker need only inject a link to the appropriate domain (e.g., mail.google.com) in some other page you request, and the cookie will be sent with that request over HTTP. Only by marking the cookie as secure will the browser refuse to send it over HTTP.

Re:don't freak out, requires packet sniffing

[blueg3]

This is true, except for every wireless access point the attacker can access -- like the ones where people sit in a coffee shop and check their e-mail.

I was at DEFCON - the author is confused

[remitaylor]

The author of this post seems to be really, really confused. There were multiple presentations on ways to hack your Google accounts and Google security flaws, etc.

There was a presentation on howto exploit Google Gadgets (which have access to your local javascript), a few presentations on Cross-Site Request Forgery (CSRF)(which you can do to send your own HTTP requests as the visitor if you have your own image or iframe on the page), and a presentation on hijacking your sessions if you ever access a site over plain-text (non-SSL), and putting the password page on SSL doesn't help (this requires the attacker to be on your local network!!!!!!!).

The title of the post sounds like they're talking about The Middler, a Ruby-based proxy by Jay Beale for intercepting all user data on a shared network, such as a coffee shop, where you can get users to go through your proxy.

If the author is talking about The Middler ... that attacker has to be on your network!!! This is only an issue on untrusted networks.

Jay Beale's talk was the one the mentioned SSL the most, so I'm gonna guess that the author is talking about that, even tho the article seems to mix everything up.

To see the descriptions of the actual talks and whatnot, visit the DEFCON schedule: https://www.defcon.org/html/defcon-16/dc-16-schedule.html

Redundant? Yes - Normans and Saxons

[onkelonkel]

Intents and Purposes. Sounds redundant and in fact it is. After the Norman Conquest of Britain, it became customary to use both the Norman (French derived) and Saxon words in certain phrases so everyone would understand. It lingers on to this day especially in legal terms. Cease and Desist. Will and Testament. Intents and Purposes.

Re:Redundant? Yes - Normans and Saxons

[Red+Flayer]

Sure, it's a nautical term, it means a ship can sail into the wind (by) and on a right angle to the wind (large).

The phrase has come to mean that the statement it refers to applies generally (i.e., in a multitude of conditions).