Gmail contained a long-standing hole in its security, one that received attention at the most recent Black Hat Conference in Las Vegas. Staying signed in to Gmail for convenience meant retaining a cookie for up to two weeks on the computer.
That retention could be a bad thing.
Even though the first login to Gmail happens securely, the rest of the traffic, including the browser passing along that cookie, takes place over a normal http connection unless the Gmail user has picked the new option to force all connections to happen over https.
A hacker named Mike Perry plans to release to security researchers a tool that exploits the transmission of this cookie, as Hacking Thoughts noted:
Perry mentioned that he notified Google about this situation over a year ago and, even though it eventually made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important,” he said. He continued and explained the implications of not informing the users: “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”
Fortunately, it's easy enough for Gmail users to protect themselves. Under Settings, scroll down to the bottom of the page, to the section marked Browser Connection. Tick the radio button next to 'Always use https' to safeguard the account against possible cookie theft.
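The mechanism above comes down to one cookie attribute: a browser sends a cookie on every matching request, http or https, unless the server set it with the `Secure` attribute, which is the server-side counterpart of the user's 'Always use https' setting. The following is an added example, not code from the original post or from Google: it models that browser rule over a constructed login response (invented cookie names and values) and audits the Set-Cookie headers for missing `Secure` and `HttpOnly` flags.

```python
"""Why a session cookie set without Secure leaks over plain http, plus a small
audit of Set-Cookie headers for that defect (added example, constructed data)."""
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers, as a login response sent over https
# might carry them. Cookie names and values are invented for this example.
LOGIN_RESPONSE_HEADERS = [
    "SESSION=abc123; Path=/; HttpOnly",            # no Secure: sent on http too
    "SESSION_S=abc123; Path=/; Secure; HttpOnly",  # Secure: https-only
    "PREF=lang=en; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute keys are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def load_jar(headers: List[str]) -> Dict[str, Dict[str, str]]:
    """Store cookies the way a browser would after the https login."""
    return {name: attrs for name, _value, attrs in map(parse_set_cookie, headers)}


def cookies_sent_on(jar: Dict[str, Dict[str, str]], scheme: str) -> List[str]:
    """Names a browser attaches to a request on `scheme` ('http' or 'https').
    A cookie marked Secure is withheld from plain-http requests; nothing else is."""
    return [name for name, attrs in jar.items()
            if scheme == "https" or "secure" not in attrs]


def audit_set_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Report each cookie that lacks Secure or HttpOnly, with the missing flags."""
    findings: Dict[str, List[str]] = {}
    for name, _value, attrs in map(parse_set_cookie, headers):
        missing = [flag for flag, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
                   if key not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    jar = load_jar(LOGIN_RESPONSE_HEADERS)
    print("sent over http: ", cookies_sent_on(jar, "http"))    # SESSION and PREF leak
    print("missing flags:  ", audit_set_cookies(LOGIN_RESPONSE_HEADERS))
```

Run against real Set-Cookie headers, the audit flags exactly the cookies that the 'Always use https' setting protects only on the user's side; marking them `Secure` fixes it for every user.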