Gmail HTTPS Doesn't Protect Account, New Setting Does

Gmail HTTPS Doesn't Protect Account, New Setting Does - Via Threat Level:

Just paranoid-enough Gmail users have long known that logging in via https://mail.google.com keeps the entire emailing session wrapped in cozy, 128-bit encryption -- leaving would-be Wi-Fi snoops at a cafe staring at the electronic equivalent of a blended latte.

It's a simple rule: https is your friend, especially when it comes to checking your webmail in a cafe. Without it, the contents of your email are readable by anyone on the same Wi-Fi network running an easy-to-find packet-sniffing program.

But it turns out that's not enough.

There's also an attack that lets a sniffer pluck your session cookie out of the air and log in to your account temporarily -- without ever knowing your password. That attack, first demoed at Defcon last year, is about to get very easy, thanks to the promised upcoming release of a tool that makes sliding into someone else's account as easy as ordering a double cap.

And security researcher Mike Perry discovered that simply logging in always through https won't save you from this one. The reason is that the session cookie which identifies you to Gmail is not restricted to encrypted connections: the moment your browser makes any plain http:// request to the Gmail domain -- something an attacker sharing your network can provoke -- the cookie goes out in the clear, and the sniffer reads it.
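As an added example (not code from the article, from Mike Perry or from Google), the following Python script shows the mechanism behind that finding using only the standard library. It loads cookies from a constructed https login response into a browser-like cookie jar, then asks which of them the client would attach to a plain http:// request for the same host. The hostname, cookie names and values are assumptions for illustration. The cookie set without the Secure attribute is sent either way, so an attacker who can make the victim's browser fetch any http:// URL on the webmail host receives it in cleartext; the Secure-flagged cookie stays on https.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed login-response cookies in the shape a webmail service might set.
# The host, names and values are assumptions for illustration, not Gmail's own.
WEBMAIL_HOST = "mail.example.com"
LOGIN_URL = f"https://{WEBMAIL_HOST}/"
LOGIN_RESPONSE_COOKIES = [
    # Set over https but never marked Secure: the browser also sends it on
    # any http:// request to the same host, which is the sidejacking hole.
    f"SID_LEAKY=abc123; Domain={WEBMAIL_HOST}; Path=/; HttpOnly",
    # Marked Secure: a standards-following client only sends it over https.
    f"SID_SAFE=def456; Domain={WEBMAIL_HOST}; Path=/; Secure; HttpOnly",
]


class _LoginResponse:
    """Stand-in for the HTTPS login response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header

    def info(self):
        return self._headers


def jar_after_login(set_cookie_headers, login_url=LOGIN_URL):
    """Build a browser-like cookie jar as it looks after an https login."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(login_url)
    jar.extract_cookies(_LoginResponse(set_cookie_headers), login_request)
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies domain, path and Secure checks
    header = request.get_header("Cookie", "")
    return sorted(pair.split("=", 1)[0] for pair in header.split("; ") if pair)


def leaked_by_plaintext_request(set_cookie_headers, host=WEBMAIL_HOST):
    """Cookies that go out in the clear if the browser is made to fetch any
    http:// URL on the webmail host (for example an injected image tag)."""
    jar = jar_after_login(set_cookie_headers)
    return cookies_sent_to(jar, f"http://{host}/")


def missing_secure_flag(set_cookie_headers):
    """Quick audit of Set-Cookie headers: names of cookies lacking Secure."""
    unprotected = []
    for header in set_cookie_headers:
        first, *attrs = header.split(";")
        name = first.split("=", 1)[0].strip()
        if "secure" not in {attr.strip().lower() for attr in attrs}:
            unprotected.append(name)
    return unprotected


if __name__ == "__main__":
    jar = jar_after_login(LOGIN_RESPONSE_COOKIES)
    print("sent over https:", cookies_sent_to(jar, LOGIN_URL))
    print("sent over http: ", leaked_by_plaintext_request(LOGIN_RESPONSE_COOKIES))
    print("lacking Secure: ", missing_secure_flag(LOGIN_RESPONSE_COOKIES))
```

The practical check is the last function: pull the Set-Cookie headers from a real login response (for instance with your browser's developer tools) and look for the session cookie among the names it reports; any session cookie without Secure is exposed to this attack no matter how carefully you type https into the address bar.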

Thankfully, Google has added the ability to make your Gmail account always require SSL. So if you are a Gmail user, log in, go to Settings and look for Browser connection. Select "Always use https://" unless you have a desktop and a dial-up connection.

Threat Level still highly recommends the Firefox add-on Customize Google, which has plenty of options for forcing encrypted connections with Google sites and for handling their cookies.

UPDATE: CNET blogger Christopher Soghoian writes in to note that the bigger issue is that the https:// option has existed since Gmail debuted in a private beta in 2004, but that only the security kids really know about it.

"Why doesn't Google have a link on the Gmail front-page letting people know about the existence of the SSL option?" Soghoian asks.

Photo: Flickr/Herby Hönigsperger


(Read Original Article - Via Threat Level.)