Author Topic: Gmail with HTTPS  (Read 7254 times)

0 Members and 4 Guests are viewing this topic.

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Gmail with HTTPS
« on: August 19, 2008, 02:01:59 pm »
http://gmailblog.blogspot.com/2008/07/making-security-easier.html
Google's little blog about it. Apparently there's a hack coming out soon that would allow someone sniffing packets on an unencrypted e-mail session to take advantage of the lack of protection and obtain the session information, therefore bypassing the need for login information.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Gmail with HTTPS
« Reply #1 on: August 19, 2008, 02:40:38 pm »
I just turned it on.  Thanks.  I was under the impression that it was already across SSL the whole time... lol.

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Gmail with HTTPS
« Reply #2 on: August 19, 2008, 03:19:01 pm »
That's not really anything new; I know I read a blog post about it about 1-2 months ago.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Gmail with HTTPS
« Reply #3 on: August 19, 2008, 03:22:07 pm »
That's not really anything new; I know I read a blog post about it about 1-2 months ago.

Right.  However, the attack was shown at Defcon and the presenter said he plans to release the tool that automates the process in two weeks from now (from the /. article).  It's a friendly reminder if nothing else. :)

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: Gmail with HTTPS
« Reply #4 on: August 19, 2008, 03:22:26 pm »
That's not really anything new; I know I read a blog post about it about 1-2 months ago.
Yes, but the hack is what's new. It was revealed at DEFCON.
Srsly, RTFA. :P
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Gmail with HTTPS
« Reply #5 on: August 19, 2008, 04:45:40 pm »
That's not really anything new; I know I read a blog post about it about 1-2 months ago.

And if you think about it, you can sniff anybody's cookie if it's transmitted in plaintext and use it...

That goes for not just Gmail, but other mail services, social networking services... the list goes on.

I'm hoping I'm wrong. I'll tunnel everything I do on wireless from now on. :P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Gmail with HTTPS
« Reply #6 on: August 19, 2008, 04:54:11 pm »
And if you think about it, you can sniff anybody's cookie if it's transmitted in plaintext and use it...

That goes for not just Gmail, but other mail services, social networking services... the list goes on.

I'm hoping I'm wrong. I'll tunnel everything I do on wireless from now on. :P
It's absolutely true. Why wouldn't it be?

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Gmail with HTTPS
« Reply #7 on: August 19, 2008, 04:55:01 pm »
What makes this Gmail thing so special, then? Because someone released a hack to do it?

I should release a hack to steal MySpace/Facebook cookies. I'll be famous!
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Gmail with HTTPS
« Reply #8 on: August 19, 2008, 04:56:09 pm »
Because it has the word "gmail" in it, of course.

"facebook" has the same effect.

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Gmail with HTTPS
« Reply #9 on: August 19, 2008, 04:58:05 pm »
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".

Offline Camel

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
    • BNU Bot
Re: Gmail with HTTPS
« Reply #10 on: August 19, 2008, 10:32:59 pm »
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".

The GWT app actually stores the cookie regardless, because when it sends a request it simply reads the session ID from the cookie.

If you don't check remember me, however, the cookie is stored as a session cookie, which is deleted when the browser window/tab closes, except in some special cases such as restoring recently closed tabs in firefox, where the session cookie is reanimated. You are guaranteed, at the very least, to lose the cookie when the application closes cleanly.

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Gmail with HTTPS
« Reply #11 on: August 20, 2008, 10:00:42 am »
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".
A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something.

But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default.

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Gmail with HTTPS
« Reply #12 on: August 20, 2008, 11:37:12 am »
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".
A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something.

But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default.


Passing the session ID around through the URLs works too.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Gmail with HTTPS
« Reply #13 on: August 20, 2008, 11:55:12 am »
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".
A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something.

But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default.


Passing the session ID around through the URLs works too.

Well, yeah, but that's far worse. :P

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Gmail with HTTPS
« Reply #14 on: August 20, 2008, 12:06:32 pm »
Just saying. :P

Offline Camel

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
    • BNU Bot
Re: Gmail with HTTPS
« Reply #15 on: August 20, 2008, 01:44:34 pm »
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".
A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something.

But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default.


Passing the session ID around through the URLs works too.

Certain browsers don't allow global javascript variables, and while there are workarounds to that, they're all far more ugly than using cookies. Every major web app users cookies, period.

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Gmail with HTTPS
« Reply #16 on: August 20, 2008, 01:53:29 pm »
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".
A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something.

But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default.


Passing the session ID around through the URLs works too.

Certain browsers don't allow global javascript variables, and while there are workarounds to that, they're all far more ugly than using cookies. Every major web app users cookies, period.

I know.

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Gmail with HTTPS
« Reply #17 on: August 20, 2008, 02:18:26 pm »
I just turned it on.  Thanks.  I was under the impression that it was already across SSL the whole time... lol.

How were you able to set it so that it redirects you automatically to the secure site? I was thinking about this the other day, because I use GMail Notifier in my tray and it doesn't run HTTPS. Hrm.. guess I have to wait for them to update for that to work secure.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Camel

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
    • BNU Bot
Re: Gmail with HTTPS
« Reply #18 on: August 20, 2008, 02:24:16 pm »
It's an option in the main settings page on the website. I'm not sure about notifier; I use several different flavors of notifiers on different computers, and I'd like to know too :P

I work at an IP company; ethereal is on the standard image that we use for new computers, because it's used by so many. All our switches are managed, etc. It really would be trivial for anyone who works here to hijack my gmail session.
« Last Edit: August 20, 2008, 02:26:05 pm by Camel »

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Gmail with HTTPS
« Reply #19 on: August 20, 2008, 02:33:23 pm »
I just turned it on.  Thanks.  I was under the impression that it was already across SSL the whole time... lol.

How were you able to set it so that it redirects you automatically to the secure site? I was thinking about this the other day, because I use GMail Notifier in my tray and it doesn't run HTTPS. Hrm.. guess I have to wait for them to update for that to work secure.

Does the updater use HTTP?  I could be the case that it's using IMAP with SSL.  I haven't used it in a long time.

Offline Camel

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
    • BNU Bot
Re: Gmail with HTTPS
« Reply #20 on: August 20, 2008, 02:44:28 pm »
Does the updater use HTTP?  I could be the case that it's using IMAP with SSL.  I haven't used it in a long time.

Yes; it's accessing the GWT-RPC service directly with HTTP.

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline Explicit

  • Hero Member
  • *****
  • Posts: 717
  • Hail Bender!
    • View Profile
Re: Gmail with HTTPS
« Reply #21 on: August 20, 2008, 03:10:36 pm »
I just turned it on. Thanks. I was under the impression that it was already across SSL the whole time... lol.

How were you able to set it so that it redirects you automatically to the secure site? I was thinking about this the other day, because I use GMail Notifier in my tray and it doesn't run HTTPS. Hrm.. guess I have to wait for them to update for that to work secure.

What I did to solve that problem awhile back was hex edit Gmail Notifier. Run a string search for 'http://mail.google.com/mail/', and from there just change it to 'https://mail.google.com/mail/' without inserting any extra bytes (you're going to overwrite one of the bytes).
Quote
Like all things in life, pumping is just a primitive, degenerate form of bending.

Quote
Hey, I don't tell you how to tell me what to do, so don't tell me how to do what you tell me to do! ... Bender knows when to use finesse.

[13:41:45]<@Fapiko> Why is TehUser asking for wang pictures?
[13:42:03]<@TehUser> I wasn't asking for wang pictures, I was looking at them.
[13:47:40]<@TehUser> Mine's fairly short.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Gmail with HTTPS
« Reply #22 on: August 20, 2008, 03:12:11 pm »
That would be good, but can it handle HTTPS connections?
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Camel

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
    • BNU Bot
Re: Gmail with HTTPS
« Reply #23 on: August 20, 2008, 03:13:58 pm »
What I did to solve that problem awhile back was hex edit Gmail Notifier. Run a string search for 'http://mail.google.com/mail/', and from there just change it to 'https://mail.google.com/mail/' without inserting any extra bytes (you're going to overwrite one of the bytes).

That sounds too simple to be true; I refuse to believe it :)

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline Explicit

  • Hero Member
  • *****
  • Posts: 717
  • Hail Bender!
    • View Profile
Re: Gmail with HTTPS
« Reply #24 on: August 20, 2008, 03:15:27 pm »
Camel, do it. :)
Quote
Like all things in life, pumping is just a primitive, degenerate form of bending.

Quote
Hey, I don't tell you how to tell me what to do, so don't tell me how to do what you tell me to do! ... Bender knows when to use finesse.

[13:41:45]<@Fapiko> Why is TehUser asking for wang pictures?
[13:42:03]<@TehUser> I wasn't asking for wang pictures, I was looking at them.
[13:47:40]<@TehUser> Mine's fairly short.

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Gmail with HTTPS
« Reply #25 on: August 20, 2008, 03:16:23 pm »
That would be good, but can it handle HTTPS connections?

I'm assuming it uses a common library to handle its connections.  Most of the ones I've seen support stuff like HTTPS transparently.

Offline Camel

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
    • BNU Bot
Re: Gmail with HTTPS
« Reply #26 on: August 20, 2008, 03:18:53 pm »
Well, I turned on the option to force https, and google notifier is broken now. I suppose I'll have to hex it.

Is the byte following the string known to be unused? It seems likely that it is, since compilers tend to align strings.

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline Explicit

  • Hero Member
  • *****
  • Posts: 717
  • Hail Bender!
    • View Profile
Re: Gmail with HTTPS
« Reply #27 on: August 20, 2008, 03:21:20 pm »
Well, I turned on the option to force https, and google notifier is broken now. I suppose I'll have to hex it.

Is the byte following the string known to be unused? It seems likely that it is, since compilers tend to align strings.

I'm assuming it's unused since I haven't experienced anything out of the norm when running the notifier, though it's not a safe assumption to make.

This is on Windows by the way.
« Last Edit: August 20, 2008, 04:00:56 pm by Explicit[nK] »
Quote
Like all things in life, pumping is just a primitive, degenerate form of bending.

Quote
Hey, I don't tell you how to tell me what to do, so don't tell me how to do what you tell me to do! ... Bender knows when to use finesse.

[13:41:45]<@Fapiko> Why is TehUser asking for wang pictures?
[13:42:03]<@TehUser> I wasn't asking for wang pictures, I was looking at them.
[13:47:40]<@TehUser> Mine's fairly short.

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Gmail with HTTPS
« Reply #28 on: August 20, 2008, 06:47:56 pm »
Well, I turned on the option to force https, and google notifier is broken now. I suppose I'll have to hex it.

Is the byte following the string known to be unused? It seems likely that it is, since compilers tend to align strings.

Same thing happened to me.. so I fooled around with it in a hex editor, and now it seems to work. Not sure if it's completely secure though, you'd have to hex it and then sniff the traffic to test. Try it!
« Last Edit: August 20, 2008, 06:59:50 pm by Quik »
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Camel

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
    • BNU Bot
Re: Gmail with HTTPS
« Reply #29 on: August 21, 2008, 12:04:19 pm »
I got lazy and did the edit with vi in text mode; despite the file size changing by one byte, it still works. I've verified that it's using TLSv1.

[edit] Specifically, TLS_RSA_WITH_RC4_128_SHA
« Last Edit: August 21, 2008, 12:06:12 pm by Camel »

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!