Wieners, Brats, Franks, we've got 'em all.
0 Members and 1 Guest are viewing this topic.
Quote from: iago on August 20, 2008, 10:00:42 amQuote from: Sidoh on August 19, 2008, 04:58:05 pmgmail doesn't have to use cookies. The "remember me" checkbox will do this, but without it, I don't think it uses cookies. This tool hijacks the session by looking for the session ids in the requests, from what I understand. It's unlikely that it's anything fancy, but it's irrelevant. This thread is saying "turn on always over https" not "omg look at these sweet hax".A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something. But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default. Passing the session ID around through the URLs works too.
Quote from: Sidoh on August 19, 2008, 04:58:05 pmgmail doesn't have to use cookies. The "remember me" checkbox will do this, but without it, I don't think it uses cookies. This tool hijacks the session by looking for the session ids in the requests, from what I understand. It's unlikely that it's anything fancy, but it's irrelevant. This thread is saying "turn on always over https" not "omg look at these sweet hax".A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something. But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default.
gmail doesn't have to use cookies. The "remember me" checkbox will do this, but without it, I don't think it uses cookies. This tool hijacks the session by looking for the session ids in the requests, from what I understand. It's unlikely that it's anything fancy, but it's irrelevant. This thread is saying "turn on always over https" not "omg look at these sweet hax".
Quote from: Sidoh on August 20, 2008, 11:37:12 amQuote from: iago on August 20, 2008, 10:00:42 amQuote from: Sidoh on August 19, 2008, 04:58:05 pmgmail doesn't have to use cookies. The "remember me" checkbox will do this, but without it, I don't think it uses cookies. This tool hijacks the session by looking for the session ids in the requests, from what I understand. It's unlikely that it's anything fancy, but it's irrelevant. This thread is saying "turn on always over https" not "omg look at these sweet hax".A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something. But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default. Passing the session ID around through the URLs works too.Certain browsers don't allow global javascript variables, and while there are workarounds to that, they're all far more ugly than using cookies. Every major web app users cookies, period.
I just turned it on. Thanks. I was under the impression that it was already across SSL the whole time... lol.
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min[20:21:15] xar: that was funny
Quote from: Sidoh on August 19, 2008, 02:40:38 pmI just turned it on. Thanks. I was under the impression that it was already across SSL the whole time... lol.How were you able to set it so that it redirects you automatically to the secure site? I was thinking about this the other day, because I use GMail Notifier in my tray and it doesn't run HTTPS. Hrm.. guess I have to wait for them to update for that to work secure.
Does the updater use HTTP? I could be the case that it's using IMAP with SSL. I haven't used it in a long time.
Like all things in life, pumping is just a primitive, degenerate form of bending.
Hey, I don't tell you how to tell me what to do, so don't tell me how to do what you tell me to do! ... Bender knows when to use finesse.
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz[17:32:54] * xar sets mode: +o newby[17:32:58] <xar> new rule[17:33:02] <xar> me and newby rule all
Quote from: CrAz3D on June 30, 2008, 10:38:22 amI'd bet that you're currently bloated like a water ballon on a hot summer's day.That analogy doesn't even make sense. Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.
I'd bet that you're currently bloated like a water ballon on a hot summer's day.
What I did to solve that problem awhile back was hex edit Gmail Notifier. Run a string search for 'http://mail.google.com/mail/', and from there just change it to 'https://mail.google.com/mail/' without inserting any extra bytes (you're going to overwrite one of the bytes).
That would be good, but can it handle HTTPS connections?
Well, I turned on the option to force https, and google notifier is broken now. I suppose I'll have to hex it.Is the byte following the string known to be unused? It seems likely that it is, since compilers tend to align strings.
