Gmail with HTTPS

Started by deadly7, August 19, 2008, 02:01:59 PM


deadly7

http://gmailblog.blogspot.com/2008/07/making-security-easier.html
Google's little blog about it. Apparently there's a hack coming out soon that would allow someone sniffing packets on an unencrypted e-mail session to take advantage of the lack of protection and obtain the session information, therefore bypassing the need for login information.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
[17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Sidoh

I just turned it on.  Thanks.  I was under the impression that it was already across SSL the whole time... lol.

MyndFyre

That's not really anything new; I know I read a blog post about it about 1-2 months ago.
Quote from: Joe on January 23, 2011, 11:47:54 PM
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Quote from: Rule on May 26, 2009, 02:02:12 PM
Our species really annoys me.

Sidoh

Quote from: MyndFyre on August 19, 2008, 03:19:01 PM
That's not really anything new; I know I read a blog post about it about 1-2 months ago.

Right.  However, the attack was shown at Defcon and the presenter said he plans to release the tool that automates the process in two weeks from now (from the /. article).  It's a friendly reminder if nothing else. :)

deadly7

Quote from: MyndFyre on August 19, 2008, 03:19:01 PM
That's not really anything new; I know I read a blog post about it about 1-2 months ago.
Yes, but the hack is what's new. It was revealed at DEFCON.
Srsly, RTFA. :P

Newby

Quote from: MyndFyre on August 19, 2008, 03:19:01 PM
That's not really anything new; I know I read a blog post about it about 1-2 months ago.

And if you think about it, you can sniff anybody's cookie if it's transmitted in plaintext and use it...

That goes for not just Gmail, but other mail services, social networking services... the list goes on.

I'm hoping I'm wrong. I'll tunnel everything I do on wireless from now on. :P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote from: Rule on June 30, 2008, 01:13:20 PM
Quote from: CrAz3D on June 30, 2008, 10:38:22 AM
I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

iago

Quote from: Newby on August 19, 2008, 04:45:40 PM
And if you think about it, you can sniff anybody's cookie if it's transmitted in plaintext and use it...

That goes for not just Gmail, but other mail services, social networking services... the list goes on.

I'm hoping I'm wrong. I'll tunnel everything I do on wireless from now on. :P
It's absolutely true. Why wouldn't it be?

Newby

What makes this Gmail thing so special, then? Because someone released a hack to do it?

I should release a hack to steal MySpace/Facebook cookies. I'll be famous!

iago

Because it has the word "gmail" in it, of course.

"facebook" has the same effect.

Sidoh

gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".

Camel

Quote from: Sidoh on August 19, 2008, 04:58:05 PM
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".

The GWT app actually stores the cookie regardless, because when it sends a request it simply reads the session ID from the cookie.

If you don't check remember me, however, the cookie is stored as a session cookie, which is deleted when the browser window/tab closes, except in some special cases such as restoring recently closed tabs in firefox, where the session cookie is reanimated. You are guaranteed, at the very least, to lose the cookie when the application closes cleanly.

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

iago

Quote from: Sidoh on August 19, 2008, 04:58:05 PM
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".
A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something.

But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default.

Sidoh

Quote from: iago on August 20, 2008, 10:00:42 AM
Quote from: Sidoh on August 19, 2008, 04:58:05 PM
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".
A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something.

But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default.


Passing the session ID around through the URLs works too.

iago

Quote from: Sidoh on August 20, 2008, 11:37:12 AM
Quote from: iago on August 20, 2008, 10:00:42 AM
Quote from: Sidoh on August 19, 2008, 04:58:05 PM
gmail doesn't have to use cookies.  The "remember me" checkbox will do this, but without it, I don't think it uses cookies.  This tool hijacks the session by looking for the session ids in the requests, from what I understand.  It's unlikely that it's anything fancy, but it's irrelevant.  This thread is saying "turn on always over https" not "omg look at these sweet hax".
A site *always* uses cookies to remember who you are, even if the cookie only lasts for the session. The only alternative is to use trickery, like somebody's cache or ip address or something.

But yeah, I think it's ridiculous that sites like gmail and hotmail don't have SSL on for everybody, by default.


Passing the session ID around through the URLs works too.

Well, yeah, but that's far worse. :P
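
Added example (not part of the thread and not any poster's code): a small Python audit of the points discussed above, classifying a `Set-Cookie` header as a session or persistent cookie, reporting whether it lacks the `Secure` attribute and so also travels over plain HTTP, and flagging session IDs passed in URLs. The parameter names in `SESSION_PARAMS`, the sample headers and the `mail.example.test` host are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names that commonly carry a session ID (not from the thread).
SESSION_PARAMS = {"sid", "sessionid", "phpsessid", "jsessionid"}

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(header):
    """Report cookie lifetime and whether it can travel over plain HTTP."""
    name, attrs = parse_set_cookie(header)
    persistent = "expires" in attrs or "max-age" in attrs
    return {
        "name": name,
        # No Expires/Max-Age: dropped when the browser session ends.
        "lifetime": "persistent" if persistent else "session",
        # Without Secure the browser attaches it to http:// requests too.
        "sent_over_http": "secure" not in attrs,
    }

def audit_url(url):
    """Flag session IDs in the query string and whether the URL is plaintext."""
    parts = urlsplit(url)
    leaked = [k for k, _ in parse_qsl(parts.query) if k.lower() in SESSION_PARAMS]
    return {"plaintext": parts.scheme == "http", "session_params": leaked}

# Constructed sample data, not captured from any real service.
SAMPLE_COOKIES = [
    "SID=abc123; Path=/",
    "SID=abc123; Path=/; Expires=Wed, 19 Aug 2009 14:01:59 GMT",
    "SID=abc123; Path=/; Secure",
]
SAMPLE_URLS = [
    "http://mail.example.test/inbox?view=all&sid=abc123",
    "https://mail.example.test/inbox?view=all",
]

if __name__ == "__main__":
    for header in SAMPLE_COOKIES:
        print(audit_cookie(header))
    for url in SAMPLE_URLS:
        print(audit_url(url))
```
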

Sidoh