[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Gmail/SSL



On Sun, Mar 9, 2008 at 5:23 PM, Jonathan Addington <madjon@xxxxxxxxx> wrote:
> I've been following the conversation regarding Gmail and SSL bits in
> other threads because, as you can tell, I use Gmail, and was under the
> impression that https:// will keep everything over an SSL connection.

an update of note: Gmail now supports an account option to enforce the
secure only bit on session cookies and keeps your entire gmail session
on SSL.  this makes attacks like Mike Perry's active side jacking
impossible, as the session cookie is no longer sent in the clear when
http:// non-SSL links are injected into browser content.

to enable this feature:
- at top of page select "Settings"
- scroll to bottom of section for "Browser connection:" preference
- select "Always use https"

this will pass the Secure / secureonly option when settings the GX=...
session cookie used to identify your authenticated session.  this
cookie will then never be sent over plain-text connections, protecting
you from passive / active side jacking attacks.

be sure to use a somewhat modern browser that supports secure only
cookies.  you can also verify correct operation with the "Live HTTP
Headers" plugin for Firefox.

best regards,