Re: Gmail/SSL
On Sat, Aug 9, 2008 at 2:47 PM, coderman <coderman@xxxxxxxxx> wrote:
> On Sun, Mar 9, 2008 at 5:23 PM, Jonathan Addington <madjon@xxxxxxxxx> wrote:
>> I've been following the conversation regarding Gmail and SSL bits in
>> other threads because, as you can tell, I use Gmail, and was under the
>> impression that https:// will keep everything over an SSL connection.
>
> an update of note: Gmail now supports an account option to enforce the
> secure only bit on session cookies and keeps your entire gmail session
> on SSL.  this makes attacks like Mike Perry's active side jacking
> impossible, as the session cookie is no longer sent in the clear when
> http:// non-SSL links are injected into browser content.
>
> to enable this feature:
> - at top of page select "Settings"
> - scroll to bottom of section for "Browser connection:" preference
> - select "Always use https"
>
> this will pass the Secure / secureonly option when setting the GX=...
> session cookie used to identify your authenticated session.  this
> cookie will then never be sent over plain-text connections, protecting
> you from passive / active side jacking attacks.
>
> be sure to use a somewhat modern browser that supports secure only
> cookies.  you can also verify correct operation with the "Live HTTP
> Headers" plugin for Firefox.
>
> best regards,
>
This is also on the Gmail blog, which notes that going to
https://mail.google.com always had the same effect. (At least
hopefully!)
-- 
madjon@xxxxxxxxx
Calendar (usually up to date):
http://www.google.com/calendar/embed?src=madjon%40gmail.com&ctz=America/Chicago&pvttk=715ccc706e1e426d956ad8d6f7f9b16a
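An added illustration of the point made in the quoted reply, not code from the thread or from Google: the snippet below parses Set-Cookie headers the way a "Live HTTP Headers" capture would show them, reports session cookies that lack the Secure attribute, and simulates which cookies a browser would attach to a plain http:// request versus an https:// one. The cookie name GX comes from the thread; every header value and path is constructed for the example.

```python
"""Audit Set-Cookie headers for the Secure attribute and show why a Secure
session cookie is never exposed on a plain-text request.

Added example, not part of the original thread. Header values are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed capture before enabling "Always use https": the GX session cookie
# has no Secure attribute, so a browser would send it on any http:// request.
WEAK_HEADERS = [
    "Set-Cookie: GX=DQAAAJ-constructed; Path=/mail; HttpOnly",
    "Set-Cookie: PREF=constructed; Path=/",
]

# Constructed capture after enabling the option: GX now carries Secure.
HARDENED_HEADERS = [
    "Set-Cookie: GX=DQAAAJ-constructed; Path=/mail; Secure; HttpOnly",
    "Set-Cookie: PREF=constructed; Path=/",
]


def parse_set_cookie(headers):
    """Return {name: {"value", "secure", "path"}} for each Set-Cookie line."""
    jar = {}
    for line in headers:
        _, _, raw = line.partition(":")
        cookie = SimpleCookie()
        cookie.load(raw.strip())
        for name, morsel in cookie.items():
            jar[name] = {
                "value": morsel.value,
                # http.cookies stores the Secure flag as True when present, "" otherwise
                "secure": bool(morsel["secure"]),
                "path": morsel["path"] or "/",
            }
    return jar


def cookies_sent(jar, url):
    """Names of cookies a browser would attach to a request for `url`.

    A cookie marked Secure is only sent when the scheme is https; that is the
    whole defence against an injected http:// link pulling the session cookie
    onto the wire in the clear."""
    target = urlparse(url)
    sent = []
    for name, c in jar.items():
        if c["secure"] and target.scheme != "https":
            continue
        if not (target.path or "/").startswith(c["path"]):
            continue
        sent.append(name)
    return sorted(sent)


def insecure_session_cookies(jar, session_names=("GX",)):
    """Session cookies present without Secure: the finding an audit should flag."""
    return [n for n in session_names if n in jar and not jar[n]["secure"]]


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        jar = parse_set_cookie(headers)
        print(label, "missing Secure on:", insecure_session_cookies(jar))
        for url in ("http://mail.google.com/mail/", "https://mail.google.com/mail/"):
            print("  ", url, "->", cookies_sent(jar, url))
```

Running the script shows the difference the setting makes: with the weak headers the GX cookie is attached to the http:// request, with the hardened headers it only travels over https://, which is exactly what the "Live HTTP Headers" check described above should confirm.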