Gmail/SSL
- To: or-talk@xxxxxxxx
- Subject: Gmail/SSL
- From: "Jonathan Addington" <madjon@xxxxxxxxx>
- Date: Sun, 9 Mar 2008 19:23:54 -0500
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-talk-outgoing@xxxxxxxx
- Delivered-to: or-talk@xxxxxxxx
- Delivery-date: Sun, 09 Mar 2008 20:24:47 -0400
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
I've been following the conversation regarding Gmail and SSL bits in
other threads because, as you can tell, I use Gmail, and was under the
impression that https:// will keep everything over an SSL connection.
So after reading the threads that suggested otherwise I decided to
investigate.
I shut down my Tor server, and blocked most forwarded traffic from my
router, logged out of Gmail, and closed Firefox. Then I started up
Wireshark, opened up Firefox, logged onto Gmail, looked at a couple of
messages, labeled one spam, and sent one as a test. Then I just let it
sit for about four hours.
After going through the Wireshark log (which took a bit!) the only
non-SSL/TLS traffic from Gmail I could find looked like this:
<snip>
ET /safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.11&version=goog-white-domain:1:30,goog-white-url:1:371,goog-black-url:1:19069,goog-black-enchash:1:46040 HTTP/1.1
Host: sb.google.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204 Ubuntu/7.10 (gutsy) Firefox/2.0.0.11
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PREF=ID=2ebc725f67fb2226:TM=1185368577:LM=1204091083:FV=2:GM=1:S=wxIX6A2MoEz-E_jQ;
NID=7=idUEA3RlV2HdMJnwhlss9BlI_xHRanyp-YhurpGmW2VRTJRbQtFLMGUCaA4DM2EbxvWUdUmDM4QocyqrcNaAzeezJah8ZVR025-cv7ZI1pmmQFGztHdIOpBmOrAHmnnb;
rememberme=true; TZ=360; GMAIL_RTT=199;
SID=DQAAAHkAAADzxZbZSOLdabfqK8Sg1BqQiOfOHP_vmkzA86-1aZ6g6qK4ny6F2kgvPQk2w2L6NXGwI7d6eN7TC1ZT2otnoPuen1GljghnYC6w9F6o56AB1UB_LIaHO1CfI5VgfDr_JTUBy29vzneXPb6EbemlUPJ8tq0p_Kp6ysh90MNmjupnRw
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: public,max-age=600
Server: TrustRank Frontend
Content-Length: 40363
Date: Fri, 07 Mar 2008 19:48:54 GMT
[goog-black-enchash 1.46041 update]
-181A72096A3A5F5A6B5CE3D22D4990DC
+1ADDDA4E33D074B417D9032C0074E54B.Z1YySDViZ1cwW70PPccj6T76+VSLmilYHD4snvGWoJZDwmAzbDdxaDCGZQsJiCtQadFG7eZ2X6DeDa1bmIm2rUV+UkvCzR7eyfQ+raZEmhGeN+mJMsQnhgwogxfy
+32B06F940FF6E48A2FE609B51E416C58.ckkydGZxM2uxa3j+ksQIJoP044ACSApNlQwR1Hx3orZ+53tHaJmUOAxHjOP9ApeQzZjxW/2iepjX+SVeDnkMLSu6at81oCpjXI8cfBkYg1ntKazdBBraDzoh31YCI5mgLgj2iybtFg==
-409CA5195CFE1F8B615C0CF72343DE19
</snip>
Except that the whole thing was ~41kb.
So, while not an exhaustive study by any means, it *does* look like
Gmail will stick to SSL, or some type of encryption (I have no idea
what "goog-black-enchash" means, but it certainly isn't plaintext).
If anyone wants to look through the packet dump let me know; it's
about 4mb uncompressed after I filtered out traffic that I knew wasn't
from Google (from a cron job I have going). I'd be glad to post it
somewhere.
-madjon
Running Ubuntu 7.10, all latest patches/updates
Wireshark 0.99.6
Behind a wrtg54 router running Tomato firmware.
--
madjon@xxxxxxxxx
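
A check of the kind described in the message above, as an added example that is not part of the original post: it scans reassembled TCP payloads for requests that are not TLS and reports which cookie names travel with them in cleartext. The sample streams, placeholder cookie values and function names are constructed for illustration.

```python
import re

# Constructed sample: reassembled client-to-server payloads as (dst_port, bytes).
# Cookie values are placeholders, not the values quoted in the post.
SAMPLE_STREAMS = [
    (80, b"GET /safebrowsing/update?client=navclient-auto-ffox HTTP/1.1\r\n"
         b"Host: sb.google.com\r\n"
         b"Cookie: PREF=ID=placeholder; rememberme=true; SID=PLACEHOLDER\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\x05hello"),  # starts like a TLS handshake record
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")

def is_tls_record(payload):
    # TLS record header: content type 20-23, then protocol major version 3.
    return len(payload) >= 3 and 20 <= payload[0] <= 23 and payload[1] == 3

def parse_plaintext_request(payload):
    """Return (path, headers) if payload begins with an HTTP/1.x request, else None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return m.group(2).decode("latin-1"), headers

def cleartext_cookie_findings(streams, domain="google.com"):
    """List plaintext HTTP requests to `domain` (or a subdomain) and their cookie names."""
    findings = []
    for port, payload in streams:
        req = None if is_tls_record(payload) else parse_plaintext_request(payload)
        if req is None:
            continue
        path, headers = req
        host = headers.get("host", "").split(":")[0].lower()
        if host != domain and not host.endswith("." + domain):
            continue
        names = [c.split("=", 1)[0].strip()
                 for c in headers.get("cookie", "").split(";") if c.strip()]
        findings.append({"port": port, "host": host,
                         "path": path.split("?")[0], "cookie_names": names})
    return findings

if __name__ == "__main__":
    for finding in cleartext_cookie_findings(SAMPLE_STREAMS):
        print(finding)
```

Only cookie names are reported, so the findings can be shared without exposing the values themselves.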