Las Vegas — Last week, Google launched a new feature called SSL for its Gmail to combat a tool that automatically steals IDs of non-encrypted sessions into Google Mail accounts has been presented at the recent Defcon conference, in Las Vegas, according to Hacking Truths.
Users who do not switch it on now face a grim situation to do so as Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks.
Gmail is an eternal beta, and though there was no formal announcement for the new feature, and in any case it was offered as an option, which was largely ignored.
But now, even though when a user logs in a standard way, Gmail forces the authentication over SSL (Secure Socket Layer), alerting that you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.
Now, once you log in and check your Gmail’s settings, the last option under the “General” tab lets you “always use https” when accessing Gmail. It is a fairly new option, and it might sound strange, as they really took a year to issue a fix. And, if you click the “learn more” link, the text provided by Google actually sounds like its’ discouraging users from enabling the feature, stating:
“Please note that selecting “Always use https” will prevent you from accessing Gmail via HTTP (Hypertext Transfer Protocol). In addition, it may make Gmail a bit slower. If you trust the security of your network, you can turn this feature off at any time.”
In practice, this means that not having the “always use https” option checked, especially if you are accessing Gmail through a wireless hotspot, or any other un-secure network, has become a hazard, and is not recommended. Google has been fairly silent about this, letting users decide what they want to do.
The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID.
If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.