HOWTO: secure Gmail to prevent session hijacking


By default, after you log in to Gmail over a secure https connection, Google forwards you to an unencrypted http URL, and that plain-text request carries session data (cookies) telling Gmail and the other Google services that you have already authenticated.

The problem is that anyone sniffing your wireless (or wired) connection can read that session information off the wire and use it to impersonate you, with no need for your password. That could mean reading your email, pulling previously entered addresses out of Google Maps, or opening your Google Docs or Analytics data. This session "sidejacking" was demonstrated at the 2007 Black Hat conference, where the presenter, Robert Graham, took control of an audience member's account live on stage.
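To make the threat concrete, here is an added example (not code from the original post, and not Graham's tooling) of what a sniffer on the same network does with the plain-text requests it sees: reassemble the HTTP request, pull the Cookie header, keep the session cookies, and build the replay request. The captured requests, the cookie names SID and GX, and the token values are all constructed for illustration.

```python
"""Sidejacking in miniature: harvest session cookies from plaintext HTTP.

Constructed input standing in for the TCP payloads a Wi-Fi sniffer would
reassemble. Anything on port 443 is TLS and opaque; anything on port 80
is readable as-is.
"""

# Constructed captures: (server_port, reassembled request text).
CAPTURED_REQUESTS = [
    (80,                                   # post-login redirect target, plain http
     "GET /mail/?auth=EXAMPLE_TOKEN HTTP/1.1\r\n"
     "Host: mail.google.com\r\n"
     "User-Agent: Mozilla/5.0\r\n"
     "Cookie: SID=EXAMPLE_SID_VALUE; GX=EXAMPLE_GX_VALUE; PREF=ID=abc\r\n"
     "\r\n"),
    (80,                                   # a search on another google.com host
     "GET /search?q=sidejacking HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Cookie: SID=EXAMPLE_SID_VALUE; PREF=ID=abc\r\n"
     "\r\n"),
    (443, "<encrypted TLS record, not readable by the sniffer>"),
    (80,                                   # unrelated site, no cookies at all
     "GET /index.html HTTP/1.1\r\n"
     "Host: www.example.com\r\n"
     "\r\n"),
]

# Assumed names of the cookies that carry the login session (illustration only).
SESSION_COOKIE_NAMES = {"SID", "GX"}


def parse_request(raw):
    """Split a plaintext HTTP/1.x request into (method, path, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie_header(value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if "=" in pair:
            name, val = pair.split("=", 1)
            cookies[name.strip()] = val.strip()
    return cookies


def harvest(captures):
    """Return {host: {cookie_name: value}} for session cookies seen in cleartext."""
    stolen = {}
    for port, raw in captures:
        if port != 80 or not raw.startswith(("GET ", "POST ")):
            continue                       # TLS, or not an HTTP request
        _method, _path, headers = parse_request(raw)
        host = headers.get("host", "?")
        cookies = parse_cookie_header(headers.get("cookie", ""))
        session = {n: v for n, v in cookies.items() if n in SESSION_COOKIE_NAMES}
        if session:
            stolen.setdefault(host, {}).update(session)
    return stolen


def forge_request(host, path, cookies):
    """Build the request an attacker replays with the stolen cookies attached."""
    cookie_hdr = "; ".join(f"{n}={v}" for n, v in sorted(cookies.items()))
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_hdr}\r\n\r\n"


if __name__ == "__main__":
    loot = harvest(CAPTURED_REQUESTS)
    for host, cookies in loot.items():
        print(host, sorted(cookies))
    print(forge_request("mail.google.com", "/mail/", loot["mail.google.com"]))
```

Nothing here decrypts or cracks anything; the cookies are simply in the clear, which is why the only defence is to keep every request that carries them on https.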

Safely Connecting to Gmail
If you're using public, unencrypted, or WEP-encrypted WiFi (WEP is broken and should be treated as unencrypted), there's a way to force Gmail to stay on an encrypted connection: navigate manually to https://gmail.google.com/, and your session remains on https after logging in. This does not work for https://www.google.com/gmail, so make sure to use the right address.

Log Out Before Leaving Gmail
This part sucks. Your authentication cookies are still set for the google.com domain, and nothing stops the browser from sending them over plain http. If you navigate to any other Google property after logging into secure Gmail, your session information will be spilled for any WiFi sniffer to see. This probably includes any site whose embedded Google content (AdSense ads, for instance) causes the browser to fetch something from a google.com host over http... which is a large fraction of the sites available via the internet tubes.

So, to safely use Gmail:

  1. close all other browser tabs and windows before going to secure Gmail
  2. don't click any URLs in emails or navigate to any other sites while Gmail is open
  3. sign off before continuing to browse the web (it might not hurt to also flush your cookies)
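The rules above follow from how browsers decide which cookies to attach to a request. The following added example (mine, not the original post's, and not how Google's servers set cookies) models that rule for the two situations in the sections above: the login at https://gmail.google.com/ staying encrypted, and a later http visit to any google.com property leaking the session. The cookie names, their scope, and the list of visited URLs are assumptions constructed to match the post's description; the last two calls show what signing off (an empty cookie jar) and a cookie set with the Secure attribute would change.

```python
"""Model of the browser's cookie-sending rule (domain, path, Secure) to show
where a google.com-scoped session cookie travels in the clear."""
from urllib.parse import urlsplit


class Cookie:
    def __init__(self, name, value, domain, path="/", secure=False):
        self.name, self.value = name, value
        self.domain = domain.lstrip(".").lower()   # ".google.com" -> "google.com"
        self.path = path
        self.secure = secure                       # Secure: only ever sent over https


def domain_matches(host, cookie_domain):
    """The host matches if it equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(req_path, cookie_path):
    """RFC 6265 style path matching: exact, or a prefix on a '/' boundary."""
    if req_path == cookie_path:
        return True
    if cookie_path.endswith("/"):
        return req_path.startswith(cookie_path)
    return req_path.startswith(cookie_path + "/")


def would_send(cookie, url):
    """Would a browser attach this cookie to a request for this URL?"""
    u = urlsplit(url)
    if cookie.secure and u.scheme != "https":
        return False
    return domain_matches(u.hostname, cookie.domain) and \
        path_matches(u.path or "/", cookie.path)


def cleartext_exposures(cookies, visited_urls):
    """(cookie name, url) pairs where the cookie would cross the wire unencrypted."""
    leaks = []
    for url in visited_urls:
        if urlsplit(url).scheme != "http":
            continue                               # https requests are not readable
        for c in cookies:
            if would_send(c, url):
                leaks.append((c.name, url))
    return leaks


# Constructed cookie jar after logging in at the secure address (assumed scopes).
SESSION_SID = Cookie("SID", "EXAMPLE", domain=".google.com")
SESSION_GX = Cookie("GX", "EXAMPLE", domain="mail.google.com", path="/mail")

# Constructed browsing sequence: follows the post's advice, then slips.
VISITS = [
    "https://gmail.google.com/",              # log in at the secure address
    "https://mail.google.com/mail/?ui=1",     # stays encrypted
    "http://www.google.com/search?q=test",    # any google.com property over http
    "http://mail.google.com/mail/",           # the unencrypted redirect target
    "http://www.example.com/",                # unrelated site: nothing is sent
]

if __name__ == "__main__":
    print(cleartext_exposures([SESSION_SID, SESSION_GX], VISITS))
    # Signed off / cookies flushed: nothing left to leak.
    print(cleartext_exposures([], VISITS))
    # Same visits with a cookie carrying the Secure attribute: nothing leaks.
    print(cleartext_exposures([Cookie("SID", "EXAMPLE", ".google.com", secure=True)], VISITS))
```

The first call reports SID leaking on both http visits to google.com hosts and GX leaking on the http visit to mail.google.com; the other two report nothing, which is the whole point of steps 1 to 3 above, and of the Secure attribute that would make them unnecessary.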

Posted by Jason Striegel | Aug 10, 2007 04:05 AM


Comments

Newest comments listed first.

Posted by: pwestbro on August 10, 2007 at 12:49 PM

You can also use the Better Gmail Firefox Add-on to enable this as well

http://lifehacker.com/software/gmail/lifehacker-code-better-gmail-firefox-extension-251923.php


Posted by: jason_striegel on August 10, 2007 at 2:01 PM

Thanks pwestbro. I haven't had a chance to check this yet, but I think the same rules still apply with the Firefox add-on. Ie. you still need to have everything else closed while using Gmail, and you need to sign off/clear cookies before navigating away. Otherwise, those session cookies will still be transmitted when you visit any google.com property.


Posted by: tms10000 on August 12, 2007 at 5:01 PM

Will it force the XmlHttp traffic over SSL too? Gmail will check and fetch your email asynchronously, and I don't think it matters if the page that executes the code was served over SSL; the data it fetches is still unencrypted. You may thwart the sidejacking, but you can't prevent someone from snooping on your email. Much like unencrypted POP3.


Posted by: Adi Roiban on December 25, 2007 at 3:11 AM

I have watched the xmlHTTP requests, and they are also handled over HTTPS.

