Many of us, students, faculty and staff alike, use Gmail for our personal, non-University email. A post on Mashable today describes a security hole that is easily closed in your Gmail settings. If you access Gmail from a public place, take a minute to open your Gmail settings and tell it to always use “https” rather than plain “http.” Plain http is faster, but it is unencrypted.
Here’s the original post from Mashable:
Be Careful if You Access Gmail Through a Public Hotspot
August 20, 2008 — 01:53 AM PDT — by Stan Schroeder
If you check Gmail’s settings, the last option under the “General” tab lets you “always use https” when accessing Gmail. It’s a fairly new option, and it might sound strange; isn’t Gmail secured by SSL (Secure Socket Layer) by default (hence switching to “https://gmail.com” when you type in “gmail.com” in your browser)?
The answer is: yes and no. Once you log in, Gmail reverts to an unencrypted connection, since SSL connections are slower than regular ones. This means that whatever you do on Gmail is unencrypted from then on, and someone sniffing traffic on your network can easily obtain sensitive data.
Of course, not everyone has the skills to do that, so the chances of it actually happening are pretty small. Or, better put, they were small until now. As reported by Hacking Truths, a tool has been presented at DEFCON that makes stealing session IDs from Gmail a relatively easy affair. And once someone has your session ID, he/she can log in to your Gmail account without authentication.
In practice, this means that not having the “always use https” option checked, especially if you’re accessing Gmail through a wireless hotspot or any other insecure network, has become a hazard and is not recommended. Google has been fairly silent about this, letting users decide what they want to do, but I’ve switched to SSL and I recommend you do, too, especially if you use Gmail for business purposes.
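The failure mode the post describes is a session cookie that keeps travelling over plain http after login. The following is an added example, not code from the Mashable post or from Google: a small audit that, given a response’s scheme, status and headers, flags a session cookie without the Secure and HttpOnly attributes and an http request that is answered with content instead of an https redirect. The host name, cookie name and responses are constructed so it runs offline.

```python
# Added example: audit an HTTP response for a session cookie that the browser
# would also send over unencrypted http. Sample responses are constructed.

SESSION_HINTS = ("sid", "sess", "auth", "token", "login")  # assumed name hints


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as Secure get ""
    return name.strip(), value, attrs


def looks_like_session(name):
    return any(h in name.lower() for h in SESSION_HINTS)


def audit(scheme, status, headers):
    """Return findings for one response; an empty list means nothing flagged.

    scheme  -- 'http' or 'https' of the request that produced the response
    status  -- numeric HTTP status code
    headers -- list of (name, value) tuples as sent on the wire
    """
    findings = []
    lower = [(k.lower(), v) for k, v in headers]
    if scheme == "http":
        location = next((v for k, v in lower if k == "location"), "")
        if not (status in (301, 302, 307, 308) and location.startswith("https://")):
            findings.append("http request answered with content, not an https redirect")
    for key, value in lower:
        if key != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if not looks_like_session(name):
            continue
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure attribute, browser will send it over http")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly attribute, readable by page scripts")
    return findings


# Constructed cases: the weak setup, an https-only cookie, and a proper redirect.
WEAK = ("http", 200, [("Content-Type", "text/html"), ("Set-Cookie", "SID=abc123; Path=/")])
HARDENED = ("https", 200, [("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly")])
REDIRECT = ("http", 301, [("Location", "https://mail.example.test/")])

if __name__ == "__main__":
    for label, case in (("weak", WEAK), ("hardened", HARDENED), ("redirect", REDIRECT)):
        print(label, audit(*case) or ["ok"])
```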
Content © Office of Information Technology Blog