Security Basics mailing list archives
Re: Gmail and https
From: krymson () gmail com
Date: 11 Feb 2008 20:32:24 -0000
Yup! You're correct! Not sure why they do this. Maybe they want to not use system resources to encrypt everything beyond the login. I imagine when you scale up to Google-size, it becomes a huge requirement. They may also be making a risk assessment and deciding your email content is not as important as the authentication to the email system. It doesn't help that the page constantly refreshes...

Errata Security [1] last year came out with a side-jacking tool that can snag session cookies from a public network and steal your session. Gmail was thought to be secure against this using SSL, but that is not true, as the info is transmitted later through the refreshing of Gmail, unencrypted.

Should Google always use SSL? Not sure I could answer that, but I would suggest making sure you are always using SSL (https) through Gmail.

[1] http://erratasec.blogspot.com/2008/01/more-sidejacking.html

<- snip ->

Hi, I noticed recently that gmail after you logon the header in the address bar is http not https? Is that normal?
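
The exposure described in this message (login over https, later page refreshes over http carrying the same session cookie) can be checked for in a proxy or capture log. The following Python is an added example, not part of the original post; the host names, the cookie name `SID` and the request list are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample log (not captured traffic): (request URL, Cookie header sent).
SAMPLE_REQUESTS = [
    ("https://mail.example.test/login", ""),
    ("https://mail.example.test/inbox", "SID=abc123; theme=dark"),
    # Background refresh falls back to plain http and re-sends the cookie.
    ("http://mail.example.test/inbox?refresh=1", "SID=abc123; theme=dark"),
    ("http://mail.example.test/static/logo.png", "theme=dark"),
    # A second site that keeps the whole session on https.
    ("https://secure.example.test/inbox", "SID=zzz999"),
]


def classify_session_cookies(requests, session_names=("SID",)):
    """Report session cookies that crossed the network unencrypted.

    Returns sorted (host, cookie name, kind) tuples, where kind is
    "mixed" (sent over both https and http, so the https login gave a
    false sense of safety) or "cleartext-only" (never protected).
    `session_names` is a hypothetical list of cookie names treated as
    session identifiers; adjust it for the application under review.
    """
    seen = {}  # (host, name, value) -> set of schemes the value was sent over
    for url, header in requests:
        parts = urlsplit(url)
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; name2=value2"
        for name, morsel in jar.items():
            if name in session_names:
                key = (parts.hostname, name, morsel.value)
                seen.setdefault(key, set()).add(parts.scheme)

    findings = []
    for (host, name, _value), schemes in sorted(seen.items()):
        if "http" in schemes:
            kind = "mixed" if "https" in schemes else "cleartext-only"
            findings.append((host, name, kind))
    return findings


if __name__ == "__main__":
    for host, name, kind in classify_session_cookies(SAMPLE_REQUESTS):
        print(f"{host}: session cookie {name} exposed ({kind})")
```
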