Security Basics mailing list archives

Re: Gmail and https


From: krymson () gmail com
Date: 11 Feb 2008 20:32:24 -0000

Yup! You're correct!

Not sure why they do this. Maybe they want to not use system resources to encrypt everything beyond the login. I 
imagine when you scale up to Google-size, it becomes a huge requirement. They may also be making a risk assessment and 
deciding your email content is not as important as the authentication to the email system. It doesn't help that the 
page constantly refreshes...

Errata Security [1] last year came out with a side-jacking tool that can snag session cookies from a public network and 
steal your session. Gmail was thought to be secure against this using SSL, but that is not true as the info is transmitted 
later through the refreshing of Gmail, unencrypted.

Should Google always use SSL? Not sure I could answer that, but I would suggest making sure you are always using SSL 
(https) through Gmail.


[1] http://erratasec.blogspot.com/2008/01/more-sidejacking.html


<- snip ->
Hi,
I noticed recently that in Gmail, after you log on, the header in the
address bar is http, not https?
Is that normal?
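The mechanism behind the side-jacking discussed in this thread, as an added example (this is not code from the posting, from Google, or from Errata Security's tool). The point is that a session cookie handed out over the HTTPS login page is sent on every later request to the same host unless it carries the Secure attribute, so the moment the inbox refreshes over plain http the cookie crosses the shared network in the clear and a passive sniffer can lift it and replay it. Hostnames, cookie names and values below are constructed for the example; the domain matching is simplified to suffix matching and is not a full cookie-scope implementation.

```python
"""Side-jacking illustration: HTTPS login sets cookies, plaintext refresh leaks them.

Added example, not from the mailing-list post or from any real tool. All
traffic below is constructed; no real Gmail cookie names or hosts are used.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed: Set-Cookie headers the browser received on the HTTPS login.
# A sniffer on the shared network never sees these (they were encrypted),
# but the first cookie lacks the Secure attribute.
LOGIN_SET_COOKIES = [
    "SID=abc123sessionvalue; Domain=.example-mail.test; Path=/",
    "LSID=def456loginvalue; Domain=.example-mail.test; Path=/; Secure",
]

# Constructed: the plaintext page refresh captured off the wire a minute later.
CAPTURED_HTTP_REQUEST = (
    "GET /mail/?ui=1&view=refresh HTTP/1.1\r\n"
    "Host: mail.example-mail.test\r\n"
    "User-Agent: Mozilla/5.0 (example)\r\n"
    "Cookie: SID=abc123sessionvalue; PREF=lang%3Den\r\n"
    "\r\n"
)


def parse_set_cookie(header):
    """Return name, value, domain and Secure flag of one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        "domain": morsel["domain"].lower(),
        "secure": bool(morsel["secure"]),
    }


def cookies_browser_would_send(set_cookie_headers, request_url):
    """Names of stored cookies a browser attaches to request_url.

    The Secure attribute is what keeps a cookie off a plaintext request; a
    cookie set without it is sent over http just as readily as over https.
    Domain matching is simplified to suffix matching for the example.
    """
    parts = urlsplit(request_url)
    sent = []
    for header in set_cookie_headers:
        ck = parse_set_cookie(header)
        if not parts.hostname.endswith(ck["domain"].lstrip(".")):
            continue
        if ck["secure"] and parts.scheme != "https":
            continue
        sent.append(ck["name"])
    return sent


def sidejack_from_request(raw_request):
    """What a passive sniffer gets from one captured plaintext request:
    the Host header and every cookie in the Cookie header, ready to replay."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        if "=" in pair:
            key, _, value = pair.strip().partition("=")
            cookies[key] = value
    return {"host": headers.get("host", ""), "cookies": cookies}


def audit_set_cookies(set_cookie_headers):
    """Names of cookies set without Secure: these are the ones that leak the
    first time the application drops back to plain http."""
    return [parse_set_cookie(h)["name"] for h in set_cookie_headers
            if not parse_set_cookie(h)["secure"]]


if __name__ == "__main__":
    print("sent over http :", cookies_browser_would_send(
        LOGIN_SET_COOKIES, "http://mail.example-mail.test/mail/"))
    print("sent over https:", cookies_browser_would_send(
        LOGIN_SET_COOKIES, "https://mail.example-mail.test/mail/"))
    print("sniffer captured:", sidejack_from_request(CAPTURED_HTTP_REQUEST))
    print("cookies set without Secure:", audit_set_cookies(LOGIN_SET_COOKIES))
```

Run as-is, the audit flags SID as set without Secure, the browser model shows SID (but not LSID) going out on the plaintext refresh, and the captured request yields the SID value an attacker would paste into their own browser. That is the whole attack: the HTTPS login protects the password, but a session cookie without Secure, on a site that later falls back to http, is worth as much as the password for the life of the session. Forcing https for every Gmail request, as the reply above suggests, closes the gap from the user's side.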
