Do You Use GMail? If so, please read:

[lwood]

[Edit: I invite anyone reading this to dig through the comments for good ancillary advice, and some insightful commentary from fxchip]

Hello, folks--earlier this month, at a well-known conference, there was announced a tool that can hack into any GMail account, regardless of how good your password is, as long as the data is flitting around unencrypted.

That's bad, m'kay?

Google has always had it so that your login credentials flit around encrypted, but once that's done, drops you to an unencrypted session (for long reasons that work out to "it's cheaper that way" for several kinds of "cheaper"). This will leave you quite open to this tool when it's released into the wild at the end of the month.

However, there's help! Google has just made it so that you can choose to have all your GMail traffic encrypted, and I would recommend this to any GMail user, even if you think "oh, my e-mail isn't that important". It's really easy to fix this. Actually, they should fix the dodgamn underlying bug, but leaving that aside for now, here's what you can do:

Simply log into GMail, and click on the Settings link over in the top right corner. At the bottom of this screen is a section labelled "Browser Connection", which by default is set to "Don't always use https". Change this to "Always use https", then click the "Save changes" button directly below. That "should" keep you safe from people using this fascinating new toy.

Enjoy!

-- Lorrie

Comments

[razorsharpblade.livejournal.com]

Thanks for the heads up Lorrie! Do you mind if I link to this on my LJ??

[lwood.livejournal.com]

You're welcome--please do!

-- Lorrie

[nicanthiel.livejournal.com]

Thanks very much for the heads-up :)

[lwood.livejournal.com]

You're welcome!

-- L

[ex-ciannait.livejournal.com]

Thanks for the tip!!

[lwood.livejournal.com]

You're welcome!

-- Lorrie

[netdancer.livejournal.com]

Thanks for the heads-up, much appreciated. I'll pass this on to my Flist.

[lwood.livejournal.com]

You're welcome!

-- L

[narfi.livejournal.com]

Thanks. I'll make sure others know.

[lwood.livejournal.com]

Excellent!

[erynn999.livejournal.com]

I can has https. I shall pass the word.

[lwood.livejournal.com]

Huzzah!

[knittingwoman.livejournal.com]

I'll do this too. Gmail is my back up e-mail and the one I use for public stuff these days. I use a local freenet as well but it is a PITA sometimes and that's when I use gmail.
If I were looking for a different (free) web based e-mail are there are any others you would recommend?

[lwood.livejournal.com]

Heh--I have owned my own e-mail for years, and give out accounts to anyone whom I trust reasonably who would like one. I don't charge, and I come with webmail access. So, I'd recommend me, but I don't have a lot of the kickass features that GMail has.

-- Lorrie

[lishi3-complex.livejournal.com]

Saw this on Lupa's LJ; thanks for the warning!

[lwood.livejournal.com]

You're welcome!

Hi, I came here from Lupa's journal.

[tlttlotd.livejournal.com]

There are also a couple of Firefox plugins that automatically turn on SSL support with Google services (like CustomizeGoogle (https://addons.mozilla.org/en-US/firefox/addon/743) and Gmail Manager (https://addons.mozilla.org/en-US/firefox/addon/1320)). You can also throw https:// in front of most Google URLs. The services that support SSL will use it, the ones that don't will redirect you to the non-encrypted verison of the site.

Also beware of other applications that don't use SSL or TLS to access Google services when they use your credentials, like Mozilla Sunbird (a calendaring application with Google Calendar support; it caches your username and password if you let it) and various e-mail applications (SSL support for POP3 and IMAP can be turned on when accessing your Gmail account but many people forget that sending e-mail through their relays also requires your credentials, and forget to turn on TLS support in their outgoing SMTP server settings).

No matter how you cut it, if your login credentials go over an untrusted network and someone's running a packet sniffer, it's game over.

Re: Hi, I came here from Lupa's journal.

[sleepingwolf.livejournal.com]

Also here via Lupa and, as a reminder, triskele, though I stop in here now and then.

https:// helps, but the problem is that the cookie isn't properly secured. Without the cookie being secured, it's possible for the "fascinating new toy" to tell your browser temporarily that it is going to http://www.gmail.com/ to retrieve an image, and your browser will helpfully supply your cookie, even if you're using https.

(ETA triskele's role in reminding me to take care of this.)

[abhasana.livejournal.com]

*@)#$! I don't even like gmail in the first place.

[lwood.livejournal.com]

I had a libertarian crankyfit when it was made known that my e-mail was being parsed for ad value. Still...I worked at Hotmail for nigh unto two years, and someone's got to pay for all this stuff.

So I own my own e-mail server and installed a webmail package there instead. 8-)

-- Lorrie

[bellacrow.livejournal.com]

thanks!

[lwood.livejournal.com]

welcome!

[ardaniel]

Do note that you've got to log out and back in for the change to take effect, or at least I did. Just clicking the button doesn't make you any safer.

Also, MobileMe, the Apple version of same, doesn't even have a *way* to let you always use SSL on the web app-- so if you've got a me.com email address, you want to stick to using Mail.app instead of the MobileMe webmail.

[lwood.livejournal.com]

It sorted me when I reloaded the page, actually, but relogging is a good idea in any case.

-- L

[fireba11.livejournal.com]

Thanks for the info - I just applied the "fix" on my own account.

And... I didn't get to see you this time (was just out in SF for a few days), but would very much like to the next time I'm out!

[lwood.livejournal.com]

Excellent all around!

[thorn-and-calyx.livejournal.com]

Thanks, sweetling! I'm all snuggled in well-armoured https goodness. *hugs*

[lwood.livejournal.com]

Hoorah! *hugs*

[brownkitty.livejournal.com]

Done, and thank you :)

[lwood.livejournal.com]

You're welcome!

[faeryl.livejournal.com]

Thank you muchly! :-) Account settings have been changed.

[lwood.livejournal.com]

You're welcome!

-- L

[sk4p.livejournal.com]

Another friend of Lupa's: much appreciated.

[lwood.livejournal.com]

You're welcome!

-- Lorrie

[djedet.livejournal.com]

Followed a link to this! Thank you so much!

[lwood.livejournal.com]

You're welcome!

[emberleo.livejournal.com]

Ah! Good to know. I have implemented the recommended change in both my accounts.

Danke!

--Ember--

[lwood.livejournal.com]

Bitte!

[synabetic.livejournal.com]

I, too, followed a link to this. Done and thank you!!!1 :)

Cheers,
Steve

[lwood.livejournal.com]

You're welcome! Nice icon!

-- L

thanks, and a question

[anne-jumps.livejournal.com]

This seems to render the Gmail Notifier inoperable -- is there a way around that or is it just a tough break?

Re: thanks, and a question

[sleepingwolf.livejournal.com]

There is a workaround (http://mail.google.com/support/bin/answer.py?hl=en&answer=9429).

[illuviel.livejournal.com]

Thanks for the heads-up. Posting a link here, if you don't mind.

[lwood.livejournal.com]

No worries, please do.

-- L

[averysmallthing.livejournal.com]

Thanks. Going to regurgitate the info in my LJ with credit.

[lwood.livejournal.com]

Excellent!

[sabethea.livejournal.com]

Thank you for this. lupabitch linked to it, and as I have three gmail accounts I am particularly grateful (and going to link to it myself, as I see you don't mind that happening. If for some reason a total stranger linking to this post makes you hugely angry, please tell me and I'll remove it).

[lwood.livejournal.com]

You're welcome, please do, no, I am a grownup and besides, more "thanks!" comments are more ego-boo. *grin*

-- Lorrie

Another gmail user

[(Anonymous)]

I have a gmail account so when someone on my FTH listserve sent me your link I checked it out immediately. Thanks much. I'd like to post your link on my blog.

Re: Another gmail user

[lwood.livejournal.com]

You're welcome--please do!

-- Lorrie