Google last week introduced a security setting designed to protect Gmail users' sessions from being hijacked. The setting is offered as an option on the "Settings" page of your Gmail account. If you haven't enabled the "Always use HTTPS" option, it's time to do so now, because an automated cookie-stealing tool was demonstrated at the Defcon hacker conference last week.
In the words of Brian Krebs: "To put this attack in perspective, consider the following scenario. You log into your GMail account on a wireless hotspot at the local coffee bar, being careful to do so by clicking on a bookmark that sends you to https://mail.google.com. In between reading your e-mail, for example, you surf over to another trusted Web site. A bad guy who has hijacked the establishment's network sees that you've requested a new Web page and appends a tiny image at http://mail.google.com to the new page you requested. Bingo. Your browser will spit out the Gmail cookie with your credentials."
Google recommends selecting the "Always use HTTPS" option in Gmail any time your network may be insecure. To enable it, sign in to your Gmail account, click "Settings" in the menu at the top of the page, and scroll down to "Browser connection".
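The scenario quoted above works because a browser attaches a cookie that lacks the Secure attribute to every request for that host, including a plaintext request for an embedded image, whereas a cookie marked Secure is only sent over HTTPS. That refusal to send the session cookie over plain HTTP is the protection a forced-HTTPS webmail session is meant to give you. The following is an added example, not code from the original post or from Google, that uses Python's standard http.cookiejar as a stand-in for a browser's cookie store; the host name, cookie name and cookie value are constructed placeholders.

```python
"""Why a webmail session cookie must be marked Secure.

Added example, not code from the original post or from Google. Python's
standard http.cookiejar stands in for a browser's cookie store. The host
name, cookie name and value are constructed placeholders. The scenario
mirrors the one quoted in the post: a session cookie is set during an
HTTPS login, and a page later embeds an image from the same host over
plain HTTP.
"""
from email.message import Message
import http.cookiejar
import urllib.request

HOST = "mail.example.test"  # constructed placeholder host

# Constructed Set-Cookie headers: the same session id, with and without Secure.
PLAIN_COOKIE = "SID=constructed-session-id; Path=/"
SECURE_COOKIE = "SID=constructed-session-id; Path=/; Secure"


def receive_cookie(set_cookie_header: str) -> http.cookiejar.CookieJar:
    """Simulate the browser receiving a Set-Cookie header on an HTTPS login."""
    login_request = urllib.request.Request(f"https://{HOST}/mail/")
    headers = Message()
    headers["Set-Cookie"] = set_cookie_header

    class _Response:  # minimal stand-in for the response object the jar expects
        def info(self):
            return headers

    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(), login_request)
    return jar


def cookies_sent_to(jar: http.cookiejar.CookieJar, url: str) -> list[str]:
    """Return the names of the cookies the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies the jar's policy, including the Secure check
    header = request.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip()
                  for part in header.split(";") if part.strip())


def leaks_over_http(set_cookie_header: str) -> bool:
    """True if the session cookie would ride along on an http:// image request."""
    jar = receive_cookie(set_cookie_header)
    return "SID" in cookies_sent_to(jar, f"http://{HOST}/images/logo.png")


if __name__ == "__main__":
    for label, header in (("without Secure", PLAIN_COOKIE), ("with Secure", SECURE_COOKIE)):
        jar = receive_cookie(header)
        https_names = cookies_sent_to(jar, f"https://{HOST}/mail/")
        http_names = cookies_sent_to(jar, f"http://{HOST}/images/logo.png")
        print(f"{label}: https request carries {https_names}, "
              f"plain http image request carries {http_names}")
```

The same check applies to any webmail you administer or use: look at the Set-Cookie header returned at login and confirm the session cookie carries the Secure attribute, so that a single http:// reference embedded in an unrelated page cannot make the browser reveal it.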
Why Google has not made this the default is a mystery. Could the reason be that mail browsing becomes a bit slower over SSL? Or does Google assume that every user logs in from a secure, trusted network?
Better still, use a modern email client such as Mozilla Thunderbird that accesses your webmail over SSL, and you will be protected against cookie-stealing attacks. Use the webmail only when you don't have access to your client, such as when you are on the road. When you do use the webmail, always open a new browser window, and remember to sign out of your account manually and close the browser window when you are done.