Alert: Enable "Always use https" setting in GMail

August 12, 2008 by Shanmuga  
Filed under Email Security, Featured

Google last week introduced a security setting designed to protect GMail users' sessions from being hijacked. The setting is provided as an option on the "settings" page of your GMail account. If you haven’t enabled the "Always use HTTPS" option, it’s time to do so now, due to the emergence of an automated cookie-stealing tool demonstrated at the Defcon hacker conference last week.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Security: How secure is a Gmail account?

February 23, 2008 by Shanmuga  
Filed under Email Security

"At the last DefCon event, one of the attendees, ‘Hamster’ showed off how the cookies sent by your computer when signing into a Google account can be copied, allowing the account to be cloned by the hacker, and all the implications that carried.

Google Mail vulnerable to sidejacking despite SSL

February 8, 2008 by Shanmuga  
Filed under Email Security, Vulnerabilities

"According to security researcher and CEO of Errata Security Robert Graham, Google’s JavaScript code makes HTTP requests in the background via an XMLHttpRequest. By default, these requests are SSL-encrypted—but if SSL fails, they change to nonencrypted mode. When a user attempts to connect to a WiFi hotspot, Google Mail attempts to connect with SSL both enabled and disabled. Even if the attempt fails, session-ID cookies are still transmitted to the router, and can therefore be captured by anyone sitting nearby with an appropriately configured software suite.