Why You Should Turn Gmail’s SSL Feature On Now

Let’s talk security and why you should take advantage of Gmail’s recent SSL feature, and why you might want to be careful using other non-SSL webmail services.

But first, make sure your connection is secured using SSL.

How do you know a connection is secured by SSL? The handy “s” after “http” will tell you. For example, https://mail.google.com is encrypted while http://mail.google.com is not. You can force an encryption by adding the “s” yourself, or by turning on “Always use https” from the Browser Connection settings of your Gmail account.

Why? Because without it, anyone can easily hack someone’s account and in two weeks it is going to get even easier. Mike Perry, a reverse engineer from San Francisco, announced his intention to release his Gmail Account Hacking Tool to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent. It is urgent, and here’s why.

Before Gmail released the ability to automatically encrypt your Gmail connections, your browser/server interactions went something like this:

Your Browser: Hey there Gmail, I want in. Here’s my encrypted login.

Gmail Servers: Hey there, browser. I see your encrypted login fits what I have here. If you want to keep talking to me, I will need to see proof of your login, but don’t bother encrypting it for me. Here is your unencrypted email.

Your Browser: Great. I want to read this particular email, my Gmail login is: webmonkey@wired.com and my password is: monkeylove. My name is John Hanks Doe and my social security number is 123-45-6789.

Gmail Servers: Sure, here you go. I see you are leaving for vacation with the house unlocked this weekend. Say, is this your credit card information?

Guy packet sniffing your wi-fi from Starbucks: Cool!

It’s a little more complex than that (and a little less goofy and dramatic), but the theory is sound. Using encryption at login only is the equivalent of setting up a toll booth in the desert.

Here’s the exploit: All it takes to steal someone’s Gmail login account is to intercept any transaction since every single one, even images, pass a cookie which contains the session information.

Spoof the session, and you get free reign to the account — including the ability to change your password. Every non-SSL session is in plain text. With a little determination, any bored, disaffected youth could read your email and change your password within a day. Is it really that easy? Here’s a useful tutorial we found via Google search. When the Gmail Account Hacking Tool is eventually released, it couldn’t be any easier.

With SSL, however, the interaction looks something like this:

Your Browser: xz6RV-BRJViqzNJROECslw

Gmail Servers: jx3iC96D3kuZ_IWNrK461w

Your Browser: PxIryG_P3_3_vRENZdWxMQ

The real thing would be even longer in length, and perfectly unreadable. SSL requires a key generated on your end and on the Gmail server’s end. There’s no way for the local guy at Starbucks to get those keys and unencrypt the data by packet sniffing.

Makes you feel a little vulnerable knowing all your public information was so nakedly exposed over the past few years, huh? Did Google know about this?

It turns out they were well aware of it. The reason Google didn’t grant users the SSL feature before, according to Perry, was because SSL is expensive. It takes a lot of bandwidth and time on both the receiver and transmitter sides to generate keys and encrypt data. Slower data connections would experience a lagging Gmail experience.

Packet sniffing for session information is not a new thing, and is bound to get even more familiar due to how easy it is. Keep in mind, it is not just Gmail which passes account information outside of SSL encrypted connections. There are many sites around the internet that are still vulnerable to this exploit. Protecting your wifi connection with WEP isn’t foolproof either. Your best bet is to use SSL whenever you are transferring information valuable to you, and to avoid sites that don’t use it at all.

[Thanks to Hacking Truths for the tip.]

See Also: