A hacker working on a way to access Yahoo Mail via IMAP recently discovered that Yahoo’s desktop e-mail client is sending your password as plain text. That’s bad news for those of you using the desktop client over public wifi connections, where just about anyone with the know-how can see your unencrypted traffic.
Zimbra, creators of what is now the Yahoo Mail desktop client, responded to the news by assuring users that a fix is already in the code and just needs to be pushed out. The problem however seems to be primarily on Yahoo’s end, since the IMAP servers appear to refuse secure connections.
This issue has been addressed from Yahoo mail server side and the patches have just been rolled out to all servers. We added related support in desktop client code and it’s in the next release. Once we roll out the next release, the server will phase out the old way of authentication. The new way of authentication will not send password over clear channels.
In the meantime we would suggest sticking with the web-based e-mail client when you’re working on public or otherwise insecure internet connections.
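The client-side rule that would have prevented the problem above is simple: the password may only ever be sent inside TLS. The following is an added example (not Yahoo’s or Zimbra’s code) that parses an IMAP CAPABILITY response and decides whether a login can proceed, refusing when the server offers neither an implicit-TLS port nor STARTTLS. The sample CAPABILITY lines are constructed, and `secure_login` is the only function that touches the network; the others run offline.

```python
"""Decide whether an IMAP login can be performed without exposing the
password, based on the server's CAPABILITY response.

Added example, not Yahoo's or Zimbra's code. The CAPABILITY lines below
are constructed for illustration; nothing here opens a socket unless
secure_login() is called explicitly.
"""
from __future__ import annotations

import imaplib
import ssl

# Constructed sample responses (not captured from any real server).
CAP_STARTTLS = b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN"
CAP_PLAIN_ONLY = b"* CAPABILITY IMAP4rev1 AUTH=PLAIN"
CAP_ON_TLS_PORT = b"* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2"


def parse_capabilities(line: bytes) -> set[str]:
    """Turn an untagged CAPABILITY response into a set of upper-case tokens."""
    parts = line.decode("ascii", errors="replace").strip().split()
    if len(parts) >= 2 and parts[0] == "*" and parts[1].upper() == "CAPABILITY":
        parts = parts[2:]
    return {p.upper() for p in parts}


def login_plan(caps: set[str], connection_is_tls: bool) -> str:
    """Return 'login', 'starttls-then-login' or 'refuse'.

    Rule: the password only travels inside TLS. A plaintext connection is
    acceptable only as a stepping stone to STARTTLS. Whether the server
    would *accept* a plaintext LOGIN (no LOGINDISABLED) is irrelevant.
    """
    if connection_is_tls:
        return "login"
    if "STARTTLS" in caps:
        return "starttls-then-login"
    return "refuse"


def secure_login(host: str, user: str, password: str, port: int = 993):
    """Connect and log in without ever sending the password in the clear.

    Not exercised by the offline test; shown to make the plan concrete.
    Port 993 is implicit TLS; any other port must upgrade with STARTTLS.
    """
    ctx = ssl.create_default_context()
    if port == 993:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        return conn.login(user, password)
    conn = imaplib.IMAP4(host, port)
    caps = {c.upper() for c in conn.capabilities}
    if login_plan(caps, connection_is_tls=False) != "starttls-then-login":
        conn.logout()
        raise RuntimeError("server offers no TLS; refusing to send the password in the clear")
    conn.starttls(ctx)  # certificate is verified by the default context
    return conn.login(user, password)
```

The last case in `login_plan` is the one the article describes: a server that refuses secure connections gets no password at all, which turns a silent credential leak into a visible connection failure.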
High on our list of dream e-mail features is something to stop us from sending an e-mail without the attachments we claim to be including. Well, if you’re a Gmail user, that feature is now available through an awesome new Labs feature: Forgotten Attachment Detector.
Forgotten Attachment Detector (which you can enable in the Labs section of your Gmail settings) adds a warning if you use the word “attached” in an e-mail, but don’t actually attach any files. The warning acts just like the existing warnings when you forget to write a subject or add a recipient for your e-mail.
Obviously it’s not perfect. If you write an e-mail telling someone how attached you are to your new kitten, yes, it will prompt you to upload a file. Similarly, if you tell someone to “see the files in this message” the filter will miss the cue, but at least some of the time, it should help remind you to actually attach your files.
Now if you just had a “recall” button to stop those late-night, alcohol-soaked rants…
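To make the heuristic and its two failure modes concrete, here is an added example (not Google’s Labs code) that runs the same kind of check over an RFC 5322 message using Python’s `email` module: warn when a trigger word appears in the text body but no part carries an attachment disposition or filename. The trigger words and the sample messages are constructed; the kitten message reproduces the false positive and the “see the files in this message” one reproduces the miss described above.

```python
"""Heuristic 'forgotten attachment' check over an e-mail message.

Added example, not Gmail's implementation. Trigger words and sample
messages are constructed for illustration.
"""
from __future__ import annotations

import re
from email import message_from_string, policy
from email.message import EmailMessage, Message

# Constructed trigger list; a real detector would be tuned on real mail.
TRIGGER = re.compile(r"\b(attached|attachment|attachments|attaching)\b", re.IGNORECASE)


def has_attachment(msg: Message) -> bool:
    """True if any MIME part is an attachment or carries a filename."""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" or part.get_filename():
            return True
    return False


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not themselves attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def forgotten_attachment_warning(raw: str) -> bool:
    """Return True when the body talks about an attachment but none is present."""
    msg = message_from_string(raw, policy=policy.default)
    return bool(TRIGGER.search(body_text(msg))) and not has_attachment(msg)


def build(body: str, attachment: bytes | None) -> str:
    """Construct a sample message (hypothetical addresses) for the demo."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Report"
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="report.pdf")
    return m.as_string()


if __name__ == "__main__":
    for text, blob in [("Please find the report attached.", None),
                       ("Please find the report attached.", b"%PDF-1.4 demo"),
                       ("I am so attached to my new kitten!", None),
                       ("See the files in this message.", None)]:
        print(forgotten_attachment_warning(build(text, blob)), "<-", text)
```

The check is deliberately a keyword match on the body, which is exactly why the kitten message trips it and the “see the files” message does not; the value is in catching the common phrasing, not in understanding the sentence.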
Let’s talk security and why you should take advantage of Gmail’s recent SSL feature, and why you might want to be careful using other non-SSL webmail services.
But first, make sure your connection is secured using SSL.
How do you know a connection is secured by SSL? The handy “s” after “http” will tell you. For example, https://mail.google.com is encrypted while http://mail.google.com is not. You can force encryption by adding the “s” yourself, or by turning on “Always use https” from the Browser Connection settings of your Gmail account.
Why? Because without it, anyone can easily hack someone’s account and in two weeks it is going to get even easier. Mike Perry, a reverse engineer from San Francisco, announced his intention to release his Gmail Account Hacking Tool to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent. It is urgent, and here’s why.
Before Gmail released the ability to automatically encrypt your Gmail connections, your browser/server interactions went something like this:
Your Browser: Hey there Gmail, I want in. Here’s my encrypted login.
Gmail Servers: Hey there, browser. I see your encrypted login fits what I have here. If you want to keep talking to me, I will need to see proof of your login, but don’t bother encrypting it for me. Here is your unencrypted email.
Your Browser: Great. I want to read this particular email, my Gmail login is: email@example.com and my password is: monkeylove. My name is John Hanks Doe and my social security number is 123-45-6789.
Gmail Servers: Sure, here you go. I see you are leaving for vacation with the house unlocked this weekend. Say, is this your credit card information?
Guy packet sniffing your wi-fi from Starbucks: Cool!
It’s a little more complex than that (and a little less goofy and dramatic), but the theory is sound. Using encryption at login only is the equivalent of setting up a toll booth in the desert.
Here’s the exploit: All it takes to steal someone’s Gmail account is to intercept any transaction, since every single one, even an image request, passes a cookie which contains the session information.
Spoof the session, and you get free rein over the account — including the ability to change your password. Every non-SSL session is in plain text. With a little determination, any bored, disaffected youth could read your email and change your password within a day. Is it really that easy? Here’s a useful tutorial we found via Google search. When the Gmail Account Hacking Tool is eventually released, it couldn’t be any easier.
With SSL, however, the interaction looks something like this:
Your Browser: xz6RV-BRJViqzNJROECslw
Gmail Servers: jx3iC96D3kuZ_IWNrK461w
Your Browser: PxIryG_P3_3_vRENZdWxMQ
The real thing would be even longer, and perfectly unreadable. SSL requires a key generated on your end and on the Gmail server’s end. There’s no way for the local guy at Starbucks to get those keys and decrypt the data by packet sniffing.
Makes you feel a little vulnerable knowing all your public information was so nakedly exposed over the past few years, huh? Did Google know about this?
It turns out they were well aware of it. The reason Google didn’t grant users the SSL feature before, according to Perry, was because SSL is expensive. It takes a lot of bandwidth and time on both the receiver and transmitter sides to generate keys and encrypt data. Slower data connections would experience a lagging Gmail experience.
Packet sniffing for session information is not a new thing, and is bound to get even more familiar due to how easy it is. Keep in mind, it is not just Gmail which passes account information outside of SSL encrypted connections. There are many sites around the internet that are still vulnerable to this exploit. Protecting your wifi connection with WEP isn’t foolproof either. Your best bet is to use SSL whenever you are transferring information valuable to you, and to avoid sites that don’t use it at all.
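The session-cookie problem described above has two defensive halves: the user forces https (the “s” and the “Always use https” setting), and the site marks its session cookie so the browser never sends it over plain HTTP at all. The following is an added example (not Google’s code) that audits `Set-Cookie` headers for session-looking cookies missing the `Secure` flag and rewrites an http URL to https; the header lines, the cookie names and the session-name heuristic are all constructed.

```python
"""Audit Set-Cookie headers for session cookies that would travel over plain
HTTP, and rewrite URLs to https.

Added example, not Gmail's code. Cookie names and header samples are
constructed; the "looks like a session cookie" heuristic is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class CookieReport:
    name: str
    secure: bool      # browser sends it only over https
    http_only: bool   # page scripts cannot read it


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value into name plus the two flags we care about."""
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in pieces[1:]}
    return CookieReport(name, "secure" in attrs, "httponly" in attrs)


def looks_like_session_cookie(name: str) -> bool:
    """Constructed heuristic: names that usually carry a login session."""
    return any(hint in name.lower() for hint in ("sess", "sid", "auth", "token"))


def audit(set_cookie_headers: list[str]) -> list[str]:
    """Return one finding per session cookie that lacks Secure or HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if not looks_like_session_cookie(c.name):
            continue
        if not c.secure:
            findings.append(f"{c.name}: no Secure flag; sent on every http:// request, "
                            f"including image loads, so a sniffer can replay it")
        if not c.http_only:
            findings.append(f"{c.name}: no HttpOnly flag; readable by any script on the page")
    return findings


def force_https(url: str) -> str:
    """Rewrite an http:// URL to https://, leaving https URLs untouched."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


# Constructed sample headers as a server might send them.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",            # leaks over http
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",    # correct
    "PREF=lang=en; Path=/",                          # not a session cookie
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
    print(force_https("http://mail.google.com/mail/"))
```

The first sample header is the situation the article describes: a perfectly good session cookie that the browser will happily attach to a plain-http image request. Today a site would pair the `Secure` flag with a `Strict-Transport-Security` header so the browser never makes that plain-http request in the first place; that is the server-side version of the “Always use https” setting.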
Monday, we wrote about Gmail’s seemingly unprecedented outage and the resulting panic on Twitter. Okay, sure, the world did not end as we prophesied — our emergency cyanide pills are left untouched on the shelf waiting for the big day.
The service was restored in time, and the panic on Twitter has since subsided to a distant murmur of fear-mongering, strange prophecies and naysaying.
Still, Gmail’s outage was a pretty big deal for cloud computing. You may not have your entire customer service department on Gmail or may not be a paying customer using Google Apps, but there are hundreds (if not thousands?) of companies that are.
Google knows it too. Vice president of engineering Jeff Huber hit the Twitter tubes and updated everyone soon after Gmail was restored to browsers everywhere:
Ow. Painful afternoon for Gmail users. Sorry. We’ll be working on better/faster communications, and of course making that not happen again. – Jeff Huber
The Gmail Blog followed up with an even more official response titled “We Feel Your Pain and We’re Sorry.”
Many of you had trouble accessing Gmail for a couple of hours this afternoon, and we’re really sorry. The issue was caused by a temporary outage in our contacts system that was preventing Gmail from loading properly. Everything should be back to normal by the time you read this.
We heard loud and clear today how much people care about their Gmail accounts. We followed all the emails to our support team and user group, we fielded phone calls from Google Apps customers and friends, and we saw the many Twitter posts. (We also heard from plenty of Googlers, who use Gmail for company email.) We never take for granted the commitment we’ve made to running an email service that you can count on.
They are really, really sorry, and many of us appreciate it. For a few hours of our day, Gmail users’ lives came to a halt — that is, if you use email. According to a Pew Internet and American Life study, 55% of us do every day. It’s the most used internet application out there and so it is easy to see why people would get upset. We’re not even considering the addition of IM use, which is embedded in the Gmail service.
In some cases, when email is down, companies bleed money by the second — money used to pay employees twiddling their thumbs, lost orders, losses repairing the damage from the downtime, etc…
A lot of people probably lost big-time money yesterday by offloading their IT departments to Google. For them, yeah, it’s a pretty big deal — but one of the trade-offs of moving computing to the cloud.
Others reacted to the outage by urging self-restraint and perspective. Many dream of the kind of uptime Gmail has compared to their ISPs or local area networks.
Droopycom commented on our initial post with one perspective:
“On a personal level, I had more outages from my ISP, than from Gmail. On a professional level, I have had more outages at work because of power outage, ISP outages, company servers outage, or just my damn workstation crashing, than I had Gmail outages. It’s not the end of the world. It’s much better than a lot of stuff.”
In other words, if you can host e-mail servers with the efficiency Google has, hats off to you. For those of us who get our e-mail for free via Gmail, our only option is asking for our money back.
Google has changed a longstanding and controversial behavior in the company’s mail app — Gmail no longer automatically adds everyone you e-mail to your contact list. If by chance you liked that behavior, Gmail will still keep track of all the people you send messages to, but the list is cordoned off in a new “suggested contacts” list.
To get them or any new ones back, there’s a new option to move your “suggested contacts” into the address book, but according to early reports the old behavior is essentially gone.
Based on feedback from previous Monkey_Bites posts, most users will likely welcome the changes — particularly since, with the old behavior, even addresses like those from bulk mailing lists would clutter up your address book.
As with most new Gmail features the address book changes appeared to be rolling out in phases. So far my account hasn’t been updated, if yours has let us know what you think.