All posts tagged ‘ssl’

File Under: privacy, Security

Why Wait for Google? Use Encrypted Search Today

Google appears to be expanding the use of its encrypted search page, automatically redirecting some Chrome users to the HTTPS version of Google search. The company has also expanded the number of Google search tools that work with the encrypted page to include Google Image Search, Google Instant and Google Instant Preview.

Using Google search over SSL means that your search terms are encrypted, so prying eyes can’t see what you’re searching for, nor can they see the results you get back. Google’s efforts to provide an encrypted search page are just one part of a broader move afoot on the web to shift more traffic over to the more secure HTTPS protocol.

Why all the fuss about HTTPS? Well, every time you search Google or log in to Twitter or Facebook over a plain HTTP connection, you expose your data to the world. It’s a bit like writing your username and password on a postcard and dropping it in the mailbox. There is a better way, the secure version of HTTP — HTTPS. That extra “S” in the URL means your connection is secure, and it’s much harder for anyone else to see what you’re doing. Think of the extra “S” as the envelop that keeps prying eyes from looking at your postcards.

Although the HTTPS version of Google does, in Google’s words, “provide you with a more secure and private search experience,” it’s worth noting that it doesn’t stop Google from tracking your search terms and other data.

Google Operating System, which tracks all things Google, dug up a post on the Google Support Forums where a Google employee says that Google is “running an experiment with some percentage of Chrome 14 users where we send them to SSL search.” That means that some Chrome users may find themselves using the HTTPS search page without even realizing they are.

Chrome 14 is still in beta, so in order for this to affect you, you’ll need to be using the beta channel.

Of course even if you aren’t part of Google’s effort to expand Google Search over SSL, doesn’t mean you can’t configure your browser to use the HTTPS search page by default. Firefox fans can just install the HTTPS Everywhere extension. Chrome and Chromium users can simply right-click the URL bar, choose “edit search engines” and then look for the Google entry. Just click edit, add an “s” to the end of the “http” and you’re done. Internet Explorer users can head to the IE add-ons page and create a new search provider using the form.

Photo: Joffley/Flickr/CC

See Also:

Why You Should Turn Gmail’s SSL Feature On Now

Let’s talk security and why you should take advantage of Gmail’s recent SSL feature, and why you might want to be careful using other non-SSL webmail services.

But first, make sure your connection is secured using SSL.

How do you know a connection is secured by SSL? The handy “s” after “http” will tell you. For example, https://mail.google.com is encrypted while http://mail.google.com is not. You can force an encryption by adding the “s” yourself, or by turning on “Always use https” from the Browser Connection settings of your Gmail account.

Why? Because without it, anyone can easily hack someone’s account and in two weeks it is going to get even easier. Mike Perry, a reverse engineer from San Francisco, announced his intention to release his Gmail Account Hacking Tool to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent. It is urgent, and here’s why.

Before Gmail released the ability to automatically encrypt your Gmail connections, your browser/server interactions went something like this:

Your Browser: Hey there Gmail, I want in. Here’s my encrypted login.

Gmail Servers: Hey there, browser. I see your encrypted login fits what I have here. If you want to keep talking to me, I will need to see proof of your login, but don’t bother encrypting it for me. Here is your unencrypted email.

Your Browser: Great. I want to read this particular email, my Gmail login is: webmonkey@wired.com and my password is: monkeylove. My name is John Hanks Doe and my social security number is 123-45-6789.

Gmail Servers: Sure, here you go. I see you are leaving for vacation with the house unlocked this weekend. Say, is this your credit card information?

Guy packet sniffing your wi-fi from Starbucks: Cool!

It’s a little more complex than that (and a little less goofy and dramatic), but the theory is sound. Using encryption at login only is the equivalent of setting up a toll booth in the desert.

Here’s the exploit: All it takes to steal someone’s Gmail login account is to intercept any transaction since every single one, even images, pass a cookie which contains the session information.

Spoof the session, and you get free reign to the account — including the ability to change your password. Every non-SSL session is in plain text. With a little determination, any bored, disaffected youth could read your email and change your password within a day. Is it really that easy? Here’s a useful tutorial we found via Google search. When the Gmail Account Hacking Tool is eventually released, it couldn’t be any easier.

With SSL, however, the interaction looks something like this:

Your Browser: xz6RV-BRJViqzNJROECslw

Gmail Servers: jx3iC96D3kuZ_IWNrK461w

Your Browser: PxIryG_P3_3_vRENZdWxMQ

The real thing would be even longer in length, and perfectly unreadable. SSL requires a key generated on your end and on the Gmail server’s end. There’s no way for the local guy at Starbucks to get those keys and unencrypt the data by packet sniffing.

Makes you feel a little vulnerable knowing all your public information was so nakedly exposed over the past few years, huh? Did Google know about this?

It turns out they were well aware of it. The reason Google didn’t grant users the SSL feature before, according to Perry, was because SSL is expensive. It takes a lot of bandwidth and time on both the receiver and transmitter sides to generate keys and encrypt data. Slower data connections would experience a lagging Gmail experience.

Packet sniffing for session information is not a new thing, and is bound to get even more familiar due to how easy it is. Keep in mind, it is not just Gmail which passes account information outside of SSL encrypted connections. There are many sites around the internet that are still vulnerable to this exploit. Protecting your wifi connection with WEP isn’t foolproof either. Your best bet is to use SSL whenever you are transferring information valuable to you, and to avoid sites that don’t use it at all.

[Thanks to Hacking Truths for the tip.]

See Also: