AOH :: ISNQ5168.HTM

SSL Gmail Not As Safe As You Thought




SSL Gmail Not As Safe As You Thought
SSL Gmail Not As Safe As You Thought



http://blog.wired.com/27bstroke6/2008/01/ssl-gmail-not-a.html 

By Kim Zetter 
Wired.com
January 31, 2008

One of the big stories at DefCon last year was a security researcher's 
demonstration of wirelessly sniffing users' session cookies while they 
accessed their e-mail accounts or conducted e-commerce transactions via 
wireless networks. The attack allowed a hacker access to the victim's 
Gmail or Hotmail account without needing to decipher the user's 
password.

Now the security researcher who presented that info has found that even 
using SSL HTTPS to access your Gmail account -- which was touted at the 
time as a surefire way to protect Gmail users against such an attack -- 
is vulnerable to this hack.

Robert Graham of Errata Security says he's been able to grab session 
cookies even when users access their account in a presumably secure 
manner. He describes the vulnerability on his blog [1]:

    In theory, using the HTTPS version of Gmail should protect you by 
    going to https://mail.google.com/mail, but this doesn't work as you 
    think. The JavaScript code uses an XMLHttpRequest object to make 
    HTTP requests in the background. These are also SSL encrypted by 
    default - but they become unencrypted if SSL fails.

    When you open your laptop and connect to a WiFi hotspot, it usually 
    presents you with a login page, or a page that forces you to accept 
    their terms and conditions. During this time, SSL will be blocked. 
    Gmail will therefore backoff and attempt non-SSL connections. These 
    also fail - but not before disclosing the cookie information that 
    allow hackers to sidejack your account.

[1] http://erratasec.blogspot.com/2008/01/more-sidejacking.html 


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 

Site design & layout copyright © 1986-2014 CodeGods