Aug 20 2008
If the possibility of ending up on the Wall of Sheep at Defcon and Black Hat wasn’t enough for you, Mike Perry is about to release a tool that automatically steals the Gmail ID’s of any non-encrypted sessions it finds. If you’re surfing on the free, public wi-fi at your local coffee shop, anyone with a modicum of computer skills will be able to sniff your traffic with this tool and take over your account. Of course, this has been possible for quite some time, but this tool brings the difficulty down to something the average script kiddy can do rather than having to be Robert Graham.
Gmail has been capable of running on SSL for quite some time, but it’s not something that’s enabled by default. I always typed the https in by hand, but I don’t completely trust that method. I’ve used Better Gmail2 in the past, but that doesn’t like FireFox 3 for some reason. There are also a number of scripts for GreaseMonkey that force Gmail to use SSL, but now Gmail has made it an option on the settings page. It’s on the bottom of the page and easy to miss if you’re not looking closely.