Aug 20 2008
Force Gmail to use HTTPS
If the possibility of ending up on the Wall of Sheep at Defcon and Black Hat wasn’t enough for you, Mike Perry is about to release a tool that automatically steals the Gmail session IDs of any non-encrypted sessions it finds. If you’re surfing on the free, public wi-fi at your local coffee shop, anyone with a modicum of computer skills will be able to sniff your traffic with this tool and take over your account. Of course, this has been possible for quite some time, but this tool brings the difficulty down to something the average script kiddy can do rather than requiring the skills of Robert Graham.
Gmail has been capable of running on SSL for quite some time, but it’s not something that’s enabled by default. I always typed the https in by hand, but I don’t completely trust that method. I’ve used Better Gmail 2 in the past, but that doesn’t like Firefox 3 for some reason. There are also a number of Greasemonkey scripts that force Gmail to use SSL, but now Gmail has made it an option on the settings page. It’s at the bottom of the page and easy to miss if you’re not looking closely.
I’ve been doing this for ages just by going to https://mail.google.com/. It never goes back to HTTP because all of the links don’t have the protocol in them. It’s cool that they made it an option but it was always there for you if you wanted it.
I’ve never been 100% sure that, even if you tell it to use https, it’s using it in all cases. I haven’t ever seen it drop to plain HTTP, but I’ll be the first to admit I’m not always watching for that.
I just think it’s a good thing they’ve made this an option, since if you’re like me and you’re reading your email on 3-4 different computers in a day, you want to make sure you’re running on SSL every time. And yes, all those are computers I have control over, one desktop, two laptops and occasionally my wife’s desktop.
Martin
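The two comments above raise the same question from opposite sides: why relative links keep a session on HTTPS, and how you would check that a session really never drops to HTTP. The script below is an added example, not code from the post or from Google; it resolves links the way a browser does and flags cookies that lack the Secure attribute (which the browser would also send over any plain-HTTP request). The page URL, link list and Set-Cookie headers are constructed sample values, not captured Gmail traffic.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


def stays_on_https(current_url: str, link: str) -> bool:
    """Resolve a link as a browser would and report whether following it
    keeps the session on HTTPS. Relative ("?ui=1", "/mail/...") and
    protocol-relative ("//host/...") links inherit the scheme of the page
    they appear on; only an absolute http:// link drops back to plain HTTP."""
    return urlsplit(urljoin(current_url, link)).scheme == "https"


def downgrade_links(current_url: str, links):
    """Return the links on a page that would leave HTTPS if followed."""
    return [link for link in links if not stays_on_https(current_url, link)]


def cookies_sent_over_http(set_cookie_headers):
    """Given raw Set-Cookie header values, return the names of cookies that
    lack the Secure attribute. The browser will attach those to any plain-HTTP
    request to the same site, where a sniffer on open wi-fi can read them,
    so a session cookie without Secure undoes the benefit of logging in over SSL."""
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # one Set-Cookie header per call
        for name, morsel in jar.items():
            if not morsel["secure"]:
                exposed.append(name)
    return exposed


# Constructed sample data (not captured from Gmail): the page URL, the links
# found on it, and the Set-Cookie headers from a login response.
PAGE = "https://mail.google.com/mail/"
LINKS = [
    "?ui=1",
    "/mail/contacts",
    "//mail.google.com/mail/settings",
    "http://mail.google.com/mail/?logout",
]
LOGIN_COOKIES = [
    "session=constructed-value; Path=/; Secure; HttpOnly",
    "pref=constructed; Path=/",
]

if __name__ == "__main__":
    print("links that drop to HTTP:", downgrade_links(PAGE, LINKS))
    print("cookies also sent over HTTP:", cookies_sent_over_http(LOGIN_COOKIES))
```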
Sadly, this feature does not seem to have disseminated to the Apps for Domains / Universities, as my student email does not have it yet. But it’s still SSL from beginning to end if you choose to go to the https domain; in fact the university explicitly starts off on SSL, so it never leaves SSL mode.
Yahoo/MSN Mail have SSL on login but all email is plain http, sadly. Though of the two I only use Yahoo mail. So it’s a cool feature that Google added.
The CustomizeGoogle extension for Firefox 3 also has an option to set each Google service you use to always use HTTPS. Seems to work pretty well so far.
While this is an excellent tip, the problem becomes a bit more complicated for users who use an aggregation mail service, which is usually their old ISP mail, configured to pull e-mail from all their other e-mail addresses and dump it in a single account.
These services are not new, and the operator rarely bothers to implement anything better than POP3 or HTTP, so all you need to do is set up an aggregation account and all your passwords will start flying in the open.
Bozidar Spirovski
http://www.shortinfosec.net
[...] Network Security Blog… Force Gmail to use HTTPS Martin McKeay explains how users can protect themselves from having Gmail login data stolen when [...]
I didn’t know this was a standard part of Gmail, and I certainly did not think using it was just a matter of adding an s to the URL. I did know that the s denoted a secure connection, but not that it was usable with Gmail.
Thanks
Much appreciated.
I will use it everywhere now.
Graham