Aug 20 2008

Force Gmail to use HTTPS

Published by at 6:11 am under Encryption,Hacking,Security Advisories

If the possibility of ending up on the Wall of Sheep at Defcon and Black Hat wasn’t enough for you, Mike Perry is about to release a tool that automatically steals the Gmail session IDs of any unencrypted session it finds. If you’re surfing on the free public wi-fi at your local coffee shop, anyone with a modicum of computer skills will be able to sniff your traffic with this tool and take over your account. Of course, this has been possible for quite some time, but this tool brings the difficulty down to something the average script kiddie can manage, rather than requiring the skills of Robert Graham.

Gmail has been capable of running over SSL for quite some time, but it’s not enabled by default. I always typed the https in by hand, but I don’t completely trust that method: it depends on every link and redirect keeping you on https. I’ve used Better Gmail 2 in the past, but it doesn’t get along with Firefox 3 for some reason. There are also a number of Greasemonkey scripts that force Gmail to use SSL, but now Gmail has made it an option on the settings page (“Browser connection: Always use https”, at the bottom of the General tab). It’s easy to miss if you’re not looking closely.
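The user-script approach mentioned above, as an added example that is not code from the original post, from Gmail, or from any of the extensions named: the URL rewrite a Greasemonkey-style “force HTTPS” script performs, together with a Set-Cookie check that shows the caveat a practitioner should know. A client-side redirect fires only after the page has already been fetched over http, so any session cookie set without the Secure attribute has already crossed the wire in the clear by the time the script runs; a fix that actually protects the cookie has to come from the server (a Secure attribute on the cookie, and a redirect before the session cookie is issued). The host list and the sample Set-Cookie headers (made-up cookie names, example.com domain) are assumptions of this example.

```javascript
// Added example, not code from the original post or from Gmail: the core of a
// Greasemonkey-style "force HTTPS" user script, plus a check that shows why the
// redirect alone does not protect a session cookie.
//
// Assumptions (not stated in the post): FORCED_HOSTS lists only mail.google.com;
// the Set-Cookie headers below are constructed samples with made-up cookie names.

const FORCED_HOSTS = new Set(['mail.google.com']);

// Rewrite an http:// URL for a forced host to https://, keeping path, query and
// fragment. Returns null when nothing needs to change (already https, or the
// host is not one we force), so a caller can distinguish "redirect" from "leave".
function toHttps(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== 'http:' || !FORCED_HOSTS.has(url.hostname)) {
    return null;
  }
  url.protocol = 'https:';
  return url.toString();
}

// Split one Set-Cookie header into the cookie name and a map of lower-cased
// attribute names to values (true for valueless attributes such as Secure).
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Names of cookies the browser would still attach to a plain http:// request:
// every cookie set without the Secure attribute. A user script that redirects
// to https runs only after the http response has arrived, so by then the
// browser has already sent these cookies in the clear.
function cookiesExposedOverHttp(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !('secure' in c.attributes))
    .map((c) => c.name);
}

// Constructed sample Set-Cookie headers (illustrative; not captured from Gmail).
// The first two are the same session cookie issued without and with Secure.
const SAMPLE_SET_COOKIE = [
  'SID=abc123; Domain=mail.example.com; Path=/; HttpOnly',
  'SID=abc123; Domain=mail.example.com; Path=/; Secure; HttpOnly',
  'PREF=lang=en; Path=/',
];

// User-script entry point: in a browser, redirect at once if the page came in
// over http. Guarded so the same file can be loaded under Node for the checks.
if (typeof window !== 'undefined' && window.location) {
  const target = toHttps(window.location.href);
  if (target !== null) window.location.replace(target);
} else {
  console.log(toHttps('http://mail.google.com/mail/?shva=1#inbox'));
  console.log(cookiesExposedOverHttp(SAMPLE_SET_COOKIE));
}
```

Run under Node, the file prints the rewritten URL and the names of the cookies that would have gone out over plain http (here SID, from the non-Secure variant, and PREF). Loaded as a user script, the top-level guard performs the redirect instead; Greasemonkey runs scripts once the document has loaded, which is exactly why that redirect comes too late for a cookie without Secure.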

There’s no reason not to use HTTPS anywhere other than your home network, and quite frankly there’s no real reason not to use it at home either. Google’s excuse that it might slow down your connection is pretty lame; if that’s the only reason you’re not using HTTPS, you need to rethink whether you should be accessing Gmail at all when remote.


7 Responses to “Force Gmail to use HTTPS”

  1. Skye on 20 Aug 2008 at 10:56 am

    I’ve been doing this for ages just by going to https://mail.google.com/. It never goes back to HTTP because all of the links don’t have the protocol in them. It’s cool that they made it an option but it was always there for you if you wanted it.

  2. Martin on 20 Aug 2008 at 11:09 am

    I’ve never been 100% sure that even if you tell it to use https that it’s using it in all cases. I haven’t ever seen it drop to plain HTTP, but I’ll be the first to admit I’m not always watching for that.

    I just think it’s a good thing they’ve made this an option, since if you’re like me and you’re reading your email on 3-4 different computers in a day, you want to make sure you’re running on SSL every time. And yes, all those are computers I have control over, one desktop, two laptops and occasionally my wife’s desktop.

    Martin

  3. Skye on 20 Aug 2008 at 11:16 am

    Sadly, this feature does not seem to have disseminated to the Apps for Domains / Universities as my student email does not have it yet. But it’s still SSL from beginning to end if you choose to go to https domain, in fact the university explicitly starts off SSL so it never leaves SSL mode.

    Yahoo/MSN Mail have SSL on login but all email is plain http, sadly. Though of the two I only use Yahoo mail. So it’s a cool feature that Google added.

  4. Tom on 20 Aug 2008 at 12:28 pm

    The CustomizeGoogle extension for Firefox 3 also allows one to set each Google service they use to always use HTTPS. Seems to work pretty well so far.

  5. Bozidar Spirovski on 20 Aug 2008 at 11:14 pm

    While this is an excellent tip, the problem becomes a bit more complicated for users who use an aggregation mail service, which is usually their old ISP mail, configured to pull e-mail from all their other e-mail addresses and dump it into a single account.

    These services are not new, and the operator rarely bothers to implement anything better than POP3 or HTTP, so all you need to do is set up an aggregation account and all your passwords will start flying in the open :)

    Bozidar Spirovski
    http://www.shortinfosec.net

  6. […] Network Security Blog… Force Gmail to use HTTPS Martin McKeay explains how users can protect themselves from having Gmail login data stolen when […]

  7. Graham Murray on 07 Oct 2008 at 1:13 pm

    I didn’t know this was a standard part of gmail and I certainly did not think using it was just a matter of adding an s to the url. I did know that the s denoted a secure connection but not that it was usable with gmail.

    Thanks

    Much appreciated.
    I will use it everywhere now.

    Graham
