Gmail/SSL

Jonathan Addington madjon at gmail.com
Sat Aug 9 20:22:21 UTC 2008


On Sat, Aug 9, 2008 at 2:47 PM, coderman <coderman at gmail.com> wrote:
> On Sun, Mar 9, 2008 at 5:23 PM, Jonathan Addington <madjon at gmail.com> wrote:
>> I've been following the conversation regarding Gmail and SSL bits in
>> other threads because, as you can tell, I use Gmail, and was under the
>> impression that https:// will keep everything over an SSL connection.
>
> an update of note: Gmail now supports an account option to enforce the
> secure only bit on session cookies and keeps your entire gmail session
> on SSL.  this makes attacks like Mike Perry's active side jacking
> impossible, as the session cookie is no longer sent in the clear when
> http:// non-SSL links are injected into browser content.
>
> to enable this feature:
> - at top of page select "Settings"
> - scroll to bottom of section for "Browser connection:" preference
> - select "Always use https"
>
> this will pass the Secure / secureonly option when setting the GX=...
> session cookie used to identify your authenticated session.  this
> cookie will then never be sent over plain-text connections, protecting
> you from passive / active side jacking attacks.
>
> be sure to use a somewhat modern browser that supports secure only
> cookies.  you can also verify correct operation with the "Live HTTP
> Headers" plugin for Firefox.
>
> best regards,
>

This is also on the Gmail blog, which notes that going to
https://mail.google.com always had the same effect. (At least
hopefully!)


-- 
madjon at gmail.com

Calendar (usually up to date):
http://www.google.com/calendar/embed?src=madjon%40gmail.com&ctz=America/Chicago&pvttk=715ccc706e1e426d956ad8d6f7f9b16a
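The mechanism coderman describes above, as an added example that is not part of the thread and not Google's or anyone's browser code: a minimal cookie jar that honours Domain, Path and Secure, fed the same GX session cookie once without and once with the Secure flag, then asked what it would attach to an injected http://mail.google.com link. The cookie value, Domain and Path below are constructed for illustration; the thread only names the cookie as GX. The audit() helper mirrors what you would eyeball in Live HTTP Headers: does the Set-Cookie line for GX carry Secure.

```python
"""Secure cookie flag vs. side-jacking: a simplified model (added example).

Not a full RFC 6265 cookie jar: expiry, HttpOnly and SameSite are ignored.
The headers at the bottom are constructed; only the name GX comes from the
thread.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # stored without a leading dot
    path: str
    secure: bool


def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix).

    Missing Domain/Path default the way browsers default them: the responding
    host and '/'.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower(), "/", False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
    return cookie


def domain_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def path_matches(url_path, cookie_path):
    if url_path == cookie_path:
        return True
    if not url_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or url_path[len(cookie_path)] == "/"


class CookieJar:
    def __init__(self):
        self.cookies = []

    def store(self, set_cookie_header, request_host):
        self.cookies.append(parse_set_cookie(set_cookie_header, request_host))

    def cookie_header(self, url):
        """Return the Cookie: header a browser would attach to url, or None."""
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        path = u.path or "/"
        sent = []
        for c in self.cookies:
            if c.secure and u.scheme != "https":
                continue  # the Secure flag: never sent over plain text
            if domain_matches(host, c.domain) and path_matches(path, c.path):
                sent.append(f"{c.name}={c.value}")
        return "; ".join(sent) if sent else None


def audit(set_cookie_header):
    """What you would check in a captured Set-Cookie line: name and Secure."""
    c = parse_set_cookie(set_cookie_header, "mail.google.com")
    return {"name": c.name, "secure": c.secure}


# Constructed headers: value, Domain and Path are illustrative, not Google's.
GX_PLAIN = "Set-Cookie: GX=DQAAAG4AAABsession; Domain=.google.com; Path=/"
GX_SECURE = "Set-Cookie: GX=DQAAAG4AAABsession; Domain=.google.com; Path=/; Secure"


def simulate(set_cookie_header, login_host="mail.google.com"):
    """Log in over https, then visit a page with an injected http:// link."""
    jar = CookieJar()
    jar.store(set_cookie_header, login_host)
    return {
        "https": jar.cookie_header("https://mail.google.com/mail/"),
        "injected_http": jar.cookie_header("http://mail.google.com/mail/"),
    }


if __name__ == "__main__":
    for label, hdr in (("default", GX_PLAIN), ("Always use https", GX_SECURE)):
        print(label, "->", simulate(hdr))
```

With the plain header the jar hands GX to the injected http:// request, which is exactly the side-jacking case; with Secure set the http:// request goes out without it while the https:// request still carries it. The same parser on a header copied out of Live HTTP Headers tells you whether the Secure attribute is actually present.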
