Friday, August 3, 2007

Securing Gmail on unsecure networks

I found this article disturbing, and helpful:

http://www.tgdaily.com/content/view/33207/108/

This article shows a hack: if you are on an unsecured network where packets can be sniffed, such as an Ethernet network or an unsecured wireless network, your Gmail account can easily be compromised. The attacker sniffs your session ID out of the data stream, then clones your session on the Gmail server using that session ID and has full access to your email account.

This applies to other webmail applications as well, and to web applications in general that rely on session IDs (which is almost all of them now).

To protect yourself from this (with Gmail, anyway), simply go to https://mail.google.com instead of http://mail.google.com (notice the https://) when logging in to Gmail. If you are using Google to host your email domain, you'll need to go to https://mail.google.com/a/yourdomain.com.

Doing this (adding the https://) encrypts your entire session with SSL, so someone sniffing your traffic won't be able to get your session IDs. As for those of you out there who don't believe that this really solves the problem: you don't understand SSL, and that's OK, just trust me.

You should get in the habit of doing this, especially when you are using public Wi-Fi hotspots, or even if you are on an Ethernet network where you don't know what else is on the network (like a sniffing computer or even a wireless access point connected to the Ethernet network). Hotels would be a perfect example of a place where it would be easy to sniff out this kind of information.
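The following added example (not from the original post or from Gmail) models which cookies a browser attaches to a request for a given URL, so you can see which session identifiers would be readable on a sniffed network. The header values and the `mail.example` host are constructed, and Domain/Path matching is left out as a simplifying assumption.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def sent_in_cleartext(set_cookie_headers, url):
    """Names of cookies that would travel unencrypted on a request for `url`.

    Assumption: every cookie matches the URL's host and path.
    """
    if urlsplit(url).scheme.lower() == "https":
        return []  # the whole request, cookies included, is inside SSL/TLS
    exposed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        # Browsers withhold cookies marked Secure from http:// requests;
        # every other cookie is sent in the clear.
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed sample headers, not captured from any real service.
SAMPLE_HEADERS = [
    "SESSIONID=constructed-value-1; Path=/; HttpOnly",
    "AUTH=constructed-value-2; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for url in ("http://mail.example/inbox", "https://mail.example/inbox"):
        print(url, "->", sent_in_cleartext(SAMPLE_HEADERS, url))
```

A session cookie set without the `Secure` attribute is still sent in the clear if any later request to the same host goes over http://, so the protection holds only while every request stays on https://.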

Anyway, as an avid Gmail user I found this helpful, and I thought I would pass it along.

1 comment:

Anonymous said...

thank you.