Lorrie
Do You Use GMail? If so, please read:

[Edit: I invite anyone reading this to dig through the comments for good ancillary advice, and some insightful commentary from fxchip]

Hello, folks--earlier this month, at a well-known conference, there was announced a tool that can hack into any GMail account, regardless of how good your password is, as long as the data is flitting around unencrypted.

That's bad, m'kay?

Google has always had it so that your login credentials flit around encrypted, but once that's done, drops you to an unencrypted session (for long reasons that work out to "it's cheaper that way" for several kinds of "cheaper"). This will leave you quite open to this tool when it's released into the wild at the end of the month.

However, there's help! Google has just made it so that you can choose to have all your GMail traffic encrypted, and I would recommend this to any GMail user, even if you think "oh, my e-mail isn't that important". It's really easy to fix this. Actually, they should fix the dodgamn underlying bug, but leaving that aside for now, here's what you can do:

Simply log into GMail, and click on the Settings link over in the top right corner. At the bottom of this screen is a section labelled "Browser Connection", which by default is set to "Don't always use https". Change this to "Always use https", then click the "Save changes" button directly below. That "should" keep you safe from people using this fascinating new toy.


-- Lorrie

Thanks for the heads up Lorrie! Do you mind if I link to this on my LJ??

You're welcome--please do!

-- Lorrie

Thanks very much for the heads-up :)

You're welcome!

-- L

Thanks for the tip!!

You're welcome!

-- Lorrie

Thanks for the heads-up, much appreciated. I'll pass this on to my Flist.

You're welcome!

-- L

Thanks. I'll make sure others know.


I'll do this too. Gmail is my backup e-mail and the one I use for public stuff these days. I use a local freenet as well but it is a PITA sometimes and that's when I use gmail.
If I were looking for a different (free) web-based e-mail, are there any others you would recommend?

Heh--I have owned my own e-mail for years, and give out accounts to anyone whom I trust reasonably who would like one. I don't charge, and I come with webmail access. So, I'd recommend me, but I don't have a lot of the kickass features that GMail has.

-- Lorrie

Saw this on Lupa's LJ; thanks for the warning!

You're welcome!

Hi, I came here from Lupa's journal.

There are also a couple of Firefox plugins that automatically turn on SSL support with Google services (like CustomizeGoogle and Gmail Manager). You can also throw https:// in front of most Google URLs. The services that support SSL will use it, the ones that don't will redirect you to the non-encrypted version of the site.

Also beware of other applications that don't use SSL or TLS to access Google services when they use your credentials, like Mozilla Sunbird (a calendaring application with Google Calendar support; it caches your username and password if you let it) and various e-mail applications (SSL support for POP3 and IMAP can be turned on when accessing your Gmail account but many people forget that sending e-mail through their relays also requires your credentials, and forget to turn on TLS support in their outgoing SMTP server settings).

No matter how you cut it, if your login credentials go over an untrusted network and someone's running a packet sniffer, it's game over.
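
The outgoing-SMTP point in the comment above, as an added example that is not part of the original thread: a Python check over a client-side SMTP debug transcript that reports when AUTH is issued before the connection is encrypted. The transcript format ("C:"/"S:" prefixes), the host names and the function name are assumptions made for illustration.

```python
# Added example: flag SMTP sessions where AUTH is sent before TLS is in place.
# Transcript format ("C:" client, "S:" server) and host names are assumptions.
HEAD = ["S: 220 smtp.example.test ESMTP", "C: EHLO laptop.example.test",
        "S: 250-smtp.example.test", "S: 250-STARTTLS", "S: 250 AUTH PLAIN LOGIN"]
AUTH = ["C: AUTH PLAIN <base64-credentials>", "S: 235 2.7.0 Accepted"]

# Constructed session 1: credentials sent, TLS never requested.
PLAINTEXT_SESSION = HEAD + AUTH
# Constructed session 2: STARTTLS accepted (220) before a fresh EHLO and AUTH.
STARTTLS_SESSION = HEAD + ["C: STARTTLS", "S: 220 2.0.0 Ready to start TLS",
                           "C: EHLO laptop.example.test",
                           "S: 250 AUTH PLAIN LOGIN"] + AUTH


def audit_smtp_session(lines, implicit_tls=False):
    """Return findings for one transcript.

    implicit_tls=True models a connection wrapped in TLS from the first byte,
    where no STARTTLS command is expected.
    """
    encrypted = implicit_tls
    starttls_offered = False
    starttls_pending = False
    findings = []
    for line in lines:
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "S":
            # EHLO capability lines look like "250-STARTTLS" or "250 STARTTLS".
            if text[:3] == "250" and text[4:].upper().startswith("STARTTLS"):
                starttls_offered = True
            # Only a 220 reply to STARTTLS means the TLS handshake follows.
            if starttls_pending:
                encrypted = encrypted or text.startswith("220")
                starttls_pending = False
        elif side == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb == "STARTTLS":
                starttls_pending = True
            elif verb == "AUTH" and not encrypted:
                hint = "server offered STARTTLS" if starttls_offered else "no STARTTLS offered"
                findings.append(f"credentials sent in cleartext ({hint})")
    return findings


if __name__ == "__main__":
    for name, session in [("plaintext", PLAINTEXT_SESSION), ("starttls", STARTTLS_SESSION)]:
        print(name, audit_smtp_session(session) or "ok")
```

A refused STARTTLS (any reply other than 220) leaves the session marked unencrypted, so a client that falls back to plaintext AUTH is still reported.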

*@)#$! I don't even like gmail in the first place.

I had a libertarian crankyfit when it was made known that my e-mail was being parsed for ad value. Still...I worked at Hotmail for nigh unto two years, and someone's got to pay for all this stuff.

So I own my own e-mail server and installed a webmail package there instead. 8-)

-- Lorrie



Do note that you've got to log out and back in for the change to take effect, or at least I did. Just clicking the button doesn't make you any safer.

Also, MobileMe, the Apple version of same, doesn't even have a *way* to let you always use SSL on the web app-- so if you've got a me.com email address, you want to stick to using Mail.app instead of the MobileMe webmail.

It sorted me when I reloaded the page, actually, but relogging is a good idea in any case.

-- L

Thanks for the info - I just applied the "fix" on my own account.

And... I didn't get to see you this time (was just out in SF for a few days), but would very much like to the next time I'm out!

Excellent all around!

Thanks, sweetling! I'm all snuggled in well-armoured https goodness. *hugs*

Hoorah! *hugs*

Done, and thank you :)

You're welcome!

