
Gmail Gains Two New Security Features

Google this month rolled out two new security features to its free Gmail service. The first protects users against anyone lurking on the same network who might try to snoop on or hijack their inbox. The second makes it easy to tell whether an account is signed in at more than one location, and then to remotely sign that other machine out of the account.

When you log in to your Gmail account by typing http://mail.google.com into a Web browser, Gmail automatically switches you over to an https:// login page (secure sockets layer, or SSL) that encrypts the authentication process, so that anyone sniffing the local network cannot simply snag your username and password.

The trouble is that if you initially log in to Gmail using a plain http:// (unencrypted) session, Gmail will pop you back into an unencrypted session after that temporary switch to https:// for the login. Google says it leaves the option up to the user because encrypting and decrypting every single action in Gmail takes extra time (although the extra time is unlikely to be noticeable to most users), and some users logging in from a trusted connection may prefer a speedier unencrypted session.

But staying logged in under an http:// setting could pose problems, since Google will keep you logged in for an indeterminate amount of time by placing a session identifier (session ID) and a cookie on your system. And, as security researchers at last year's Black Hat hacker conference in Las Vegas showed, it is possible for attackers on a wireless network to capture the authentication files needed to keep a user logged in. During a public demo, the researchers showed how they could use those intercepted files to log in to the victim's account and stay logged in until that user affirmatively logged out.

While users can already avoid this situation by manually forcing https:// mode (i.e., typing https:// instead of http:// when logging in), Google has added a setting to Gmail that lets users always use SSL. To do this, log in and click "Settings" at the top of your inbox. Then scroll down to the bottom and select the radio button next to "Always use https".

Google also now includes a notice at the bottom of your inbox that tells you if your account is logged in at another location. Click the "details" link next to this message to see the Internet address of the other computer that is signed in, and then click "Sign out all other sessions" to remotely sign out that other location.

By Brian Krebs  |  July 28, 2008; 11:15 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  

Comments

Sounds like a good start...but why even offer the option of non-https?

It should be impossible to login to Gmail unless it's an https session.

Give end-users a chance to screw up (i.e. always using http) and they will!

Posted by: Nick | July 28, 2008 12:17 PM

This sounds like a great idea, though I agree the option to use non-SSL gmail is pretty ridiculous. Now only Google can read my mail! ;)

Not that it stops me. Gmail is by far the best internet email there is and I've used them all...Hotmail, Yahoo, MailCity then Lycos after they bought out MailCity, VT webmail; there are more I'm sure. I even prefer Gmail to remote Outlook.

Anyway, now this has become a serious digression. Go Gmail!

Posted by: hokiealumnus | July 28, 2008 1:25 PM

Bk> it is possible for attackers on a wireless network to capture the authentication files needed to keep a user logged in.

It's not a file. It's a cookie.

And it's possible for attackers on *any* broadcast medium, including normal ethernet, to observe cookies in transit. The problem is not specific to wireless networks.

Posted by: antibozo | July 28, 2008 2:08 PM

Note that if you check "Always use https" option in the settings, your Gmail Notifier will not work.

Annoying.

Posted by: Deaf.Randy | July 28, 2008 2:10 PM

The only one who really benefits from allowing unencrypted sessions is Google. The decreased speed of one encrypted session is pretty much not measurable by the end user, but encrypting hundreds or thousands more sessions at a time would put a drag on Google's servers. I'm a big Google fanboy, but I don't see any other plausible explanation for allowing unencrypted sessions.

Also, while I love the idea of being able to track multiple sessions, couldn't a compromised account be kept compromised by running a script to cancel other sessions if they show up? Sounds like it's a wash, mostly a convenience for those who leave themselves logged on to public terminals, but not a particularly strong security measure.

Posted by: The Cosmic Avenger | July 28, 2008 2:14 PM

"It's not a file. It's a cookie."

Um...unless browsers have come up with some magic way of remembering this information, a cookie is a file or a portion thereof.

Posted by: hokiealumnus | July 28, 2008 3:19 PM

hokiealumnus> Um...unless browsers have come up with some magic way of remembering this information, a cookie is a file or a portion thereof.

Um... no it isn't. A cookie is an abstraction. A concrete representation may or may not be stored in a file, depending on the browser and its cookie settings. Calling a cookie a file is like calling a URL a file. Sure, it might be stored in a file, just as URLs may be (e.g. browser history), but to call a cookie a "file" completely misses the abstraction.

Cookies are collections of name=value pairs that, like URLs, are received and sent in HTTP requests and responses. The difference is that, instead of going in the main request line ("GET uri http-version"), cookies are transmitted in Cookie: and Set-Cookie: headers.

The gmail cookies contain a unique session identifier which identifies a record in a database on the gmail servers, which contains the identity previously established through authentication. This is a standard practice, and cookies are used in favor of setting the session id as a URL parameter to avoid putting the session ID in people's browser histories.

Posted by: antibozo | July 28, 2008 4:31 PM
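The following is an added example, not part of the article or of any comment above. It models, in plain Python, the two points the article (login over https, then an http session that still carries the session cookie) and antibozo's comment (cookies as name=value pairs in Set-Cookie: and Cookie: headers, with the session ID pointing at a server-side record) make about where the exposure sits. The cookie name `SID`, the host names, the user name and the session table are constructed for the demonstration and are not Gmail's; the standard `Secure` cookie attribute is used here as a stand-in for the effect of the "Always use https" setting, which is an assumption about how that setting behaves, not something the page states.

```python
"""Constructed model of session cookies in transit over http vs https.

Nothing here is Gmail's real cookie layout or server code; every name and
value is made up for the example.
"""
import secrets
from typing import Optional
from urllib.parse import urlparse

# Server-side session table: opaque session ID -> authenticated user.
# The identity lives here, not in the cookie (constructed data).
SESSIONS: dict = {}


def issue_session(user: str, secure_only: bool) -> str:
    """Record an authenticated user and return the Set-Cookie header value.

    The cookie carries only a random ID. With secure_only=True the Secure
    attribute tells a browser never to attach the cookie to plain http.
    """
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    attrs = ["SID=" + sid, "Path=/", "HttpOnly"]
    if secure_only:
        attrs.append("Secure")
    return "; ".join(attrs)


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return name, value, attrs


def cookie_header_for(url: str, jar: list) -> str:
    """Build the Cookie: header a browser would send to `url`.

    Honours the Secure attribute: such cookies go out only over https.
    """
    scheme = urlparse(url).scheme
    sent = []
    for name, value, attrs in jar:
        if attrs.get("secure") and scheme != "https":
            continue
        sent.append(f"{name}={value}")
    return "; ".join(sent)


def parse_cookie_header(header: str) -> dict:
    """Parse an incoming Cookie: header into name -> value pairs."""
    pairs = {}
    for item in header.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition("=")
            pairs[key] = val
    return pairs


def user_for_request(cookie_header: str) -> Optional[str]:
    """Server-side lookup: resolve the SID cookie to the authenticated user."""
    sid = parse_cookie_header(cookie_header).get("SID")
    return SESSIONS.get(sid) if sid else None


def exposure_over_http(secure_only: bool) -> dict:
    """Log in (the https step), then load an http:// inbox URL.

    Returns the Cookie header that would cross the network in the clear on
    that plaintext request, and whether that header alone is enough for the
    server to recognise the session (constructed URLs).
    """
    set_cookie = issue_session("alice@example.com", secure_only)
    jar = [parse_set_cookie(set_cookie)]
    plaintext = cookie_header_for("http://mail.example.com/inbox", jar)
    encrypted = cookie_header_for("https://mail.example.com/inbox", jar)
    return {
        "sent_over_http": plaintext,
        "sent_over_https": encrypted,
        "plaintext_cookie_identifies_user": user_for_request(plaintext) is not None,
    }


if __name__ == "__main__":
    print("http session allowed:", exposure_over_http(secure_only=False))
    print("always https:        ", exposure_over_http(secure_only=True))
```

Run as a script, the first line shows the session ID leaving in a Cookie: header on the plaintext request, which is exactly what a passive observer on a shared medium (wireless or wired, as antibozo notes) would see; the second line shows an empty Cookie: header on the http request once the cookie is restricted to https, so the session never crosses the network in the clear.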

I should also say that using the wording "capture the authentication files", as Bk did, implies that the vulnerability has to do with remote file access (it doesn't), rather than the ability to observe network traffic in transit (it does).

In other words, I think Bk needs to spend a little more time playing with Wireshark.

Posted by: antibozo | July 28, 2008 4:35 PM

I think the reason wireless was singled out was that you are more likely to expose yourself to more people while using wireless, whether at BlackHat or Starbucks, than on a wired network.

I completely agree that all Gmail connections should be https: but I won't complain too much as I changed my settings several days ago and still cannot believe that Google offers IMAP for Gmail. Free IMAP does make up for a lot of shortcomings!

Posted by: OhioMC | July 28, 2008 5:29 PM

For those like me that don't like webmail, but prefer an e-mail client (such as Outlook), Gmail by default instructs you to use encrypted POP3 and SMTP connections:

http://mail.google.com/support/bin/answer.py?answer=75291

That way your e-mail client isn't passing your credentials in plain text every time it hits Google's servers, whether sending or receiving.

Posted by: TJ | July 28, 2008 6:13 PM

It would be interesting to note if the https is also used by the "Gmail Notifier" that sits in the windows taskbar.

Oddly, after I set this to Always use https today, the taskbar notifier has stopped working, saying "cannot connect to your mailbox, service temporarily unavailable". That is an odd coincidence.

Posted by: Anonymous User | July 28, 2008 6:18 PM

I just did a check, turned off the https setting, and the Gmail Notifier starts working immediately.

That is no coincidence. So I guess that means it was sending the password unsecured for a long time.

Posted by: Anonymous User | July 28, 2008 6:42 PM

"Oddly, after I set this to Always use https today, the taskbar notifier has stopped working, saying "cannot connect to your mailbox, service temporarily unavailable". That is an odd coincidence."

Posted by: Anonymous User | July 28, 2008 6:18 PM

"I just did a check, turned off the https setting, and the Gmail Notifier starts working immediately."

Posted by: Anonymous User | July 28, 2008 6:42 PM

I believe I noted that already. :) I'm still looking for a workaround, and will post it if I ever find one.

Posted by: Deaf.Randy | July 28, 2008 6:51 PM

That particular issue has been reported to Google. Let's see how long before they come up with a fix.

Posted by: Deaf.Randy | July 28, 2008 7:05 PM

OhioMC> I think the reason wireless was singled out was that you are more likely to expose yourself to more people while using wireless, whether at BlackHat or Starbucks, than on a wired network.

I wonder if that's true. Note that there are several orders of magnitude more wired systems than wireless ones.

Posted by: antibozo | July 28, 2008 7:13 PM

antibozo, I completely agree with your entire post; it's correct. If a browser allows cookies, be it for the session only (temporary file deleted when the browser closes) or for an indefinite period, the information is stored in a file. That was my only point. It may have been a misnomer, but BK was still technically correct.

Posted by: hokiealumnus | July 29, 2008 12:01 PM

I have always used the https://mail.google.com log in since I learned of its availability almost a year ago.

Initially the secure login was available for primarily mobile use, but it was obviously available for landline, DSL & cable also.

Posted by: bruce R | July 29, 2008 12:13 PM

Earthlink has advised me that Microsoft security update KB951748 has caused a number of issues and they are suggesting that their users uninstall it.

Any observations from others on this update?

Posted by: bruce R | July 29, 2008 12:17 PM

Posted by: Bk | July 29, 2008 12:18 PM

There is a workaround for the GMail notifier problem. Uninstall Google's GMail Notifier, since it's broken anyway, and download the notifier for Firefox at https://addons.mozilla.org/en-US/firefox/addon/173. This is working very well for me since I always have Firefox running and it uses https. It also has an audible notification if you choose to use it. Once it's in the browser, right click on the icon for options. Not sure if there is anything out there for the less secure IE7 browsers.

Posted by: BELphotos | July 29, 2008 12:58 PM

Nice info there, BELphotos. Thanks for the comment.

Posted by: Bk | July 29, 2008 2:16 PM

BELPhotos: Thanks for the helpful info, but if I had my browser running, it'd be on Gmail already. :) I was trying to find a workaround for the notifier application that didn't require you to have your browser up and running.

Posted by: Deaf.Randy | July 29, 2008 3:41 PM

If only choosing the «always use https» option in Gmail didn't interfere with the functioning of the «Send to Gmail» button on the Google Toolbar for Firefox ! Don't let that right hand know what the left is doing !...

Henri

Posted by: M Henri Day | July 29, 2008 5:05 PM

Posted by: pachocco1 | July 29, 2008 6:33 PM

Webmail has always bothered me. Isn't it safer to use a secure e-mail client than a web browser? Example, Outlook 2003 can be configured to read all mail as plain text (no active content that could be executed) as well as block any automatic download of pictures or web beacons in an HTML message (can breach your privacy or present a security risk). Whereas, web browsers by nature read and execute active content and use cookies that can be used to track you. Seems like a secure e-mail client using an encrypted POP3 connection is a safer option. And in this case, Google wouldn't be able to target ads to your e-mail client.

Posted by: Tim | July 30, 2008 11:55 PM

I received some feedback from the Google Team regarding this problem:

Thank you for your report. We are aware of this problem, and our engineers are working diligently to find a solution.

If you've set Gmail to always use https and you're using the Gmail Notifier on a PC, you'll need to install an additional file.

1. Visit http://google.com/mail/help/downloads/notifier_https.reg
2. Open the file.
3. Double click on the notifier_https.reg file.
4. Click 'yes' when you're asked to confirm if you want to add the information to the registry.
5. Restart the Notifier.

If you decide you no longer want to use the https setting, you'll need to install the other file included in the download to reset the Notifier. Use the same method as above with notifier_https_undo.reg.

Posted by: Deaf.Randy | July 31, 2008 8:40 PM

In related news,
Free and Open Source, easy to use, e-mail application called Zimbra Desktop can be used for offline Gmail, Yahoo mail, IMAP etc.
http://www.zimbra.com/products/desktop.html

I also made howto for Parsix Linux:
http://www.parsix.org/html/index.php?module=pnWikka&tag=ZimbraDesktop

Posted by: Xet7 | August 4, 2008 2:48 PM

Additional note:
Zimbra Desktop is available for Linux, Windows and Mac.

Posted by: Xet7 | August 4, 2008 2:50 PM

What about logging into YouTube using a Google account?? Is this procedure also unsafe??

Posted by: Tom | August 11, 2008 7:05 AM

As a web developer, why they would even offer a non-secure solution is beyond me.

It's like being a home builder and advertising that locks on the front door are optional on new homes.

Posted by: Dave | August 11, 2008 10:40 AM

@deaf.randy && @pachocco1 - not sure if the following workaround can be done in windows but Mac users can do the following:

1) Pull down the Notifier menu (either Calendar or Gmail), hold down Command and Option, and click Preferences on the menu.
2) You’ll see a hidden settings editor. Enter SecureAlways in the Key field (upper and lower case must be entered as shown) and 1 in the Value field, then click Set.
3) Quit Notifier and start it up again. From now on, all connections with both Gmail & Gcal will be https.

http://www.macosxhints.com/article.php?story=200707030100345

Also, the notice of being logged into other locations is a good idea but is problematic because it’s WAAAAAAAAY down at the bottom, and if your display cap is set to 100, you will never notice it. I didn’t notice it until I read about it here. Filed under ‘feel good security’, like the so-called security questions that people can look up or guess if they know you.

Posted by: chancegarcia | August 11, 2008 10:46 AM

The https option is not available to hosted domain users of gmail.

Posted by: Raw | August 12, 2008 7:46 AM


© 2010 The Washington Post Company