Comments on: Protect yourself now if you use Gmail

By: Ian M

Ian M — Mon, 18 Aug 2008 13:38:00 +0000

This isn’t available for people who use Google Apps, although the paid-for Premier Edition will have it.

By: Gmail et attaques HDM « Stemp

Gmail et attaques HDM « Stemp — Sat, 16 Aug 2008 15:46:19 +0000

[...] Shawn Wilsher : Protect yourself now if you use Gmail [...]

By: Peng’s links for Saturday, 16 August « I’m Just an Avatar

Peng’s links for Saturday, 16 August « I’m Just an Avatar — Sat, 16 Aug 2008 14:48:22 +0000

[...] Wilsher: Protect yourself now if you use Gmail. I thought I had posted this when I came across it elsewhere recently, but it looks like I posted [...]

By: Frank Hecker

Frank Hecker — Sat, 16 Aug 2008 12:27:24 +0000

A couple of points worth noting: First, to my knowledge this capability is not yet available for people (like me) who use Google Apps instead of regular Gmail. (I don’t see the new setting when using my Google Apps account, but do see it using my old Gmail account.)

Second, if you want additional confirmation that you are connected via SSL and using the right domain, use about:config and change the setting for browser.identity.ssl_domain_display from 0 (the default) to 1. This will cause the domain “google.com” to be displayed in the area to the left of the location bar when you are connected to Gmail via SSL.

When you connect to other SSL sites you’ll see their domains as well. Also, if Google had spent a little more money on an Extended Validation SSL certificate, you’d see a green identity button with “Google, Inc. (US)” (similar to what you see if you connect to PayPal), and you wouldn’t have had to mess with about:config.

By: Steve Lee

Steve Lee — Sat, 16 Aug 2008 10:59:58 +0000

Strange it’s not there for me (or anywhere in the settings); google mail (UK) in google apps.
Shame as I often wonder if AJAX connections are https or not as the browser doesn’t give you much of a clue there.

By: Wladimir Palant

Wladimir Palant — Sat, 16 Aug 2008 10:42:30 +0000

The really important thing about this option is that it will flag the cookies so that they will only be sent over HTTPS. If you “only” use https://mail.google.com/ as your entry point for GMail without setting this option, you access everything via HTTPS as well – but a MITM can easily inject an image linking to http://mail.google.com/ on some unrelated (and unencrypted) page which will give him the cookies in clear text. So he will still be able to hijack your session.

By: Chaz6

Chaz6 — Sat, 16 Aug 2008 09:43:58 +0000

This option does not seem to be available for Google Apps for Domains users :-(

By: Jesse Ruderman

Jesse Ruderman — Sat, 16 Aug 2008 08:38:44 +0000

You should select this setting even if you’re careful to always access Gmail using the https URL. The reason is that it makes your login cookie https-only. I wish Google made this more clear. See http://voices.washingtonpost.com/securityfix/2008/08/new_tool_automates_cookie_stea.html

By: Gordon P. Hemsley

Gordon P. Hemsley — Sat, 16 Aug 2008 08:05:48 +0000

That must be a new feature. I don’t recall seeing that setting before, and I didn’t already have a preference selected when I went to look for it. (Both radio buttons were empty.)

By: Da Scritch

Da Scritch — Sat, 16 Aug 2008 07:10:39 +0000

I tryed, but pidgin lost instantly all access to Gtalk/Jabber. Google seems to have lot of works for doing this not-to-late conversion