Skip navigation

So, I’m sitting here at the office because my apartment has no power. I’m bored out of my mind, so I wrote up a handy little tid-bit of information for those of you using Gmail.

For those of your who use GMail (and if you don’t, why not?!), I’m going to strongly suggest you protect yourself from man-in-the-middle attacks by setting the https only mode in Gmail. A MITM attack can steal your login credentials, as well as anything else you transmit in the clear over the Internet (which is pretty much everything) and is easier than you might think.

To do this, open your gmail settings (found at the top right of the page).

Ensure that you have the general tab selected (it’s the leftmost tab).

Scroll down to the bottom to the browser connections section, and make sure you select “always use https”. Feel free to click on the link as well to learn more.

Firefox 3 will always let you know that a page is being transmitted over https by turning the area to the left of the location bar (called the identity button) blue like so:

This is a serious issue. If you have any questions about this, or this type of attack, feel free to ask and I’ll be happy to answer (or find out the answer if I don’t know). Security is serious business, and I want you to be as safe as you can be.

8 Comments

  1. I tryed, but pidgin lost instantly all access to Gtalk/Jabber. Google seems to have lot of works for doing this not-to-late conversion

    • Gordon P. Hemsley
    • Posted August 16, 2008 at 03:05 (3:05 am)
    • Permalink

    That must be a new feature. I don’t recall seeing that setting before, and I didn’t already have a preference selected when I went to look for it. (Both radio buttons were empty.)

  2. You should select this setting even if you’re careful to always access Gmail using the https URL. The reason is that it makes your login cookie https-only. I wish Google made this more clear. See http://voices.washingtonpost.com/securityfix/2008/08/new_tool_automates_cookie_stea.html

    • Chaz6
    • Posted August 16, 2008 at 04:43 (4:43 am)
    • Permalink

    This option does not seem to be available for Google Apps for Domains users :-(

  3. The really important thing about this option is that it will flag the cookies so that they will only be sent over HTTPS. If you “only” use https://mail.google.com/ as your entry point for GMail without setting this option, you access everything via HTTPS as well – but a MITM can easily inject an image linking to http://mail.google.com/ on some unrelated (and unencrypted) page which will give him the cookies in clear text. So he will still be able to hijack your session.

  4. Strange it’s not there for me (or anywhere in the settings); google mail (UK) in google apps.
    Shame as I often wonder if AJAX connections are https or not as the browser doesn’t give you much of a clue there.

  5. A couple of points worth noting: First, to my knowledge this capability is not yet available for people (like me) who use Google Apps instead of regular Gmail. (I don’t see the new setting when using my Google Apps account, but do see it using my old Gmail account.)

    Second, if you want additional confirmation that you are connected via SSL and using the right domain, use about:config and change the setting for browser.identity.ssl_domain_display from 0 (the default) to 1. This will cause the domain “google.com” to be displayed in the area to the left of the location bar when you are connected to Gmail via SSL.

    When you connect to other SSL sites you’ll see their domains as well. Also, if Google had spent a little more money on an Extended Validation SSL certificate, you’d see a green identity button with “Google, Inc. (US)” (similar to what you see if you connect to PayPal), and you wouldn’t have had to mess with about:config.

    • Ian M
    • Posted August 18, 2008 at 08:38 (8:38 am)
    • Permalink

    This isn’t available for people who use Google Apps, although the paid-for Premier Edition will have it.


2 Trackbacks/Pingbacks

  1. […] Wilsher: Protect yourself now if you use Gmail. I thought I had posted this when I came across it elsewhere recently, but it looks like I posted […]

  2. By Gmail et attaques HDM « Stemp on 16 Aug 2008 at 10:46 am

    […] Shawn Wilsher : Protect yourself now if you use Gmail […]

Comments are closed.