[ExI] nasty hijacking of mygmailaccount...extropian.pharmer at gmail.com

Harvey Newstrom mail at HarveyNewstrom.com
Wed Jun 24 00:19:56 UTC 2009 

Somebody mentioned that Google mail is not hackable.  Ha!  It is severely 
insecure, and easily hijackable, as are most webmail systems.  Reference 
this article from the BBC:

 BBC NEWS
Google tackled on e-mail security

Google has been asked to explain why it is not making its Gmail e-mail 
service more secure.

In an open letter to Google boss Eric Schmidt, security experts, lawyers, 
and privacy advocates ask why Gmail users are "needlessly" being put at 
risk.

The 38 signatories want Google to start using the secure version of the HTTP 
protocol to protect Gmail users.

In response, Google said it was considering trials of the secure system with 
a select group of users.

Secure session

"As more of us end up using insecure internet access - such as wi-fi in 
coffee shops, libraries, and so forth - there's a real risk of session 
hijacking," said Ben Edelman, a signatory of the letter and assistant 
professor at Harvard Business School.

When users sign on to Gmail, their login name and password are encrypted as 
the data passes back and forth using the secure version of HTTP known as 
HTTPS.

However, said Mr Edelman, this is turned off once sign-on is completed. A 
similar system works for Google Docs and Calendar.

The risk, he said, was from hi-tech criminals who snoop on the unencrypted 
data passing back and forth to steal ID files called "session cookies" 
generated when these applications start being used.

Mr Edelman said that using the cookies could let a criminal pose as a user. 
In Gmail's case, this could mean they might send e-mails in the owner's 
name, abuse their identity, change a password, or hijack an account.

"It's a frightening prospect," said Mr Edelman.

The open letter pointed out that Google used HTTPS to protect the data of 
users of its Health and Voice applications.

While Google does make it possible to use HTTPS all the time when signed on 
to Gmail, Docs, or Calendar the option was so hard to find that few would 
use it, suggested the letter.

It pointed out that most users retain default options and were likely to be 
leaving themselves at risk.

"...unless the security issue is well known and salient to consumers, they 
will not take steps to protect themselves by enabling HTTPS," said the 
letter.

If Google took the step to turn on HTTPS all the time, the risks would be 
removed.

In response, Google said it was looking into whether it made sense to use 
HTTPS all the time in Gmail. But, it said, before it did so it wanted to be 
sure that the average user experience of Gmail was not markedly changed by 
turning it on.

It feared that enabling the encryption would slow down response times as 
data was scrambled and unscrambled on a PC and Google's mail servers.

"We're planning a trial in which we'll move small samples of different types 
of Gmail users to HTTPS to see what their experience is, and whether it 
affects the performance of their e-mail," said Google.

Mr Edelman said it was not just Google that was putting users at risk. Every 
webmail company faced the same problem and should do more to protect the its 
users .

He said it was a problem that would get more acute as services move towards 
so called "cloud computing".

"Many of the systems we have built for authentication and session 
maintenance assume no man-in-the-middle attack," he said.
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/8107556.stm

Published: 2009/06/19 10:46:54 GMT

© BBC MMIX


--
Harvey Newstrom <www.HarveyNewstrom.com>

More information about the extropy-chat mailing list