[ExI] nasty hijacking of mygmailaccount...extropian.pharmer at gmail.com
Harvey Newstrom
mail at HarveyNewstrom.com
Wed Jun 24 00:19:56 UTC 2009
Somebody mentioned that Google mail is not hackable. Ha! It is severely
insecure, and easily hijackable, as are most webmail systems. Reference
this article from the BBC:
BBC NEWS
Google tackled on e-mail security
Google has been asked to explain why it is not making its Gmail e-mail
service more secure.
In an open letter to Google boss Eric Schmidt, security experts, lawyers,
and privacy advocates ask why Gmail users are "needlessly" being put at
risk.
The 38 signatories want Google to start using the secure version of the HTTP
protocol to protect Gmail users.
In response, Google said it was considering trials of the secure system with
a select group of users.
Secure session
"As more of us end up using insecure internet access - such as wi-fi in
coffee shops, libraries, and so forth - there's a real risk of session
hijacking," said Ben Edelman, a signatory of the letter and assistant
professor at Harvard Business School.
When users sign on to Gmail, their login name and password are encrypted as
the data passes back and forth using the secure version of HTTP known as
HTTPS.
However, said Mr Edelman, this is turned off once sign-on is completed. A
similar system works for Google Docs and Calendar.
The risk, he said, was from hi-tech criminals who snoop on the unencrypted
data passing back and forth to steal ID files called "session cookies"
generated when these applications start being used.
Mr Edelman said that using the cookies could let a criminal pose as a user.
In Gmail's case, this could mean they might send e-mails in the owner's
name, abuse their identity, change a password, or hijack an account.
"It's a frightening prospect," said Mr Edelman.
The open letter pointed out that Google used HTTPS to protect the data of
users of its Health and Voice applications.
While Google does make it possible to use HTTPS all the time when signed on
to Gmail, Docs, or Calendar the option was so hard to find that few would
use it, suggested the letter.
It pointed out that most users retain default options and were likely to be
leaving themselves at risk.
"...unless the security issue is well known and salient to consumers, they
will not take steps to protect themselves by enabling HTTPS," said the
letter.
If Google took the step to turn on HTTPS all the time, the risks would be
removed.
In response, Google said it was looking into whether it made sense to use
HTTPS all the time in Gmail. But, it said, before it did so it wanted to be
sure that the average user experience of Gmail was not markedly changed by
turning it on.
It feared that enabling the encryption would slow down response times as
data was scrambled and unscrambled on a PC and Google's mail servers.
"We're planning a trial in which we'll move small samples of different types
of Gmail users to HTTPS to see what their experience is, and whether it
affects the performance of their e-mail," said Google.
Mr Edelman said it was not just Google that was putting users at risk. Every
webmail company faced the same problem and should do more to protect its
users.
He said it was a problem that would get more acute as services move towards
so called "cloud computing".
"Many of the systems we have built for authentication and session
maintenance assume no man-in-the-middle attack," he said.
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/8107556.stm
Published: 2009/06/19 10:46:54 GMT
© BBC MMIX
--
Harvey Newstrom <www.HarveyNewstrom.com>
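The attack the quoted article describes, as an added example that is not part of the post or of the BBC article: the site hands out a session cookie after an HTTPS login, the browser then sends that cookie on every plain http:// request, and a passive listener on the same network reads it out of the request headers and replays it. The host name mail.example.com, the cookie name SESSION and the captured request lines are all constructed for the example. It also shows the check a practitioner wants alongside "HTTPS all the time": the cookie's Secure attribute, which is what stops a browser from attaching it to a plain http:// request at all, so one stray http:// link does not undo the switch to HTTPS.

```python
"""Session-cookie exposure over plaintext HTTP, and the Secure attribute that prevents it."""
from urllib.parse import urlsplit

# Constructed sample data (hypothetical host and cookie name, not real Gmail values).
SET_COOKIE_WEAK = "SESSION=abc123; Domain=mail.example.com; Path=/"
SET_COOKIE_FIXED = "SESSION=abc123; Domain=mail.example.com; Path=/; Secure; HttpOnly"
CAPTURED_PLAINTEXT = [
    # what a sniffer on open wi-fi sees once the post-login traffic falls back to http://
    "GET /mail/inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
    "Cookie: SESSION=abc123; PREF=lang=en\r\n\r\n",
    "GET /cal/ HTTP/1.1\r\nHost: cal.example.com\r\nCookie: THEME=dark\r\n\r\n",
]


def parse_set_cookie(header):
    """Parse a Set-Cookie header value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or True for bare flags
    such as Secure and HttpOnly.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cookie_sent_on(attrs, url):
    """Browser rule: a Secure cookie is attached only to https:// requests;
    a cookie without the attribute is attached to http:// requests as well."""
    scheme = urlsplit(url).scheme.lower()
    if attrs.get("secure"):
        return scheme == "https"
    return scheme in ("http", "https")


def sniff_session_cookies(requests, session_names=("SESSION",)):
    """Pull session cookies out of unencrypted HTTP requests seen on the wire.

    Returns a list of (host, cookie_name, cookie_value) for every request that
    carried one of the named session cookies in its Cookie header.
    """
    found = []
    for raw in requests:
        headers = {}
        for line in raw.split("\r\n")[1:]:
            if not line:  # blank line ends the header block
                break
            key, _, val = line.partition(":")
            headers[key.strip().lower()] = val.strip()
        host = headers.get("host", "?")
        for pair in headers.get("cookie", "").split(";"):
            name, _, val = pair.strip().partition("=")
            if name in session_names:
                found.append((host, name, val))
    return found


def forge_request(host, path, stolen):
    """The request an attacker replays to act as the victim: no password needed,
    the stolen cookie alone identifies the session."""
    pairs = [f"{n}={v}" for h, n, v in stolen if h == host]
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {'; '.join(pairs)}\r\n\r\n"


def audit_set_cookie(header):
    """Return the findings a reviewer would raise against a session cookie."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if not attrs.get("secure"):
        problems.append(f"{name}: no Secure attribute, browser will send it over plain http://")
    if not attrs.get("httponly"):
        problems.append(f"{name}: no HttpOnly attribute, readable by page scripts")
    return problems


if __name__ == "__main__":
    stolen = sniff_session_cookies(CAPTURED_PLAINTEXT)
    print("sniffed:", stolen)
    print(forge_request("mail.example.com", "/mail/compose", stolen))
    for hdr in (SET_COOKIE_WEAK, SET_COOKIE_FIXED):
        print(hdr, "->", audit_set_cookie(hdr) or "ok")
```

With the weak header the cookie rides along on http:// and shows up in the sniffed list; with the fixed header the browser refuses to send it over plain HTTP, so the same capture would contain nothing to replay.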