noel alanguilan

there exist a tool that can “automaticaly steal ids of non-encrypted sessions and breaks into google mail accounts” and it will be released to the public in a few weeks. the tool was presented in the recent hackers’ conference in las vegas called defcon. click on the link above if you want more technical details.

essentially what the tool does is to allow a hacker (unsuspecting or otherwise) to get into your gmail account and do what s/he pleases — like change the password. scary stuff.

the solution is simple enough — encrypt your entire gmail session and not just the login portion. to do that both the server (google mail) and the client (your browser) have to talk to each other via ssl (secure sockets layer) all the time. fortunately, google was informed of the vulnerability about a year ago so they took steps to implement ssl on their side of the fence. browsers has ssl-support built in.

all you have to is to add an “s” to the “http” portion of the google mail address making it look like “https” (without the quotes of course) and you’re done. preferably, you should do this at the start of your gmail session when you log in.

related posts

• worm on april fool’s and other things
• flash cookie manager
• gmail: always use https
• yahoo booboo 2008.06.25
• detecting bogus e-mails

you can follow any responses through the rss 2.0 feed. you can leave a response, or trackback from your own site.