MrBill
04-23-2009, 01:28 AM
This is from today's Windows Secrets. The part in RED is what you need to do. I just did all 5 of my accounts.
Gmail's sea-surf hole can't be closed by SSL
Some reports on the Web, such as an article (http://windowssecrets.com/links/qezz377q74bed/f6ad29h/?url=news.softpedia.com%2Fnews%2FGmail-Accounts-Automatic-Hacking-Tool-Presented-at-Defcon-91747.shtml) at Softpedia.com, say using https during your Gmail sessions blocks CSRF attacks on the service.
Unfortunately, that's not the case for this Gmail hole, according to ISA's Aguilera. In an e-mail interview conducted in Aguilera's native Spanish, he said the flaw allows a hacker to take advantage of an encrypted session (the following is my translation from the original language):
"In this vulnerability, the attacker causes the victim to generate, invisible to the victim, a request to the server (in which request the victim's authenticated session cookie is also transmitted).
"When the server receives the request, it sees that it comes from an authenticated session (the victim's), and thus is unable to detect that, in reality, the request was instigated by the attacker.
"In other words, it's as if the victim/user actually created the request to the server, and the fact that the communication is encrypted is unrelated and doesn't prevent the attack."
Using https does prevent traffic sniffing and so-called man-in-the-middle attacks, so you should enable it regardless of whether Gmail's CSRF hole is ever patched.
To benefit from encryption when accessing Gmail, you should configure the service to use SSL by default. To do so, click Settings in the top-right corner of the main Gmail window, select Always use https in the "Browser connection" section at the bottom of the General tab, and click Save Changes.
Using encryption will slow Gmail's performance slightly, but this small price is worth it. The https protocol will encrypt not just your sign-in sessions but also the contents of your e-mails when they're sent between your browser and Google's servers.
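An added example (mine, not from the article, Google or ISA) of the server-side check the quoted description implies: because the browser attaches the session cookie to forged requests too, the cookie alone cannot tell a victim-initiated request from an attacker-instigated one, whatever the transport, so the server needs a per-session token that a cross-site page cannot read. The secret, session id and site origin are constructed values.

```python
import hashlib
import hmac

# Constructed demo secret and session table; a real server loads these from
# configuration and its session store.
SERVER_SECRET = b"constructed-demo-secret"
SESSIONS = {"victim-sid": "victim@example.invalid"}
SITE_ORIGIN = "https://mail.example.invalid"

def issue_csrf_token(session_id):
    """Per-session anti-CSRF token, embedded in the site's own forms.
    HMAC-bound to the session so a token cannot be replayed across sessions."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def authorize_state_change(request):
    """Return (allowed, reason) for a state-changing request.
    `request` is a constructed dict with keys: cookies, headers, form, scheme.
    `scheme` is deliberately never consulted: TLS is orthogonal to CSRF."""
    # 1. Browsers attach the session cookie to forged requests too, so this
    #    check alone cannot tell the victim's click from an attacker's page.
    sid = request["cookies"].get("SID")
    if sid not in SESSIONS:
        return False, "no authenticated session"
    # 2. An Origin header (when the browser sends one) exposes cross-site requests.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-site origin"
    # 3. The token exists only in the legitimate page, not in the cookie jar,
    #    so a forged request cannot supply the right value.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(issue_csrf_token(sid), supplied):
        return False, "missing or wrong csrf token"
    return True, "ok"

def forged_request():
    """Constructed: a cross-site page makes the victim's browser POST over https;
    the cookie rides along, the token and a same-site Origin do not."""
    return {"cookies": {"SID": "victim-sid"}, "headers": {},
            "form": {"action": "update-settings"}, "scheme": "https"}

def legitimate_request():
    """Constructed: the same action submitted from the site's own form."""
    return {"cookies": {"SID": "victim-sid"}, "headers": {"Origin": SITE_ORIGIN},
            "form": {"action": "update-settings",
                     "csrf_token": issue_csrf_token("victim-sid")}, "scheme": "https"}

if __name__ == "__main__":
    print(authorize_state_change(forged_request()))      # (False, 'missing or wrong csrf token')
    print(authorize_state_change(legitimate_request()))  # (True, 'ok')
```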