Sunday, 7 September 2008

Secure your Gmail / Google Mail from cookie theft

While you are logged in to a service such as your Web mail, Facebook or Amazon account, if you happen to visit a certain kind of malicious webpage (unbeknownst to you, e.g. by clicking a link on another webpage or in an email), it may be possible for bad hackers who are on the same network to steal your login cookie and then use it to log in as you, even if you're using an encrypted secure wireless connection and you signed in via an encrypted https (secure http) Web browser connection. (I'd previously blogged about some risks of using public wi-fi when some but not all browser connections are https.)

Heise Security explained in more detail how it's done. Essentially, if the cookie is sent via an unencrypted http connection (i.e. if a service authenticates via cookies and its server doesn't set the Secure flag on them, so the browser attaches the cookie to plain http requests as well as https ones), which it seems is currently the case with Facebook and Amazon as well as Google's Gmail, then the cookie can be intercepted on the network and misused.

They helpfully point out that when Google recently added an option to Settings to always use https, mainly for the protection of Gmail / Google Mail users who often use unencrypted public wifi connections (my emphasis), "this option also causes the server to set the secure flag, exclusively restricting the Google Mail session cookie to encrypted connections."
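To make the two paragraphs above concrete, here is a small added example (my own illustration, not code from the original post, from Heise or from Google) that parses Set-Cookie headers, applies the browser rule that a cookie marked Secure is only sent over https, and flags session-looking cookies that lack the flag. The cookie names, domain and values are constructed for the example and are not real Gmail cookies.

```python
"""Check Set-Cookie headers for the Secure flag.

Added example, not code from the original post or from Google: a small
parser plus the browser's scheme rule, so you can see why a session
cookie without `Secure` leaks over plain http.  The sample headers are
constructed for illustration; they are not real Gmail cookies.
"""

# Heuristic: cookie names that usually carry a login session.
SESSION_NAME_HINTS = ("sid", "session", "sess", "auth", "token")


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive; bare attributes (Secure,
    HttpOnly) become True, valued ones (Domain=, Path=) keep their value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
        "domain": attrs.get("domain"),
        "path": attrs.get("path", "/"),
    }


def would_be_sent(cookie: dict, scheme: str) -> bool:
    """Apply the browser rule the post relies on: a cookie with the Secure
    flag is attached only to https requests; without it, any request to
    the cookie's domain carries it, including plain http ones."""
    if cookie["secure"]:
        return scheme == "https"
    return scheme in ("http", "https")


def audit_cookies(headers: list) -> list:
    """Return the names of session-looking cookies that lack Secure.

    This is the check a site operator (or a proxy in front of one) can
    run on its own responses; the name heuristic is deliberately simple."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        looks_like_session = any(h in cookie["name"].lower() for h in SESSION_NAME_HINTS)
        if looks_like_session and not cookie["secure"]:
            findings.append(cookie["name"])
    return findings


# Constructed sample headers: the weak form and the corrected form.
WEAK_HEADER = "SID=abc123; Domain=.example.com; Path=/"
FIXED_HEADER = "SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly"
PREF_HEADER = "PREF=en; Domain=.example.com; Path=/"  # not a session cookie

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("fixed", FIXED_HEADER)):
        cookie = parse_set_cookie(header)
        print(f"{label}: secure={cookie['secure']} "
              f"sent over http={would_be_sent(cookie, 'http')} "
              f"sent over https={would_be_sent(cookie, 'https')}")
    print("session cookies missing Secure:",
          audit_cookies([WEAK_HEADER, FIXED_HEADER, PREF_HEADER]))
```

Running it shows the difference the "always use https" setting makes on the server side: the weak header's SID is sent on both schemes, the fixed one only over https, and the audit lists only the weak SID. HttpOnly is parsed too because it addresses a separate risk (script access to the cookie) and is worth setting alongside Secure.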

So, bottom line: if you use Google Mail / Gmail, you should protect your cookies and yourself by securing your Gmail properly.

How to do that? Log in to Gmail, go to Settings (link at the top of the page), scroll down towards the end of the General tab, and under "Browser connection" select "Always use https", then click Save Changes.

There's no downside I can think of to doing that, and it'll be much better for your security.

I don't know if the same issue arises with Hotmail or Yahoo! Mail, and I don't know what the solution is for Amazon and Facebook etc. Try as much as possible to avoid logging in to those sites when you're on a wireless network / WLAN (and maybe even other networks), I guess!
