A Consuming Experience

Blogging, internet, software, mobile, telecomms, gadgets, technology, media and digital rights from the perspective of a consumer / user, including reviews, rants and random thoughts. Aimed at intelligent non-geeks, who are all too often unnecessarily disenfranchised by excessive use of tech jargon, this blog aims to be informative and practical without being patronising. With guides, tutorials, tips - and the occasional ever so slightly naughty observation.


Secure your Gmail / Google Mail from cookie theft

Sunday, September 07, 2008

While you are logged in to a service such as your Web mail, Facebook or Amazon account, visiting a certain kind of malicious webpage (unbeknownst to you, e.g. by clicking a link on another webpage or in an email) may allow bad hackers on the same network to steal your login cookie and then use it to log in as you. This can happen even if you're using an encrypted secure wireless connection and you signed in via an encrypted https (secure http) Web browser connection. (I'd previously blogged about some risks of using public wi fi when some but not all browser connections are https.)

Heise Security explained in more detail how it's done. Essentially, if the cookie is sent via an unencrypted http connection (i.e. if a service authenticates via cookies and its server doesn't set the Secure flag on the cookie, so the browser will hand it over on plain http requests too) - which it seems is currently the case with Facebook and Amazon as well as Google's Gmail - then the cookie can be intercepted and misused.

They helpfully point out that when Google recently added an option to Settings to always use https, mainly for the protection of Gmail / Google Mail users who often use unencrypted public wifi connections (my emphasis), "this option also causes the server to set the secure flag, exclusively restricting the Google Mail session cookie to encrypted connections."
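To show what the Secure flag actually does, here is an added example (not code from the original post, Heise or Google) that uses Python's standard cookie jar, which applies the same rule a browser does: a cookie marked Secure is only attached to https requests. The host mail.example.com and the cookie names SID and SSID are constructed for the demonstration and are not Gmail's real cookies. The first function is the check a site operator would run against their own Set-Cookie headers; the second simulates which cookies a browser would send over http versus https.

```python
import email.message
import io
from http.cookiejar import CookieJar
from urllib.request import Request
from urllib.response import addinfourl


def has_secure_flag(set_cookie_value: str) -> bool:
    """Return True if a Set-Cookie header value carries the Secure attribute.

    Attribute names are case-insensitive, and Secure has no value, so we
    compare each ';'-separated token (after the name=value pair) to 'secure'.
    """
    attributes = set_cookie_value.split(";")[1:]
    return any(attr.strip().lower() == "secure" for attr in attributes)


def jar_from_set_cookie(set_cookie_values, origin_url: str) -> CookieJar:
    """Build a cookie jar as if a browser had received these headers from origin_url.

    We fake the HTTP response object the cookie jar expects, so nothing is
    fetched from the network.
    """
    headers = email.message.Message()
    for value in set_cookie_values:
        headers["Set-Cookie"] = value
    response = addinfourl(io.BytesIO(b""), headers, origin_url)
    jar = CookieJar()
    jar.extract_cookies(response, Request(origin_url))
    return jar


def cookies_sent(jar: CookieJar, url: str) -> list:
    """Names of the cookies the jar would attach to a request for url, sorted."""
    request = Request(url)
    jar.add_cookie_header(request)  # applies the Secure-flag rule, among others
    header = request.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


# Constructed sample: a session cookie set without the Secure flag, and one with it.
SAMPLE_SET_COOKIE = [
    "SID=abc123; Path=/",          # hypothetical, insecure: sent over http too
    "SSID=def456; Path=/; Secure", # hypothetical, secure: https only
]
ORIGIN = "https://mail.example.com/"  # hypothetical host


def demo() -> dict:
    """Which sample cookies would leak onto a plain http request?"""
    jar = jar_from_set_cookie(SAMPLE_SET_COOKIE, ORIGIN)
    return {
        "https": cookies_sent(jar, "https://mail.example.com/inbox"),
        "http": cookies_sent(jar, "http://mail.example.com/inbox"),
    }


if __name__ == "__main__":
    for value in SAMPLE_SET_COOKIE:
        print(f"{value!r}: Secure flag {'present' if has_secure_flag(value) else 'MISSING'}")
    print(demo())
```

Run it and the http request carries only SID: the Secure-flagged SSID stays home, which is exactly the protection the "always use https" setting turns on. A cookie that shows up in the `http` list is one that an attacker on the same network could read off the wire whenever any page on that site is loaded over plain http.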

So, bottom line: if you use GoogleMail / Gmail, you should protect your cookies and yourself by securing your Gmail properly.

How to do that? Log in to Gmail, go to Settings (link at the top of the page), scroll down towards the end of the General tab, and under "Browser connection" select "Always use https", then click Save Changes.

There's no downside I can think of to doing that, and it'll be much better for your security.

I don't know if the same issue arises with Hotmail or Yahoo! Mail, and I don't know what the solution is for Amazon and Facebook etc. - try as much as possible to avoid logging in to those sites when you're on a wireless network / WLAN (and maybe even other networks), I guess!
