Turn on permanent SSL for Gmail

Mike Perry of San Francisco has developed a tool to break into Gmail accounts that are not using an SSL connection. He presented details of his creation at Defcon 16, and is planning to release the tool over the next two weeks.

Part of the problem is that the Gmail login page authenticates you over SSL, but once you are logged in Gmail drops back to an unencrypted HTTP connection for the rest of the session, so the remainder of your traffic travels in the clear.
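A small defender-side check, added here as an example and not taken from the original post or from Google: given a raw HTTP response, it reports the signs of the downgrade described above. The sample responses are constructed (a hypothetical mail.example.com host and a made-up SID session cookie), not captured from Gmail. It goes a little beyond the post by also checking whether the session cookie carries the Secure flag and whether a Strict-Transport-Security header is present, which is how a site today enforces "always use https" on the server side instead of relying on each user's settings.

```python
"""Audit an HTTP response for an SSL-login-then-plain-HTTP downgrade.

Added example; the responses below are constructed and the host name,
cookie name and paths are hypothetical.
"""
from typing import List, Tuple

# Constructed sample: the login succeeded over https, but the server sets the
# session cookie without the Secure flag and then sends the browser to a
# plain-http inbox URL, so everything after login travels in the clear.
LEAKY_RESPONSE = """HTTP/1.1 302 Found
Location: http://mail.example.com/inbox
Set-Cookie: SID=abc123; Path=/; HttpOnly
Set-Cookie: PREF=lang=en; Path=/
Content-Length: 0

"""

# Constructed sample of the behaviour "always use https" should produce.
SAFE_RESPONSE = """HTTP/1.1 302 Found
Location: https://mail.example.com/inbox
Set-Cookie: SID=abc123; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000
Content-Length: 0

"""


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status code, [(lower-cased header name, value), ...])."""
    head = raw.split("\n\n", 1)[0]
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_session_transport(raw: str, session_cookies=("SID",)) -> List[str]:
    """List the ways this response would push the session onto plain HTTP.

    session_cookies names the cookies that identify a logged-in session
    (hypothetical 'SID' here); other cookies are not flagged.
    """
    status, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        # 1. A redirect to an http:// URL is the downgrade itself.
        if name == "location" and value.lower().startswith("http://"):
            findings.append(f"downgrade: {status} redirect to plain HTTP ({value})")
        # 2. A session cookie without Secure is sent on every plain-HTTP
        #    request too, so it can be read by anyone watching the network.
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if cookie_name in session_cookies and "secure" not in attrs:
                findings.append(
                    f"cookie {cookie_name} lacks Secure; browser will send it over plain HTTP"
                )
    # 3. Without HSTS the browser will still follow any http:// link later.
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header; client may still be sent to HTTP")
    return findings


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(label, audit_session_transport(sample) or ["ok"])
```

Run against a real capture, the same three findings are what to look for after the login round-trip: an http:// Location, a session cookie without Secure, and no HSTS header.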

To change the settings in Gmail permanently:

Log into your account using https://mail.google.com.
Click on “Settings” on the top right hand corner of the page.
Scroll down to the bottom of the page and find the “Browser Connection” option.
Select the option “Always use https”.
Click “Save Changes”.

Google also notes that it is important to end each of your Gmail sessions by clicking Sign out at the top of any Gmail page and to close all Gmail browser windows.

There is currently no free fix for users who use Gmail with their own domain.

Mike Perry writes more about why Google’s “fix” is not adequate given the threat.

Update August 27, 2008: Also read about how this affects the “Gmail for Mobile” application here.

