digg

Facebook Connect Join Digg About

Secure Gmail From Sniffers

ffldlife.blogspot.com This article looks at the potential security risks associated with using gmail, especially in the workplace where traffic may be monitored. It investigates how to keep the HTTP-SSL connection open for more then just login credentials, but for the whole gmail session to read, write and chat without worrying about prying eyes.

Who dugg this? Made popular Jul 3, 2006

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

83 Comments

show profanity settings
expand all
  • inactive, on 10/12/2007, -0/+20Like most large websites that use SSL google offloads SSL to embedded network systems, those systems usually implement SSL in hardware. While these systems are not cheap, google can afford them and they remove all encryption overhead from googles actual servers.
  • looksliketrent, on 10/12/2007, -2/+16This is nothing new.
    https://mail.google.com/

    They even have a note on it in their help section.
    https://mail.google.com/support/bin/answer.py?answer=8155

  • rocke86, on 10/12/2007, -1/+12You can also do the same thing with Google Calander. I have been using CustomizeGoogle which has settings to automatically use the SSL feature with gmail and the calendar.
    http://www.customizegoogle.com/

    If both you and your recipient use gmail with ssl enabled you can be fairly certain your mail is not being monitored. That is if you trust Google.
  • pkulak, on 10/12/2007, -2/+11It would be safe to say that the only people who went to this much trouble to get SSL, want it badly enough to justify Google giving it to them. But in the end, it's a 10-pound deadbolt on a screen door. Ounce that email is sent, it goes all over the web in plain text.
  • inactive, on 10/12/2007, -0/+8You've never had to give them any real information, you stooge. You're just typing in your real info as a kneejerk reaction to seeing an entry for such info. Pavlov's bell tolls for thee.
  • john608, on 10/12/2007, -4/+12Google, like any site out there needs to keep the SSL transaction to a minimum. SSL on the server side is a CPU intesive process, so it just kills their servers if they had everyone doing this. I wonder how long before google tries to keep this kind of thing from working.
  • MasteRR, on 10/12/2007, -0/+7It might be paranoia, but when all it takes is adding a single letter to an address/bookmark, why not do it? It doens't hurt.
  • MasteRR, on 10/12/2007, -0/+6Very true, but the server to server connections are much less likely to be sniffed by your work's netadmin or that little cracker at the coffee shop running ethereal.
  • warfang, on 10/12/2007, -0/+6Well this allows me to use gmail at work now :)
  • PaisteUser, on 10/12/2007, -0/+5I'm surprised people aren't more critical of how the even bigger e-mail sites handle encryption; Hotmail, Yahoo, AOL, they all use plain text when communicating with your web browser. I find it nice to actually find an e-mail service where my webmail session is actually fully SSL encrypted. Other e-mail providers should take note of this, as this is one of the reasons I use Gmail as my primary e-mail service.
  • pdxaaron, on 10/12/2007, -0/+5And I'm sure your employer just loves the fact that you are connecting their machine within their domain to a private email service bypassing your companies antivirus / antispam filters. Good Times.
  • m00nmaster, on 10/12/2007, -0/+5"And I'm sure your employer just loves the fact that you are connecting their machine within their domain to a private email service bypassing your companies antivirus / antispam filters."

    Not to mention posting unencrypted on Digg.
  • ethicalhacker, on 10/12/2007, -0/+4It's too bad you can't do something like that for Digg. Yes, everything is public once it get's posted, but sometimes you don't want anyone on you're network to know where it came from...
  • CypherXero, on 10/12/2007, -1/+5Use SSH. All traffic is encrypted. End of Story.
  • rxnonu, on 10/12/2007, -0/+4No, they're delivering the content in the protocol you requested. If you ask for an uncrypted http session (by specifying "http://"), then that's what it should deliver. If you ask for an encrypted http session (by specifying "https://"), that's what it delivers.
  • DontSayFanboy, on 10/12/2007, -1/+5HA, I love how someone digged you down for pointing out that this is well known and even advertised in their FAQ. Seems everyone here who post a "well...duh?" has gotted digged down. Way to go, retarded digg readers! Keep on getting all your information from Digg and never ever read the docs.
  • shockme17, on 10/12/2007, -1/+5why are so many stories that are on the front page about topics that have been known for years now?!

    this is ridiculous
  • koick, on 10/12/2007, -0/+3"This article looks at the potential security risks..."bla bla bla could have been boiled down to one line (indeed, even a single letter): https://mail.google.com (don't forget the 's').
  • SoberEmu, on 10/12/2007, -1/+4FYI, this was explained on Security Now, episode 19
    Transcript: http://www.grc.com/sn/SN-019.txt
  • h3r2on, on 10/12/2007, -0/+3ditto!
  • spacebar14, on 10/12/2007, -0/+3So basically...
    Use https instead of http.
    Wow, didn't need an entire article to say that.
  • nu11, on 10/12/2007, -0/+3I wish that when I log into Gmail using the SSL version that when I click on the "Calendar" link at the top of the page it would continue in SSL mode. It defaults back to unencrypted mode. ugh.
  • inactive, on 10/12/2007, -0/+3I thought the article was stupid at first. I forgot that the customizegoogle extension was installed!

    There's also a greasemonkey script out there that lets you login via ssl for yahoo email. Someone will correct me if I'm wrong.

  • Primedeath, on 10/12/2007, -2/+5Cell-phone number? Hah I registered for free, no private information ;p.
  • dukeinlondon, on 10/12/2007, -0/+3No such concern here. gmail is blocked. but my obscure webmail from a french newspaper still works and USB mass storage devices work just fine. IT security people are just kidding themselves.
  • diggitydank, on 10/12/2007, -0/+2Same, here. I heard about this a while back and have been using it ever since. Good information for anybody that was unaware of the https:// for google.
  • MasteRR, on 10/12/2007, -0/+2Well it reduces server load and network traffic slightly, I think. And with the number of users they have it might actually make a difference.
  • PaisteUser, on 10/12/2007, -0/+2Not everything is transported around the world un-encrypted. The organization I work with for example sends SMTP traffic with TLS encryption.
  • socket, on 10/12/2007, -0/+2If they're sniffing your local segment you're screwed. You can transparently MITM an SSL encrypted connection.
  • dougal1985, on 10/12/2007, -0/+2 Maybe saving some CPU cycles, but as someone has said above, they probably have SSL implemented in hardware rather than software, saving load on their critical servers.
  • alexr, on 10/12/2007, -0/+2Agreed. I don't think I've ever accessed gmail over http. Even their pop servers are over SSL.
  • NJank, on 10/12/2007, -0/+2"Your e-mails are not much more secure through your use of SSL to access Google"

    wrong. depending on who you're trying te be secure from, they're much more secure. (i.e., the local leg)
  • battybattybatt, on 10/12/2007, -0/+2Who in security didn't already know this?
  • bubba., on 10/12/2007, -0/+2I agree... I mean come on folks, https is secure, and http is not. Must be a really slow news day for crap like this to make it to the front page.
  • M2Ys4U, on 10/12/2007, -0/+2Only for login... it reverts to http otherwise.
  • inactive, on 10/12/2007, -0/+2I use meebo.com, and after reading this decided to check the URL - it was "http" by default. I tried "https" and was granted a secure session for both login and the chat session...so, I guess the moral is - try to use https wherever applicable.
  • directorblue, on 10/12/2007, -0/+1Just be aware that more and more companies are cracking SSL to monitor webmail, P2P, telephony, etc. Blog post here:

    http://directorblue.blogspot.com/2006/07/think-your-ssl-traffic-is-secure-if.html

  • zeth, on 10/12/2007, -0/+1@shokk
    If you proxy the SSL connection, the client usually gets the certificate for the proxy and not the end-point. Most browsers will tell you that the URL of the remote host does not match the common name in the certificate.
  • Cyggie, on 10/12/2007, -0/+1I think the whole point of this is not to secure your email when it travel around the world... but to keep the bored company IT guy from looking into your personal email when you have to send something to your friend while you're at work... if you really have a need to hide all your email traffic... you'll probably have to use PGP or something similar...
  • tmvander, on 10/12/2007, -0/+1And this whole time I thought adding the 's' was just common sense.
  • Inbal, on 10/12/2007, -0/+1It wasn't a "well... duh?" comment, it was a "Google offered this itself, they aren't just being cheap" comment.
  • hervey, on 10/12/2007, -0/+1I use this FF extension: http://www.customizegoogle.com/
    - go to Options
    - and CHECK Secure (switch to https) in Gmail Tab.
  • jknight, on 10/12/2007, -0/+1I actually looked at the comments for something about customizegoogle.

    Its my favorite extension as it does more than force an https connection for all gmail communications. Highly recommended.
    Other features: lets you search for the same query on other engines from the google results page. kinda cool. Reminds me of the old yahoo pages (near the bottom)
  • Dracker, on 10/12/2007, -0/+1In reply to shokk:

    Unless you were referred by someone else to GMail, there is a step in the registration where Google texts messages you a number to enter. I'm not exactly comfortable with knowledge of how much information Google has about me, hence why GMail shouldn't be used as a truely secure and anonymous mail service.

    But, if you still don't believe me ... check https://www.google.com/accounts/SmsMailSignup1

    I wonder why information is put out, then someone says it isn't true, then people bury one of the comments without checking the facts.
  • jacks0n, on 10/12/2007, -0/+1"how long before google tries to keep this kind of thing from working."
    ...You mean stops it from being 'safe'? No. No, can't happen. But they're "not evil"!
    Impossible.

    < sarcasm / >
  • TheIguana, on 10/12/2007, -0/+1I have always used http-ssl when using Gmail. Pretty cool trick, plus it keeps all those nosey kids out of your business.

    Iggy :)
  • jonnyeh, on 10/12/2007, -0/+1@pkulak: What if the person you are sending to is also on gmail? Then the email never hits the internet (until the recipient looks at it)
  • Andechs, on 10/12/2007, -0/+1The new version of Gmail Notifier will also let you keep the https connection.
  • MasteRR, on 10/12/2007, -0/+1I've been using this since I heard about it about 6 months ago. Too bad it doesn't work with every service I use.
  • Fetching more discussions...
    Show 51 - 84 of 84 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.