Secure Gmail From Sniffers
ffldlife.blogspot.com — This article looks at the potential security risks associated with using Gmail, especially in the workplace where traffic may be monitored. It investigates how to keep the HTTP-SSL connection open not just for the login credentials but for the whole Gmail session, so you can read, write and chat without worrying about prying eyes.
- 1725 diggs
- john608, on 10/12/2007, -4/+12: Google, like any site out there, needs to keep the SSL transaction to a minimum. SSL on the server side is a CPU intensive process, so it would just kill their servers if they had everyone doing this. I wonder how long before google tries to keep this kind of thing from working.
- KippyRules, on 10/12/2007, -0/+20: Like most large websites that use SSL, Google offloads SSL to embedded network systems; those systems usually implement SSL in hardware. While these systems are not cheap, Google can afford them and they remove all encryption overhead from Google's actual servers.
- pkulak, on 10/12/2007, -2/+11: It would be safe to say that the only people who went to this much trouble to get SSL want it badly enough to justify Google giving it to them. But in the end, it's a 10-pound deadbolt on a screen door. Once that email is sent, it goes all over the web in plain text.
- shokk, on 10/12/2007, -0/+1: You should look into gateway appliances like BlueCoat that proxy the SSL connection and keep it open to sniff the pipe while it talks to the remote end for you. All this without your knowing that Google is not your actual endpoint. Your ISP could be using one of the larger versions or something more sophisticated and you wouldn't know the difference. BlueCoat isn't even the only one in this product space.
- M2Ys4U, on 10/12/2007, -0/+1: @pkulak: If it's the immediate network you're worried about, then this is good (slagging off your boss... or worse, IT support! Unless you ARE IT support, of course.)
- jonnyeh, on 10/12/2007, -0/+1: @pkulak: What if the person you are sending to is also on gmail? Then the email never hits the internet (until the recipient looks at it).
- zeth, on 10/12/2007, -0/+1: @shokk
If you proxy the SSL connection, the client usually gets the certificate for the proxy and not the end-point. Most browsers will tell you that the URL of the remote host does not match the common name in the certificate.
- jacks0n, on 10/12/2007, -0/+1: "how long before google tries to keep this kind of thing from working."
...You mean stops it from being 'safe'? No. No, can't happen. But they're "not evil"!
Impossible.
< sarcasm / >
- rocke86, on 10/12/2007, -1/+12: You can also do the same thing with Google Calendar. I have been using CustomizeGoogle, which has settings to automatically use the SSL feature with gmail and the calendar.
http://www.customizegoogle.com/
If both you and your recipient use gmail with ssl enabled you can be fairly certain your mail is not being monitored. That is, if you trust Google.
- jknight, on 10/12/2007, -0/+1: I actually looked at the comments for something about customizegoogle.
It's my favorite extension as it does more than force an https connection for all gmail communications. Highly recommended.
Other features: lets you search for the same query on other engines from the google results page. Kinda cool. Reminds me of the old yahoo pages (near the bottom).
- abuser, on 10/12/2007, -4/+0: Yeah, I've been using it with GMail for about a year now.
And these bozos are "investigating" how to keep the HTTPS connection open... Hilarious!
- Andechs, on 10/12/2007, -0/+1: The new version of Gmail Notifier will also let you keep the https connection.
- Dracker, on 10/12/2007, -5/+2: I already use Tor - http://tor.eff.org/ - to anonymize and encrypt the client-server connection for GMail. If the server itself were end-to-end encrypted, there could be a lot more security.
Not that GMail is the best place for secure email. After all, you had to give your name and cell phone # when you registered.
- Primedeath, on 10/12/2007, -2/+5: Cell-phone number? Hah, I registered for free, no private information ;p.
- shokk, on 10/12/2007, -0/+8: You've never had to give them any real information, you stooge. You're just typing in your real info as a kneejerk reaction to seeing an entry for such info. Pavlov's bell tolls for thee.
- Dracker, on 10/12/2007, -0/+1: In reply to shokk:
Unless you were referred by someone else to GMail, there is a step in the registration where Google text messages you a number to enter. I'm not exactly comfortable with knowledge of how much information Google has about me, hence why GMail shouldn't be used as a truly secure and anonymous mail service.
But, if you still don't believe me ... check https://www.google.com/accounts/SmsMailSignup1
I wonder why information is put out, then someone says it isn't true, then people bury one of the comments without checking the facts.
- MasteRR, on 10/12/2007, -0/+1: I've been using this since I heard about it about 6 months ago. Too bad it doesn't work with every service I use.
- diggitydank, on 10/12/2007, -0/+2: Same here. I heard about this a while back and have been using it ever since. Good information for anybody that was unaware of the https:// for google.
- sujal, on 10/12/2007, -6/+1: Isn't this sort of silly? Your email is on a third-party web site, and your receipts shouldn't have the full card number anyway. I'm all for privacy and I take it and security fairly seriously, but this seems on the very fringes of paranoia. Of course, if it makes you feel better and Google doesn't mind, go right ahead and do this.
- MasteRR, on 10/12/2007, -0/+7: It might be paranoia, but when all it takes is adding a single letter to an address/bookmark, why not do it? It doesn't hurt.
- ViperDaimao, on 10/12/2007, -1/+2: You missed the point. It's explicitly stated in the article and summary here that this would be to keep any sniffers at your work from reading your email.
- ezrider0, on 10/12/2007, -1/+1: I was most concerned when I wrote it that my employer might be sniffing my network traffic. I work in a very secure environment and don't want them monitoring my gmail chats. Paranoia is critical!
- pdxaaron, on 10/12/2007, -0/+5: And I'm sure your employer just loves the fact that you are connecting their machine within their domain to a private email service, bypassing your company's antivirus / antispam filters. Good times.
- m00nmaster, on 10/12/2007, -0/+5: "And I'm sure your employer just loves the fact that you are connecting their machine within their domain to a private email service, bypassing your company's antivirus / antispam filters."
Not to mention posting unencrypted on Digg.
- dukeinlondon, on 10/12/2007, -0/+3: No such concern here. gmail is blocked, but my obscure webmail from a French newspaper still works and USB mass storage devices work just fine. IT security people are just kidding themselves.
- droud, on 10/12/2007, -2/+1: E-mails are transported around the world (and to Google) over a completely unencrypted transport mechanism called SMTP. Your e-mails are not much more secure through your use of SSL to access Google.
- PaisteUser, on 10/12/2007, -0/+2: Not everything is transported around the world unencrypted. The organization I work with, for example, sends SMTP traffic with TLS encryption.
- MasteRR, on 10/12/2007, -0/+6: Very true, but the server-to-server connections are much less likely to be sniffed by your work's netadmin or that little cracker at the coffee shop running Ethereal.
- miguelrdp, on 10/12/2007, -0/+1: Well, there is such a thing as encrypted SMTP. Don't know if big providers use it or not, but it exists.
- socket, on 10/12/2007, -3/+4: Yah, it's called SMTP with TLS. Like the fellow above mentioned, dummy. In my opinion you have very little to gain from encryption on that level. If you take care of it at the application layer then none of that nonsense is needed. This allows the end users to duke it out how they want to implement their encryption schemes. It lets the providers do what they're best at... moving data, fast. Instead of wasting time trying to agree on something they'll never really agree on.
- miguelrdp, on 10/12/2007, -1/+2: Obviously my comment about encrypted SMTP was written at the same time as "the fellow above", or I wouldn't have mentioned it, dummy :P
I agree that if you really want security you should use something like PGP, but the problem is that with the massification of email and the internet, an end user might not be aware that it exists, or how to use it! So it may be up to the mail providers to try and give their best effort in regard to the security of the packets. On the other hand, people have to be educated about the complex issues that arise when using an inherently unsafe protocol to exchange important messages.
- NJank, on 10/12/2007, -0/+2: "Your e-mails are not much more secure through your use of SSL to access Google"
Wrong. Depending on who you're trying to be secure from, they're much more secure. (i.e., the local leg)
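The SMTP-with-TLS point raised by PaisteUser, miguelrdp and socket above is that server-to-server encryption is negotiated per hop with the STARTTLS extension, and the client only learns that the server offers it from the EHLO reply. The block below is an added example, not code from the article or from any of the commenters: it parses a constructed EHLO reply and shows the difference between opportunistic TLS (fall back to cleartext if STARTTLS is absent) and mandatory TLS, including the case where an on-path device has stripped the STARTTLS line. The server replies, host names and sizes are made up for illustration.

```javascript
// Added example: SMTP STARTTLS negotiation as a pure function over the
// server's EHLO reply, so the decision logic runs without a network.
// The EHLO replies below are constructed for illustration.
"use strict";

// Parse a multi-line EHLO reply ("250-" continuation lines, "250 " final line)
// into the list of advertised extensions, upper-cased.
function parseEhlo(reply) {
  const lines = reply.split(/\r?\n/).filter(l => l.length > 0);
  const exts = [];
  for (const line of lines) {
    const m = /^250([ -])(.*)$/.exec(line);
    if (!m) throw new Error("unexpected EHLO reply line: " + line);
    exts.push(m[2].trim().toUpperCase());
    if (m[1] === " ") break;            // "250 " marks the last line
  }
  return exts.slice(1);                 // first line is the server's greeting
}

// Decide the client's next command. `requireTls` selects between opportunistic
// TLS (continue in cleartext when STARTTLS is missing) and mandatory TLS (abort).
function nextStep(ehloReply, requireTls) {
  const exts = parseEhlo(ehloReply);
  if (exts.some(e => e === "STARTTLS")) return "STARTTLS";
  return requireTls ? "QUIT" : "MAIL FROM (cleartext)";
}

// Constructed EHLO reply from a server that supports STARTTLS.
const EHLO_WITH_TLS =
  "250-mail.example.net Hello client.example.org\r\n" +
  "250-SIZE 35882577\r\n" +
  "250-STARTTLS\r\n" +
  "250 8BITMIME\r\n";

// The same reply as an on-path device could rewrite it: only the STARTTLS
// line is dropped, so an opportunistic client sees nothing unusual.
const EHLO_STRIPPED =
  "250-mail.example.net Hello client.example.org\r\n" +
  "250-SIZE 35882577\r\n" +
  "250 8BITMIME\r\n";

// Run the four combinations and return a map from case name to decision.
function demo() {
  return {
    honest_opportunistic:   nextStep(EHLO_WITH_TLS, false),
    honest_required:        nextStep(EHLO_WITH_TLS, true),
    stripped_opportunistic: nextStep(EHLO_STRIPPED, false),
    stripped_required:      nextStep(EHLO_STRIPPED, true),
  };
}

console.log(demo());
```

The practical reading of the output: with opportunistic TLS the stripped reply leads straight to `MAIL FROM` in cleartext, which is why "my organisation sends SMTP with TLS" only guarantees encryption on a hop where the client is configured to refuse cleartext.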
- PaisteUser, on 10/12/2007, -0/+5: I'm surprised people aren't more critical of how the even bigger e-mail sites handle encryption; Hotmail, Yahoo, AOL, they all use plain text when communicating with your web browser. I find it nice to actually find an e-mail service where my webmail session is actually fully SSL encrypted. Other e-mail providers should take note of this, as this is one of the reasons I use Gmail as my primary e-mail service.
- rxnonu, on 10/12/2007, -10/+1: https://mail.google.com/mail/
That will stay SSL encrypted for the entire session. As long as it's open. Forever.
Off to read the article now though...
- rxnonu, on 10/12/2007, -3/+0: Yeah, that's what the article says. Additionally I tried to find a similar workaround for Yahoo Mail, but did not succeed.
- CraigJ, on 10/12/2007, -4/+2: Uh, thanks for the info... BTW, did you read the article?
- doodlebumm, on 10/12/2007, -1/+2: This is the method that I've been using for months. As an added benefit, the chats that come through the mail interface are encrypted, too.
- nu11, on 10/12/2007, -0/+3: I wish that when I log into Gmail using the SSL version and click on the "Calendar" link at the top of the page it would continue in SSL mode. It defaults back to unencrypted mode. Ugh.
- Inbal, on 10/12/2007, -0/+1: I don't know what Calendar link on GMail you're talking about, but see the CustomizeGoogle discussion above to automatically open GMail and Google Calendar on https.
- socket, on 10/12/2007, -0/+2: If they're sniffing your local segment you're screwed. You can transparently MITM an SSL encrypted connection.
- ezrider0, on 10/12/2007, -0/+1: True, but that is expensive to monitor in real time. Also, in regards to the prior comment about my employer liking that I use gmail at work: we are encouraged to use web-based email for all personal emails while at work, thus keeping our work emails uncluttered with personal stuff. Using gmail/talk is allowed, I just wanted to make sure it was secure.
- staticsage, on 10/12/2007, -0/+0: I thought that to perform a MITM, they would have to get you to accept their certificate. Is it different in a corporate environment?
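zeth's comment above describes the check that makes a plain SSL proxy visible (the certificate's name does not match the host you asked for), and staticsage's question is why a corporate intercept does not trigger it: the company installs its own CA in the browser's trust store, so the forged certificate validates cleanly. The block below is an added example, not code from the article, from BlueCoat or from any commenter. It runs the two checks on constructed certificate records: hostname matching against the subject names, and whether the chain only validates through an issuer that is not a public CA. Every certificate, issuer name and trust store in it is made up for illustration.

```javascript
// Added example: the hostname check browsers perform, plus the issuer check a
// user would need to spot a locally trusted intercept CA. Certificate records
// and trust stores here are constructed, not taken from a real handshake.
"use strict";

// RFC 6125-style matching of one presented name against the requested host.
// A wildcard covers exactly one left-most label: "*.google.com" matches
// "mail.google.com" but not "a.b.google.com" and not "google.com".
function nameMatches(pattern, hostname) {
  const p = pattern.toLowerCase();
  const h = hostname.toLowerCase();
  if (!p.startsWith("*.")) return p === h;
  const suffix = p.slice(1);                       // ".google.com"
  if (!h.endsWith(suffix)) return false;
  const prefix = h.slice(0, h.length - suffix.length);
  return prefix.length > 0 && !prefix.includes(".");
}

// Does the certificate cover `hostname`? Browsers consult the SAN list and
// fall back to the subject CN only when no SANs are present.
function hostnameMatches(hostname, cert) {
  const names = cert.subjectAltNames && cert.subjectAltNames.length
    ? cert.subjectAltNames
    : [cert.subjectCN];
  return names.some(n => nameMatches(n, hostname));
}

// Classify a leaf certificate presented for `hostname`.
// `trustedIssuers`: the machine's trust store (constructed).
// `publicIssuers`: the subset of that store the user knows to be public CAs.
// A certificate that is trusted only because of an issuer outside that subset
// is the signature of an intercepting proxy with a locally installed CA.
function inspectCert(hostname, cert, trustedIssuers, publicIssuers) {
  const hostnameOk = hostnameMatches(hostname, cert);
  const trusted = trustedIssuers.includes(cert.issuer);
  const intercepted = trusted && !publicIssuers.includes(cert.issuer);
  return {
    browserWarns: !hostnameOk || !trusted,   // what the user is shown
    intercepted,                             // what the user has to look for
  };
}

// Constructed certificate records.
const GENUINE = {           // the real endpoint, issued by a public CA
  subjectCN: "mail.google.com", subjectAltNames: ["mail.google.com"], issuer: "Public CA",
};
const PROXY_OWN_NAME = {    // zeth's case: the proxy presents its own certificate
  subjectCN: "proxy.corp.example", subjectAltNames: ["proxy.corp.example"], issuer: "Public CA",
};
const PROXY_FORGED = {      // intercept appliance minting a cert for the real name
  subjectCN: "mail.google.com", subjectAltNames: ["*.google.com"], issuer: "Corp Intercept CA",
};

const PUBLIC_CAS = ["Public CA"];
const STORE_HOME = ["Public CA"];                       // no corporate CA installed
const STORE_CORP = ["Public CA", "Corp Intercept CA"];  // corporate CA pushed to the machine

console.log("genuine, home:", inspectCert("mail.google.com", GENUINE, STORE_HOME, PUBLIC_CAS));
console.log("proxy own name:", inspectCert("mail.google.com", PROXY_OWN_NAME, STORE_HOME, PUBLIC_CAS));
console.log("forged, home:", inspectCert("mail.google.com", PROXY_FORGED, STORE_HOME, PUBLIC_CAS));
console.log("forged, corp:", inspectCert("mail.google.com", PROXY_FORGED, STORE_CORP, PUBLIC_CAS));
```

The last case is the one that matters for the thread: on a machine where the corporate CA is trusted, the forged certificate passes both the name check and chain validation, so the browser shows the padlock and the only visible clue is the issuer name in the certificate viewer.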
- falafelboy, on 10/12/2007, -0/+3: I thought the article was stupid at first. I forgot that the customizegoogle extension was installed!
There's also a greasemonkey script out there that lets you login via ssl for yahoo email. Someone will correct me if I'm wrong.
- Recluse, on 10/12/2007, -5/+4: Who doesn't know about this?
- warfang, on 10/12/2007, -0/+6: Well, this allows me to use gmail at work now :)
- Chromoly, on 10/12/2007, -1/+0: Knowing nothing about Greasemonkey or how to write a Firefox extension, it would be nice if there was a script that tried to force https for every address one types or clicks through.
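What CustomizeGoogle's "Secure (switch to https)" option and the Greasemonkey scripts mentioned in this thread do is a redirect from the http:// form of a page to its https:// form. The block below is an added example of that rewrite, not CustomizeGoogle's code nor any script from the thread; the host list is an assumption (the thread itself names mail.google.com and Google Calendar), and the rewrite is kept as a pure function so it can be checked outside a browser.

```javascript
// Added example: a Greasemonkey-style http:// -> https:// rewrite for a fixed
// list of hosts. Not CustomizeGoogle's code; the host list is an assumption.
"use strict";

// Hosts to force onto https. mail.google.com is documented by Gmail's help
// page linked later in the thread; calendar.google.com is assumed.
const HTTPS_HOSTS = ["mail.google.com", "calendar.google.com"];

// Return the https:// form of `url` when its host (or a subdomain of it) is
// on the list; otherwise return the URL unchanged. Relative or malformed
// input is left alone rather than guessed at.
function secureUrl(url, hosts = HTTPS_HOSTS) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return url;                               // not an absolute URL
  }
  if (parsed.protocol !== "http:") return url;  // already https, or ftp/file/etc.
  const host = parsed.hostname.toLowerCase();
  const wanted = hosts.some(h => host === h || host.endsWith("." + h));
  if (!wanted) return url;
  parsed.protocol = "https:";                 // path, query and fragment survive
  return parsed.toString();
}

// Browser entry point: as a user script this runs on page load and replaces
// the current location. Under Node there is no `window`, so nothing happens
// and the functions above can be exercised directly.
if (typeof window !== "undefined" && window.location) {
  const target = secureUrl(window.location.href);
  if (target !== window.location.href) window.location.replace(target);
}
```

One caveat a user-script approach cannot fix: the redirect happens after the first http:// request has already gone out, so the page's cookies for that host travel in cleartext once; only the server (or a browser-level rule) can prevent that initial request.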
- abuser, on 10/12/2007, -3/+0: Yes, you genius, now you can do that!
Before, evil Google didn't let you do that, but now they hacked it and you are free!
- okvol, on 10/12/2007, -0/+1: However, if your company runs a proxy that has an encryption card for SSL intercept, this won't help. Check out the SSL Intercept options of a Bluecoat ProxySG.
- CypherXero, on 10/12/2007, -1/+5: Use SSH. All traffic is encrypted. End of story.
- h3r2on, on 10/12/2007, -0/+3: Ditto!
- kraka40, on 10/12/2007, -1/+0: Dude... ssh is not the solution. If you want an encrypted tunnel from a web client to a web server you need to use SSL, unless there is an SSH server outside your corporate firewall and you are savvy enough to forward your Google HTTP traffic through it...
Geez
- bsinclair2006, on 10/12/2007, -2/+2: Yes to Google! http://www.oozm.com/Google_Everything
- ethicalhacker, on 10/12/2007, -0/+4: It's too bad you can't do something like that for Digg. Yes, everything is public once it gets posted, but sometimes you don't want anyone on your network to know where it came from...
- ethicalhacker, on 10/12/2007, -0/+1: I'd like to see them encrypt searches and results, too. I don't think it will happen any time soon, but it would be nice to have a secure search engine if you're on a network you don't trust.
- M2Ys4U, on 10/12/2007, -1/+1: You mean, like, The Internet?
- looksliketrent, on 10/12/2007, -2/+16: This is nothing new.
https://mail.google.com/
They even have a note on it in their help section.
https://mail.google.com/support/bin/answer.py?answer=8155
- DontSayFanboy, on 10/12/2007, -1/+5: HA, I love how someone dugg you down for pointing out that this is well known and even advertised in their FAQ. Seems everyone here who posts a "well...duh?" has gotten dugg down. Way to go, retarded digg readers! Keep on getting all your information from Digg and never ever read the docs.
- Inbal, on 10/12/2007, -0/+1: It wasn't a "well... duh?" comment, it was a "Google offered this itself, they aren't just being cheap" comment.
- estrabd, on 10/12/2007, -0/+2: I use meebo.com, and after reading this decided to check the URL - it was "http" by default. I tried "https" and was granted a secure session for both login and the chat session... so, I guess the moral is: try to use https wherever applicable.
- minc3d, on 10/12/2007, -0/+1: Security Now from the TWiT podcast network covered this a while back and I've been doing it ever since. A good read though, because a lot more people should be doing this! Google has more than enough server power..... let's not worry about that.
- shockme17, on 10/12/2007, -1/+5: Why are so many stories that are on the front page about topics that have been known for years now?!
This is ridiculous.
- bubba., on 10/12/2007, -0/+2: I agree... I mean, come on folks, https is secure, and http is not. Must be a really slow news day for crap like this to make it to the front page.
- alexr, on 10/12/2007, -0/+2: Agreed. I don't think I've ever accessed gmail over http. Even their POP servers are over SSL.
- koick, on 10/12/2007, -0/+3: "This article looks at the potential security risks..." bla bla bla could have been boiled down to one line (indeed, even a single letter): https://mail.google.com (don't forget the 's').
- SoberEmu, on 10/12/2007, -1/+4: FYI, this was explained on Security Now, episode 19.
Transcript: http://www.grc.com/sn/SN-019.txt
- spacebar14, on 10/12/2007, -0/+3: So basically...
Use https instead of http.
Wow, didn't need an entire article to say that.
- TheIguana, on 10/12/2007, -0/+1: I have always used http-ssl when using Gmail. Pretty cool trick, plus it keeps all those nosey kids out of your business.
Iggy :)
- MASH007, on 10/12/2007, -2/+0: Wait wait wait, when I type in gmail.com, it automatically goes to the https site. What's this fuss about it automatically switching to http? Even if I type in http://www.gmail.com, it STILL changes to https:... this article is BS!
- M2Ys4U, on 10/12/2007, -0/+2: Only for login... it reverts to http otherwise.
- Lazerbeak, on 10/12/2007, -0/+0: Another good tip is to coat your computer cable wires in foil; this stops the FBI from sniffing the signal with their secret special device.
- battybattybatt, on 10/12/2007, -0/+2: Who in security didn't already know this?
- battybattybatt, on 10/12/2007, -4/+1: Who in security didn't already know this? test 2
- battybattybatt, on 10/12/2007, -3/+1: Edit counter resets on use of browser back button (is that an oops? or a feature?) NO:
Pop Quiz - why should it matter when I am commenting on or editing myself? That part can be fixed, I think/hope.
- battybattybatt, on 10/12/2007, -3/+1: OK, well I was commenting on myself virtually, and there is no excuse (or fix) for that. Sorry. But, editing myself, there is an excuse and we shouldn't be forced to take the Pop-Quiz in those cases!
Actually, the counter does reset, but only in code, not in "server reality".
-----Update to the Update: I just noticed that the 60 second timer imposed is a handy guide to how often I shouldn't be commenting! Now that is something I need.
- bowenr, on 10/12/2007, -0/+1: People also have to take into account that using anything unencrypted on a wireless hotspot is particularly dangerous. I for one will use a VPN connection whenever transferring any information. Not that I am particularly paranoid about someone looking, but with a wireless connection you never really know who is out there listening.
- hashkaran, on 10/12/2007, -0/+1: 118-day-old story talking about the same thing:
http://digg.com/security/How_to_have_secure_chat_session_through_GMail
- Cyggie, on 10/12/2007, -0/+1: I think the whole point of this is not to secure your email when it travels around the world... but to keep the bored company IT guy from looking into your personal email when you have to send something to your friend while you're at work... if you really have a need to hide all your email traffic... you'll probably have to use PGP or something similar...
- hervey, on 10/12/2007, -0/+1: I use this FF extension: http://www.customizegoogle.com/
- go to Options
- and CHECK Secure (switch to https) in the Gmail tab.
- directorblue, on 10/12/2007, -0/+1: Just be aware that more and more companies are cracking SSL to monitor webmail, P2P, telephony, etc. Blog post here:
http://directorblue.blogspot.com/2006/07/think-your-ssl-traffic-is-secure-if.html
- tmvander, on 10/12/2007, -0/+1: And this whole time I thought adding the 's' was just common sense.