Thursday, August 21, 2008

Attention Gmail users: Change your settings to https!

Here is some advice from one of our network security gurus at the UO -- easy to do and well worth doing, just in case.

-------- Original Message --------
Subject: deptcomp: Gmail vulnerability and a workaround
Date: Wed, 20 Aug 2008 12:04:13 -0700
From: Josh Ward

I'm not sure how many of you have been following the session
vulnerability that turned up in gmail last week or so.

If you're not using an encrypted connection to log in to gmail, you are
vulnerable to someone intercepting your session cookie. At this point,
they have the keys to your account and can impersonate you or change
account settings.

A friend of mine at google mailed me these simple directions to get
around the vulnerability (and increase overall security):

The directions are simple:
-=-
How To:
1. Login to Gmail
2. Click on 'Settings' in the upper right corner
3. At the bottom of the Settings page, locate "Browser Connection"
4. Click the button next to "Always use https"
5. Click "save changes" at the bottom of the page.
6. Logout
7. Login
=-=

From now on your Gmail session will be encrypted which is a good thing
for a number of reasons.

Please pass this on to anyone you know who uses Gmail.

Thanks!

-Josh
--
Josh Ward
Security Engineer - University of Oregon - Network Services
P. 541.346.1651 F. 541.346.4397
U of O Security Hotline: 541.346.5837
PGP Fingerprint: CFB6 62C0 370B AD6D BA33 6034 8FFB 4A49 297F 6A4C
=============
follow-up:

Josh,

Good information with one caveat. Enabling persistent https will prevent Gmail notifier from accessing your account. You'll have to install a registry patch on Windows to fix this issue.

The patch and more information can be found here:

http://mail.google.com/support/bin/answer.py?answer=9429&topic=13383

Not sure if it breaks on Macs or not, but here is some information that may help:

http://osxdaily.com/2007/07/12/how-to-use-secure-https-with-gmail-notifier/

--
Tristan Waddington
EMU Marketing
Assistant Web Developer
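
The cookie exposure described in Josh's message, as an added example that is not part of the original post or either email: a browser sends a cookie over plain HTTP unless the server marked it `Secure`, so this sketch audits `Set-Cookie` header values for that flag. The cookie names and header values are constructed samples, not Gmail's.

```python
# Added example; header values below are constructed, not captured traffic.
from typing import List, NamedTuple


class CookieFinding(NamedTuple):
    name: str
    secure: bool    # True: browser only sends it over HTTPS
    httponly: bool  # True: page scripts cannot read it


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie header value into its name and security flags."""
    parts = [p.strip() for p in header_value.split(";")]
    # Only the first '=' separates name from value; the value may contain '='.
    name, _, _value = parts[0].partition("=")
    # Attribute names are case-insensitive (RFC 6265); flags carry no value.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return CookieFinding(name.strip(), "secure" in attrs, "httponly" in attrs)


def audit(set_cookie_headers: List[str]) -> List[str]:
    """Return names of cookies that would also travel over unencrypted HTTP."""
    findings = (parse_set_cookie(h) for h in set_cookie_headers)
    # Without Secure, the cookie is attached to plain-HTTP requests to the
    # same host, where anyone on the network path can read it.
    return [f.name for f in findings if not f.secure]


# Constructed sample: Set-Cookie values as a server might send after login.
SAMPLE = [
    "SESSION=abc123; Path=/; HttpOnly",            # no Secure: exposed
    "SESSION_S=def456; Path=/; Secure; HttpOnly",  # HTTPS only
    "prefs=lang=en; Path=/; secure",               # lowercase flag, '=' in value
    "tracking=xyz; Domain=example.test; Path=/",   # no Secure: exposed
]

if __name__ == "__main__":
    for cookie_name in audit(SAMPLE):
        print(f"{cookie_name}: sent over plain HTTP, readable on the network")
```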
