On Thu, 06 Aug 2009 00:07:57 -0400 Nick Lidakis <nlida...@verizon.net> wrote:
> On Wed, Aug 05, 2009 at 07:45:48AM -0400, Zachary Uram wrote:
>
> > 2) How do I make my laptop more secure so others on wifi network can't
> > steal or sniff my packets?
> >
>
> If you're using Gmail over wifi you should be logging in with
> https:gmail.com. Using https encrypts not just the login but the entire
> session. You should see, in Firefox, the little yellow lock in the
> lower right hand corner of the screen to validate this.

I don't think that this is correct:

"A security researcher at the Defcon hacker conference in Las Vegas on Saturday demonstrated a tool he built that allows attackers to break into your inbox even if you are accessing your Gmail over a persistent, encrypted session (using https:// versus http://).

When you log in to Gmail, Google's servers will place what's called a "session cookie," or small text file, on your machine. The cookie identifies your machine as having presented the correct user name and password for that account, and it can allow you to stay logged in to your account for up to two weeks if you don't manually log out (after which the cookie expires and you are forced to present your credentials again).

The trouble is that Gmail's cookie is set to be transmitted whether or not you are logged in with a secure connection. Now, cookies can be marked as "secure," meaning they can only be transmitted over your network when you're using a persistent, encrypted (https://) session. Any cookies that lack this designation, however, are sent over the network with every Web page request made to the Web server of the entity that set the cookie -- regardless of which of the above-described methods a Gmail subscriber is using to read his mail.

As a result, even if you are logged in to Gmail using a persistent, encrypted https:// session, all that an attacker sniffing traffic on your network would need do to hijack your Gmail account is force your browser to load an image or other content served from http://mail.google.com. After that, your browser would cough up your session cookie for Gmail, and anyone recording the traffic on the network would now be able to access your Gmail inbox by simply loading that cookie on their machine."

http://voices.washingtonpost.com/securityfix/2008/08/new_tool_automates_cookie_stea.html

And see:

http://fscked.org/blog/fully-automated-active-https-cookie-hijacking

The correct fix (from the WaPo article):

"Web sites can say, 'Only transmit cookies for the https:// version of these image elements, but Gmail, Facebook, Amazon and a whole bunch of other sites just don't do this," Perry said.

I should note here that this attack is hardly new. Perry said he told Google about this problem a year ago, about the same time he posted an alert to the Bugtraq security mailing list about it. Late last month, Google finally announced a new setting for Gmail users labeled "Always Use https://". While people who have selected this option are immune from this attack, many Gmail users may errantly assume that they are just as protected if they start the login process by typing a persistent, encrypted connection (https://mail.google.com) into their browser. Without checking the new "Always Use https://" setting in Gmail, users remain vulnerable to this attack.

"Google did not explain why using this new feature was so important," Perry said. "This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they're secure but they're really not.""

And see:

http://fscked.org/blog/how-properly-provide-mixed-http-and-https-support

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
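
The cookie rule described in the quoted article, as an added example that is not part of the original message or the cited articles: it models when a browser attaches a cookie to a request and audits Set-Cookie headers for a missing "secure" mark. The host `mail.example.test`, the cookie name `SESSION` and both headers are constructed, and path matching is simplified to a prefix check.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie header values for a hypothetical site.
WEAK = "SESSION=abc123; Domain=mail.example.test; Path=/"
HARDENED = "SESSION=abc123; Domain=mail.example.test; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Return (name, morsel) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    name = next(iter(jar))
    return name, jar[name]


def sent_on_request(header, url):
    """Model the rule from the article: a cookie marked Secure is attached
    only to https:// requests; an unmarked one goes with every request to
    the matching host, encrypted or not."""
    _, morsel = parse_set_cookie(header)
    parts = urlsplit(url)
    domain = morsel["domain"].lstrip(".").lower()
    host = (parts.hostname or "").lower()
    if host != domain and not host.endswith("." + domain):
        return False  # different site: cookie is not in scope
    if not parts.path.startswith(morsel["path"] or "/"):
        return False  # simplified path check (prefix only)
    if morsel["secure"] and parts.scheme != "https":
        return False  # Secure cookie is withheld from plaintext requests
    return True


def audit(headers):
    """List cookie names that would be sent on plaintext http:// requests."""
    findings = []
    for header in headers:
        name, morsel = parse_set_cookie(header)
        if not morsel["secure"]:
            findings.append(name)
    return findings


if __name__ == "__main__":
    image_url = "http://mail.example.test/img.gif"  # constructed plaintext request
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "cookie sent over http:", sent_on_request(header, image_url))
    print("cookies missing Secure:", audit([WEAK, HARDENED]))
```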