Hackers at Defcon demonstrated a tool that breaks into GMail accounts by sniffing unencrypted traffic (a man-in-the-middle attack) and capturing the session cookie, which GMail by default sends over plain HTTP for everything other than the login.
Google has introduced the option to encrypt every transmission to and from GMail, not just the login sequence. Previously GMail encrypted only the login; all other data was sent unencrypted over the wire, which is what makes this kind of hacking possible. Every email and every article you read in your GMail account is transmitted unencrypted over the web.
This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com into a page you are viewing; your browser then sends the cookie with the image request, handing the attacker your session ID. Once this happens the attacker can log in to the account without needing the password. People checking their e-mail from public wireless hotspots are obviously more likely to be attacked than those using secure wired networks.
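The mechanism behind the image trick is plain cookie scoping: a browser attaches a cookie to every request that matches the cookie's host and path, whether the request goes over http or https, unless the cookie carries the Secure attribute. The example below is added here and is not code from the original post or from Google; it uses Python's standard http.cookiejar, which implements browser-style cookie rules, to show which cookie a client would send with a plain-http image request versus an https one. The cookie name, value, paths and Set-Cookie headers are constructed for illustration, and whether GMail marks its cookie Secure is an assumption made only to contrast the two cases.

```python
"""Added example (not from the original post): why a session cookie that is
not marked Secure travels in the clear on any http:// request to the same
host, and why keeping every request on https removes that exposure.

All cookie names, values and URLs below are constructed for illustration;
they are not GMail's real cookie or paths.
"""
import email.message
import urllib.request
from http.cookiejar import CookieJar

# Constructed Set-Cookie headers as a mail site might send them after login.
PLAIN_COOKIE = "session=constructed-session-token-123; Path=/"
SECURE_COOKIE = "session=constructed-session-token-123; Path=/; Secure"

LOGIN_URL = "https://mail.google.com/"  # the login itself is always https
PLAIN_IMAGE_URL = "http://mail.google.com/mail/constructed-image.gif"
HTTPS_IMAGE_URL = "https://mail.google.com/mail/constructed-image.gif"


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info(), which must expose get_all() like a real header set."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header

    def info(self):
        return self._headers


def cookie_header_sent_to(set_cookie_header, url):
    """Store a cookie as if it arrived with the login response, then report
    the Cookie header a browser-like client would attach to a request for
    `url`.  Returns None when no cookie would be sent at all."""
    jar = CookieJar()
    login_request = urllib.request.Request(LOGIN_URL)
    jar.extract_cookies(_FakeResponse([set_cookie_header]), login_request)

    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies host, path and Secure checks
    return request.get_header("Cookie")


def session_exposed_over_plain_http(set_cookie_header):
    """True if the session cookie would travel unencrypted on an http://
    request to the mail host (for instance an image embedded in a page),
    which is exactly what a sniffer on a shared network can read."""
    return cookie_header_sent_to(set_cookie_header, PLAIN_IMAGE_URL) is not None


if __name__ == "__main__":
    for label, header in (("no Secure flag", PLAIN_COOKIE),
                          ("Secure flag", SECURE_COOKIE)):
        print(f"{label}: http image -> "
              f"{cookie_header_sent_to(header, PLAIN_IMAGE_URL)!r}, "
              f"https image -> "
              f"{cookie_header_sent_to(header, HTTPS_IMAGE_URL)!r}")
```

Run as a script, the first line shows the token sent with the plain-http image request, the second shows None for http and the token only for https. From the user's side, "Always use https" achieves the same outcome by never letting the browser issue a plain-http request to the mail host in the first place.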
How can you protect your GMail account from hacking?
The solution is surprisingly simple. After logging in to GMail, go to Settings (General tab). At the bottom of the page you will see Browser Connection; change it to Always use https and save the settings. In Google's words:
To enable this feature in Gmail:
1. Sign in to Gmail.
2. Click Settings at the top of any Gmail page.
3. Set 'Browser Connection' to 'Always use https.'
4. Click Save Changes.
5. Reload Gmail.
That's all you need to do to protect your GMail account from getting hacked. However, there are a few caveats.
1. GMail may become slightly slower. Personally I think it is an acceptable cost for security, but you decide.
2. Gmail Notifier users must download a patch for Gmail Notifier (a downloadable application that alerts you whenever you have new Gmail messages) for it to work with this setting.
3. You may see errors in the Gmail for mobile application after enabling this setting.
Hope you like this post, give me comments about this post and my blog.