![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
If you have a Google Mail (Gmail) account, go to the page, log in, click on Settings|General, go down to Browser Connections and click on "Always use https" if you haven't already. Do it now.
Apparently someone named Mike Perry was concerned that this feature was optional and people were not using it. So concerned, in fact, that he has (again apparently) released to the public a tool by which accounts not thus protected can be easily hacked. There was (again apparently) a two-week warning.
Thus far the facts, as I understand them. Thanks to
pbristow for bringing this to my attention.
I have found many things on the web that have made me angry. This is one. If it is generally accepted that hacking email accounts is a bad thing, an evil action, then it is evil no matter what the excuse. Deliberately releasing wolves into the village to get people to put up stronger shutters is not morally acceptable. Depending on timing, this person may or may not be ultimately responsible for
sibylle's Gmail account being hacked and all the distress and hassle attendant thereupon, to name just one case known to me personally. There is no justification. NONE! If all the above is true as I understand it, then the man should be punished to the full extent of whatever law exists to deal with data thieves.
I resent being railroaded, stampeded, bushwhacked or hornswoggled. I am perfectly capable of abandoning the net altogether if this is how things are done. I have plenty else to do.
I will be watching most carefully for any further signs of this kind of criminal irresponsibility masquerading as "public spirit." I suggest everyone who reads this does likewise.
Apparently someone named Mike Perry was concerned that this feature was optional and people were not using it. So concerned, in fact, that he has (again apparently) released to the public a tool by which accounts not thus protected can be easily hacked. There was (again apparently) a two-week warning.
Thus far the facts, as I understand them. Thanks to
![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif)
I have found many things on the web that have made me angry. This is one. If it is generally accepted that hacking email accounts is a bad thing, an evil action, then it is evil no matter what the excuse. Deliberately releasing wolves into the village to get people to put up stronger shutters is not morally acceptable. Depending on timing, this person may or may not be ultimately responsible for
![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif)
I resent being railroaded, stampeded, bushwhacked or hornswoggled. I am perfectly capable of abandoning the net altogether if this is how things are done. I have plenty else to do.
I will be watching most carefully for any further signs of this kind of criminal irresponsibility masquerading as "public spirit." I suggest everyone who reads this does likewise.
no subject
Date: 2008-09-09 06:57 am (UTC)And amen with bells on to all of the above.
***not impressed by Mr. Perry...!***
no subject
Date: 2008-09-09 07:10 am (UTC)no subject
Date: 2008-09-09 08:17 am (UTC)And Google has done it again with Chrome. Check out ZDNet's article on that. Same deal, nasty scum exploit holes which shouldn't have been there in the first place. http://blogs.zdnet.com/security/?p=1865
no subject
Date: 2008-09-09 08:47 am (UTC)no subject
Date: 2008-09-09 10:01 am (UTC)no subject
Date: 2008-09-09 11:13 am (UTC)The problem was that it was an option only if you went to a preferences page, and even then it wasn't exactly obvious. By default, if you created a gmail account the option was set to HTTP, you had to take special action to change it.
The thing is that there was no excuse at all for them to use non-secure HTTP for the rest of the site. Since you had to use HTTPS to log in they could just have easily stayed with HTTPS for the rest of the session (if your browser couldn't support HTTPS -- and as far as I know all browsers available now can -- then you couldn't have logged on at all).
This contrasts with LJ, which allows you to log in using non-secure HTTP if you need to and then the rest of the transactions are all HTTP regardless of how you logged on. In LJ's case they would need to remember which was used for logging in (or whether the person was logged in at all) and use that, which would make the generation of links more difficult. Or stop supporting HTTP entirely.
no subject
Date: 2008-09-09 10:08 am (UTC)1) if you don't use wifi, this doesn't affect you (directly)
2) when you type a login name and password into a webpage (or any other personal information), the URL for the webpage should begin "https" (note the "s") otherwise you are sending your password and details across the internet in plain text and it can be read by any node that the data passes through.
3) Google were sending back a "ok, you're logged in, we'll remember you passed authentication" cookie which *can* be set to only be sent over a secure encrypted https connection, but Google didn't bother, so anyone that could see that packet (e.g. a wifi sniffer) could catch that cookie and for the next few days login as you to GMail.
4) Mike Perry pointed this out to Google a year ago and they did nothing. Only after threatening to release the tool at this years DefCon (hackers conference) did Google finally agree to fix the cookie problem with they said they would do by the 4th and Mike Perry agreed to wait to release his tool until they fixed that hole.
5) It's a known problem with secure sites since 1997 when the secure cookie flag was added to stop this very problem and most banks and such do this properly, Mike was pointing out that Google, Amazon, Twitter and several other sites *should* have got this right, had ignored him and were still leaving their sites vulnerable.
6) as far as I can tell from his website the tool (Cookie Monster) is still being used as a lever to get the big sites to make their connections secure.
It's more like someone pointing out that the bank leaves their back door open at night and everyone's money could be stolen. And the bank does nothing. So the warning is given again, and the bank does nothing. So then an announcement is put in the paper saying "the bank is vulnerable and I've told them how to fix it, and they can't be bothered. Next week I'll print how someone can take all your money out of the bank" and now the bank is finally paying attention. Whether Mike Perry would have actually released the tool is an interesting question (once the sites are fixed then it shouldn't be an issue)
Oh, and Google should never have allowed people to login without using a secure login page, it's just asking for trouble as there are too many nasty people out there on the net.
At least Mike Perry made it very public and (on his website and at the presentation which made it into the Washington Post and many other major media outlets) said which sites needed to be fixed and offered to wait to release the tool until they got the sites sorted out.
So, yes, releasing the tool is bad ... but he could have just sold it to the Russians/Chinese/Spammers last year (many of whom already know about this cookie and/or wifi weakness and have been using it to hijack ebay accounts etc.)
Typing your password into a screen in a webcafe or wifi hotspot is a bit like shouting out your password in a foreign language and hoping no-one is listening or understands the language. It's *much* better to make sure you always use secure/encrypted connections, especially when using wifi, but for that matter, anytime you're sending personal data.
no subject
Date: 2008-09-09 01:37 pm (UTC)Sorry I got steamed about it (though it wasn't at you, of course) but I don't like people who think causing panic is justifiable.
no subject
Date: 2008-09-09 11:44 am (UTC)no subject
Date: 2008-09-09 08:20 pm (UTC)The codemonkey item that I link to from there says in part
Makes you feel a little vulnerable knowing all your public information was so nakedly exposed over the past few years, huh? Did Google know about this?
It turns out they were well aware of it. The reason Google didn’t grant users the SSL feature before, according to Perry, was because SSL is expensive. It takes a lot of bandwidth and time on both the receiver and transmitter sides to generate keys and encrypt data. Slower data connections would experience a lagging Gmail experience.
Google knew about it. Why didn't THEY warn us?
(This is intended as a historical note, not an "I told you so".)
no subject
Date: 2008-09-09 08:21 pm (UTC)The webmonkey item linked to from there says in part Google knew about it. Why didn't THEY warn us?
(This is intended as a historical note, not an "I told you so".)
no subject
Date: 2008-09-09 09:02 pm (UTC)Seriously. I am not techie literate, nor do I have the time or brain space to become so; I visit lots of sites and I assume that their security is adequate, and it's worked so far touch wood. If I can't rely on that, then my only completely safe course is to quit using the web and advise Jan to do the same.
Of course, this is an extreme reaction, but so was Mr Perry's. Had I received an ordinary message (and I have to say that I didn't look at yours, so my argument is admittedly weak) advising me of the problem and to change that setting in Gmail, I would have done it and thought no more about it. He chose the suicide bomber approach, and as I have said elsewhere, he deserves anything he gets.