How to protect your Gmail account, 2008 09 04 1249

Enabling SSL in Gmail

Researchers at a Defcon hackers’ conference revealed a flaw in the way Google’s Gmail handles session cookies. According to the Hacking Truths web site:

The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID.

However, Google does provide a way to prevent that risk. Log in to your Gmail account and click the Settings link in the upper right-hand corner of the page. At the bottom of that page, look for the Browser connection section and make sure that Always use https is enabled.
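
The cookie behaviour quoted above, as an added example that is not part of the original article or of Gmail's code: a simplified JavaScript model of browser cookie matching, showing that a session cookie set without the standard Secure attribute is attached to a plain-HTTP image request, while the same cookie marked Secure is sent only over https. The host name, cookie names and values are constructed placeholders, and default-path handling is simplified to "/".

```javascript
// Simplified model of browser cookie matching (added example, not Gmail's code).
// Parse one Set-Cookie header value received from originHost.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: originHost, hostOnly: true, path: "/", secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "path" && v.startsWith("/")) cookie.path = v.trim();
    else if (key === "domain" && v) {
      cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false; // Domain attribute also covers subdomains
    }
  }
  return cookie;
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const { protocol, hostname, pathname } = new URL(url);
  return jar.filter((c) => {
    const hostOk = c.hostOnly
      ? hostname === c.domain
      : hostname === c.domain || hostname.endsWith("." + c.domain);
    const prefix = c.path.endsWith("/") ? c.path : c.path + "/";
    const pathOk = pathname === c.path || pathname.startsWith(prefix);
    const schemeOk = !c.secure || protocol === "https:"; // Secure => https only
    return hostOk && pathOk && schemeOk;
  }).map((c) => c.name);
}

// Constructed sample data: placeholder host and cookie names.
const HOST = "mail.example.com";
const weakJar = ["SESSION_DEMO=abc123; Path=/", "LANG_DEMO=en; Path=/"]
  .map((h) => parseSetCookie(h, HOST));
const hardenedJar = ["SESSION_DEMO=abc123; Path=/; Secure", "LANG_DEMO=en; Path=/"]
  .map((h) => parseSetCookie(h, HOST));

// An image referenced over http:// makes the browser issue a cleartext request.
const IMG_URL = "http://mail.example.com/images/logo.gif";
function exposedOverHttp(jar) {
  return cookiesSentTo(IMG_URL, jar);
}

console.log("without Secure:", exposedOverHttp(weakJar));
console.log("with Secure:   ", exposedOverHttp(hardenedJar));
```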