
Re: wi-fi security?



On Thu, 06 Aug 2009 00:07:57 -0400
Nick Lidakis <nlidakis@verizon.net> wrote:

> On Wed, Aug 05, 2009 at 07:45:48AM -0400, Zachary Uram wrote:
> 
> > 2) How do I make my laptop more secure so others on wifi network can't
> > steal or sniff my packets?
> > 
> 
> If you're using Gmail over wifi you should be logging in with
> https:gmail.com. Using https encrypts not just the login but the entire
> session. You should see, in Firefox, the little yellow lock in the
> lower right hand corner of the screen to validate this.

I don't think that this is correct:

"A security researcher at the Defcon hacker conference in Las Vegas on
Saturday demonstrated a tool he built that allows attackers to break
into your inbox even if you are accessing your Gmail over a persistent,
encrypted session (using https:// versus http://).

When you log in to Gmail, Google's servers will place what's called a
"session cookie," or small text file, on your machine. The cookie
identifies your machine as having presented the correct user name and
password for that account, and it can allow you to stay logged in to
your account for up to two weeks if you don't manually log out (after
which the cookie expires and you are forced to present your credentials
again).

The trouble is that Gmail's cookie is set to be transmitted whether or
not you are logged in with a secure connection. Now, cookies can be
marked as "secure," meaning they can only be transmitted over your
network when you're using a persistent, encrypted (https://) session.
Any cookies that lack this designation, however, are sent over the
network with every Web page request made to the Web server of the
entity that set the cookie -- regardless of which of the
above-described methods a Gmail subscriber is using to read his mail.
As a result, even if you are logged in to Gmail using a persistent,
encrypted https:// session, all that an attacker sniffing traffic on
your network would need do to hijack your Gmail account is force your
browser to load an image or other content served from
http://mail.google.com. After that, your browser would cough up your
session cookie for Gmail, and anyone recording the traffic on the
network would now be able to access your Gmail inbox by simply loading
that cookie on their machine."

http://voices.washingtonpost.com/securityfix/2008/08/new_tool_automates_cookie_stea.html

And see:

http://fscked.org/blog/fully-automated-active-https-cookie-hijacking

The correct fix (from the WaPo article):

"Web sites can say, 'Only transmit cookies for the https:// version
of these image elements,' but Gmail, Facebook, Amazon and a whole bunch
of other sites just don't do this," Perry said.

I should note here
that this attack is hardly new. Perry said he told Google about this
problem a year ago, about the same time he posted an alert to the
Bugtraq security mailing list about it. Late last month, Google finally
announced a new setting for Gmail users labeled "Always Use https://".
While people who have selected this option are immune from this attack,
many Gmail users may errantly assume that they are just as protected if
they start the login process by typing a persistent, encrypted
connection (https://mail.google.com) into their browser. Without
checking the new "Always Use https://" setting in Gmail, users remain
vulnerable to this attack.

"Google did not explain why using this new feature was so important,"
Perry said. "This gives people who routinely log in to Gmail beginning
with an https:// session a false sense of security, because they think
they're secure but they're really not.""

And see:

http://fscked.org/blog/how-properly-provide-mixed-http-and-https-support

Celejar
-- 
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
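Added example, not part of the message above or of the linked articles: it shows the mechanism the article describes, namely that a session cookie set over https:// but without the Secure attribute is still attached to a plain http:// request for the same host, and that adding Secure stops that. It uses the standard library's browser-like cookie jar; the hostnames, cookie names and token values are constructed for the example.

```python
"""Why a session cookie set without the Secure attribute leaks over plain
http:// even after an https:// login, and how the Secure attribute fixes it.
Added example, not from the thread; the hostname, cookie name and token value
are constructed stand-ins for the real service."""
from __future__ import annotations

import http.cookiejar
import urllib.request
from email.message import Message

LOGIN_URL = "https://mail.example.test/login"   # constructed https:// login URL


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""
    def __init__(self, set_cookie: str) -> None:
        self._hdrs = Message()
        self._hdrs["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._hdrs


def cookies_sent_to(set_cookie: str, target_url: str) -> list[str]:
    """Names of the cookies a browser-like jar attaches to target_url after
    the https:// login response set them. The jar applies the same rule
    browsers do: a Secure cookie is never sent on a non-https request."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie), urllib.request.Request(LOGIN_URL))
    req = urllib.request.Request(target_url)
    jar.add_cookie_header(req)       # adds a Cookie: header if any cookie matches
    cookie_line = req.get_header("Cookie", "")
    return [c.split("=", 1)[0].strip() for c in cookie_line.split(";") if c.strip()]


def missing_attributes(set_cookie: str) -> list[str]:
    """Defender-side check of a Set-Cookie header: which protective attributes
    are absent (Secure keeps it off http://, HttpOnly keeps it from scripts)."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return [a for a in ("secure", "httponly") if a not in attrs]


if __name__ == "__main__":
    weak = "SID=constructed-session-token; Path=/"
    fixed = "SID=constructed-session-token; Path=/; Secure; HttpOnly"
    for hdr in (weak, fixed):
        print(hdr)
        print("  missing:", missing_attributes(hdr) or "nothing")
        # The article's scenario: a plain http:// fetch from the same host
        # (e.g. a forced image load). Without Secure the cookie goes in the clear.
        print("  sent over http://  :", cookies_sent_to(hdr, "http://mail.example.test/"))
        print("  sent over https:// :", cookies_sent_to(hdr, "https://mail.example.test/"))
```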

