So I was sitting at work this past week wondering if anyone could sniff my gmail sessions. Since I use gmail and talk (google's implementation of Jabber) on a daily basis, I wanted to be sure that no one was monitoring my personal emails or conversations. To this end I did some investigating with tcpdump on my Mac. (tcpdump is free, open-source software available at tcpdump.org that prints out all of the packet information to and from your computer.)
So I clicked on my bookmarked gmail link and was transported to my inbox, and noticed some very troubling things. There is no encryption at all. Everything is plain text inside of very easily identifiable packets. Subject, To, From, Message body, you name it, all plain text in the packets. Clearly this is troubling from a security standpoint, as I send all my online receipts to my gmail address as well. I also noted that talk was not encrypted.
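To make the capture check above repeatable, here is an added example (not code from the original post) that reads the text `tcpdump -n -A` prints, groups packets into flows, and reports which flows to port 80 carry mail headers in the clear versus which go to port 443 and show only TLS record bytes. The capture embedded in the script is constructed for the example, not a real recording; the header-line regex assumes `-n` (numeric ports) and IPv4 output.

```python
"""Scan `tcpdump -n -A` output for plaintext webmail traffic.

Added example, not from the original post. tcpdump -A prints a header line
per packet followed by the payload as printable ASCII (CRLF collapses to a
newline, other bytes become '.'), so a flow to port 80 can be inspected for
mail headers while a port-443 flow shows only unreadable TLS record bytes.
"""
import re
import sys
from collections import defaultdict

# Header line as printed by `tcpdump -n` for IPv4 TCP (assumption: -n, IPv4), e.g.
# 12:00:01.000001 IP 10.0.0.5.51234 > 64.233.161.83.80: Flags [P.], seq 1:120, ...
HEADER_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags"
)
# Mail header fields that should never be visible on the wire.
SENSITIVE_RE = re.compile(r"^(Subject|To|From|Cc):\s*(.*)$", re.IGNORECASE | re.MULTILINE)
# Either side of a plaintext HTTP exchange.
HTTP_RE = re.compile(r"^(GET|POST) \S+ HTTP/1\.[01]$|^HTTP/1\.[01] \d{3}", re.MULTILINE)
SERVER_PORTS = {80, 443}

# Constructed sample capture (not a real recording): one plaintext inbox fetch
# and one TLS packet, both to the same server address.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 64.233.161.83.80: Flags [P.], seq 1:120, ack 1, win 65535, length 119
GET /mail/?ui=1&view=cv HTTP/1.1
Host: mail.google.com
Cookie: SID=constructed-sample-value

12:00:01.050000 IP 64.233.161.83.80 > 10.0.0.5.51234: Flags [P.], seq 1:200, ack 120, win 65535, length 199
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

Subject: Your online receipt
From: orders@example.com
To: me@gmail.com

12:00:02.000000 IP 10.0.0.5.51300 > 64.233.161.83.443: Flags [P.], seq 1:90, ack 1, win 65535, length 89
....E..I..........xyz.....1..Q..
"""


def normalize_flow(src, sport, dst, dport):
    """Orient a packet as (client, client_port, server, server_port) so both
    directions of one TCP connection land in the same bucket."""
    if sport in SERVER_PORTS:
        return (dst, dport, src, sport)
    return (src, sport, dst, dport)


def parse_tcpdump_ascii(text):
    """Yield (flow, payload) pairs from tcpdump -A text. The payload is every
    line that followed the header line, joined with newlines."""
    packets = []
    flow, body = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if flow is not None:
                packets.append((flow, "\n".join(body)))
            flow = normalize_flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            body = []
        elif flow is not None:
            body.append(line)
    if flow is not None:
        packets.append((flow, "\n".join(body)))
    return packets


def audit(text):
    """Return one finding per flow: status 'tls' for port 443, 'plaintext-http'
    for port 80 with no mail fields, 'plaintext-mail' when Subject/To/From/Cc
    appear in the clear (with the recovered field values)."""
    by_flow = defaultdict(str)
    for flow, payload in parse_tcpdump_ascii(text):
        by_flow[flow] += payload + "\n"

    findings = []
    for (client, cport, server, sport), payload in by_flow.items():
        if sport == 443:
            findings.append({"server": server, "port": sport, "status": "tls", "fields": []})
        elif sport == 80 and HTTP_RE.search(payload):
            fields = [(k, v.strip()) for k, v in SENSITIVE_RE.findall(payload)]
            status = "plaintext-mail" if fields else "plaintext-http"
            findings.append({"server": server, "port": sport, "status": status, "fields": fields})
    return findings


if __name__ == "__main__":
    # Pipe a live capture in, or run with no input to use the sample:
    #   tcpdump -n -A -i en0 'tcp port 80 or tcp port 443' | python3 audit_capture.py
    text = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    for f in audit(text):
        print(f"{f['server']}:{f['port']} {f['status']}", *(f"{k}: {v}" for k, v in f["fields"]), sep="\n  ")
```

On the constructed sample the port-80 flow is reported as plaintext-mail with the Subject, From and To values recovered, and the port-443 flow as tls, which is exactly the before/after difference the post describes.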
After doing some searching on the web, I found a bunch of Greasemonkey scripts that would automatically encrypt the emails using various encryption algorithms. But this was limited and required third-party software, something I wasn't thrilled about.
After logging out and logging back into gmail, I noticed that the credentials are sent to an https://mail.google.com/..... connection to be verified, but the response then redirects to http://mail.google.com/mail for the inbox. After some thinking, I realized that it wasn't forcing the page back to http://mail.google.com; it was simply using the browser's start address as the target of the redirect.

In theory, if one starts at https://mail.google.com then the HTTP-over-SSL session will stay in place, and thus all the information is encrypted. Sure enough, this is the case: 100% encrypted, unidentifiable information, all by changing the start login page of gmail from http://mail.google.com to https://mail.google.com. The flip side of the same behaviour is that any bookmark or link that starts at the http address drops the session back into the clear.

Update your bookmarks and read your email securely!