Thursday, August 02, 2007

Public wifi insecure - even for secure sites?

The Register reports from the Black Hat conference that even when you log in to an SSL-encrypted site over public wifi, if the site does not enforce SSL on every page, enough information can be intercepted to give access to Gmail and other personal web accounts:
The hack caught our attention because it shatters a common assumption concerning secure surfing on public access points. Up until now, we felt relatively safe using hotspots to access email as long as we logged in with an SSL session. Yes, we knew that any subsequent pages that were not appended by "https" in the address bar were susceptible to snooping, but intruders still had no way to access the account itself.

Now we know better. Any session that isn't protected from start to finish by SSL is vulnerable to the hack. And because session IDs generated by most sites are valid for an indefinite period, that means intruders could silently access our accounts for years - even if we regularly change our passwords.
The Register suggests the Firefox extension CustomiseGoogle which, among other things, can require that all Gmail traffic, rather than only some of it, be encrypted, eliminating the information currently sent "in the clear".
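
An added example, not from this post or from The Register's article: a small Python check of `Set-Cookie` headers for the two weaknesses described above, a session ID that the browser will also send over unencrypted pages (no `Secure` attribute) and one that stays valid for a very long time. The cookie names and values and the 12-hour limit are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(hours=12)  # assumed policy limit, not from the article

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, lowercased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def audit_cookie(header, now):
    """Return (cookie name, findings) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser attaches the cookie to http:// requests,
        # where anyone on the same wifi network can read it.
        findings.append("missing Secure")
    lifetime = None
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    if lifetime is not None and lifetime > MAX_LIFETIME:
        findings.append("long-lived")
    return name, findings

# Constructed sample headers (hypothetical cookie names and values).
SAMPLE_HEADERS = [
    "SESSION_A=4f1c9e; Path=/; Expires=Fri, 01 Jan 2038 00:00:00 GMT",
    "SESSION_B=91ab3d; Path=/; Secure; HttpOnly; Max-Age=3600",
    "SESSION_C=77de02; Path=/; Secure; Max-Age=315360000",
]
NOW = datetime(2007, 8, 2, tzinfo=timezone.utc)  # fixed clock for repeatable results

def audit_all(headers=SAMPLE_HEADERS, now=NOW):
    """Audit every header and return {cookie name: findings}."""
    return dict(audit_cookie(h, now) for h in headers)

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", ", ".join(findings) or "ok")
```

The cookie lifetime only bounds how long the browser keeps the ID; whether the server still accepts an old ID, for example after a password change, has to be checked on the server side.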