
gmail identification constant?

  • 08-10-2009 11:52am #1
    wolfric (Registered Users, Posts: 1,190)


    I'm identified on a different (secure) wifi. I've switched to a non secure wifi. Does gmail keep sending my details over? If they do are they encrypted?


Comments

  • liamo (Registered Users, Posts: 1,193)


    Your question doesn't really make sense. :confused:

    However, there is an option in Gmail's settings to "Always use https". Perhaps that will satisfy your requirements.


  • wolfric (Registered Users, Posts: 1,190)


    I connect to wifi 1 (secured), I log in to gmail.
    I disconnect from wifi 1, gmail is still open.
    I connect to wifi 2 (unsecured) with gmail still open, I go into an email.
    Does gmail reattempt to log in using my details? (after all, I have another IP)

    While https still helps, it's still exploitable.


  • Martyr (Closed Accounts, Posts: 1,567)


    wolfric wrote: »
    Does gmail reattempt to log in using my details? (after all, I have another IP)

    Guessing it would re-authenticate or prompt you for credentials.

    I would also guess, if you investigated the HTTP response headers being sent from gmail servers, it would be something like:
    Cache-Control: private

    or
    Cache-Control: private, must-revalidate, post-check=0, pre-check=0

    which would prevent anyone on the same IP address, going through a proxy, from reading your emails.

    Open to correction there, not really sure.

    See section 14.9 here


  • cpu-dude (Closed Accounts, Posts: 1,089)


    wolfric wrote: »
    I connect to wifi 1 (secured), I log in to gmail.
    I disconnect from wifi 1, gmail is still open.
    I connect to wifi 2 (unsecured) with gmail still open, I go into an email.
    Does gmail reattempt to log in using my details? (after all, I have another IP)

    While https still helps, it's still exploitable.

    It will stay connected if the cookies haven't been cleared or if you haven't signed out; the IP address doesn't change the fact that you're still online.


  • BrokenArrows (Registered Users, Posts: 7,501)


    Gmail is HTTP based.
    There is no constant connection after you connect the first time and enter your user details. Your browser is what maintains the login session, not the actual website.

    This is very basically how it works:
    Log in to the website on a secure connection; the session is stored in the browser.
    The website is downloaded and there is no further communication until you click something or until the page refreshes, like gmail does to check for new mail.

    You change to an unsecure connection.
    You click something; it downloads again with the same session stored in your browser and downloads the page.

    Gmail doesn't care what connection you use. It responds on the connection the request was sent from.

    Ya, I'm not that great at explaining things.


  • probe (Closed Accounts, Posts: 2,055)


    Log into gmail always using https://www.gmail.com and your entire session will be secured.

    If you use http://www.gmail.com your login will be over a secure connection, but after that you get dumped into an insecure connection for the rest of your session.

    There is no such thing in reality as "secure wifi" in my books. Not WEP or WPA anyway. Perhaps over a VPN.


  • mehmeh12 (Closed Accounts, Posts: 921)


    wolfric wrote: »
    I'm identified on a different (secure) wifi. I've switched to a non secure wifi. Does gmail keep sending my details over? If they do are they encrypted?

    Why on earth would you change from secure wifi to non secure wifi?


  • probe (Closed Accounts, Posts: 2,055)


    mehmeh12 wrote: »
    Why on earth would you change from secure wifi to non secure wifi?

    One might assume that he moves from a "secure" wifi system at home or elsewhere to one or more public wifi hotspots. If his browser is not set to delete cookies when it is closed, the google cookies might cause him to re-log on automatically every time he opens his browser and goes to gmail. (I haven't tried it, hence am using "might". Generally these large "free" email providers put user convenience over security.)

    In which case he is using a cookie (which is really a bit of text - eg "ID=ac154f1fee049118:T=1255184811:S=ALNI_MZxME1RbKXpzGEhmR-fwLooyRFIxA") in place of his user login. A gmail cookie is a google.com cookie. So even if he uses an https:// connection for his gmail, he will be dumped into an insecure connection for regular google searches.

    If he doesn't log out of gmail (and clear cookies) before doing a google search in a public wifi hotspot for example, and someone was sniffing his traffic and managed to pick up his google.com cookies in the clear, they may be able to use the stolen cookies to get into his gmail account. An email provider needs to be forcing an https:// login every time the client IP number changes, so that they can set a secure connections only cookie in the client browser.

    Given the additional risks set out in http://www.boards.ie/vbulletin/showthread.php?t=2055706540 the entire email session needs to be over an https:// connection as well.

    For years, yahoo mail sent passwords in the clear, unless the user specifically requested a secure connection. At least they have woken up to that issue, finally. But they still dump clients into insecure connections for the rest of their session on yahoo.com - and many other sites requiring logins which potentially store personal information.

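The cookie leak probe describes above, as an added example that is not code from this thread or from Google: a simplified browser cookie jar following the RFC 6265 rules for Domain, Path and the Secure attribute, showing that a google.com session cookie set without "Secure" is attached to the next plain-http search request, while the same cookie set with "Secure; HttpOnly" is not. The cookie name and value are constructed placeholders.

```python
"""Model of how a browser decides which stored cookies to attach to a request.

Added example: implements a small subset of RFC 6265 (Domain, Path, Secure)
to show why a session cookie issued without the Secure attribute leaks on
the first http:// request to the same domain, and why a Secure cookie does not.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header, set_from_host):
    """Parse one Set-Cookie header into a dict of the attributes we model."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": set_from_host.lower(),
              "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()  # ".google.com" -> "google.com"
        elif key == "path":
            cookie["path"] = val.strip() or "/"
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: exact host or a subdomain of the cookie domain."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_for_request(jar, url):
    """Return the names of cookies a browser would send for this URL."""
    u = urlsplit(url)
    sent = []
    for c in jar:
        if not domain_matches(u.hostname, c["domain"]):
            continue
        if not (u.path or "/").startswith(c["path"]):
            continue
        if c["secure"] and u.scheme != "https":
            continue  # Secure cookies are only ever sent over TLS
        sent.append(c["name"])
    return sent


# Constructed sample headers; the token is a placeholder, not a real Google cookie.
WEAK = "SID=placeholder-session-token; Domain=.google.com; Path=/"
FIXED = "SID=placeholder-session-token; Domain=.google.com; Path=/; Secure; HttpOnly"


def leaks_over_http(set_cookie_header):
    """True if a cookie set by mail.google.com rides along on a plain-http search."""
    jar = [parse_set_cookie(set_cookie_header, "mail.google.com")]
    return "SID" in cookies_for_request(jar, "http://www.google.com/search?q=test")
```

With WEAK the cookie is sent in the clear on the http search and can be sniffed on an open hotspot; with FIXED it is withheld until the browser is back on https.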

  • mehmeh12 (Closed Accounts, Posts: 921)


    probe wrote: »
    One might assume that he moves from a "secure" wifi system at home or elsewhere to one or more public wifi hotspots. If his browser is not set to delete cookies when it is closed, the google cookies might cause him to re-log on automatically every time he opens his browser and goes to gmail. (I haven't tried it, hence am using "might". Generally these large "free" email providers put user convenience over security.)

    In which case he is using a cookie (which is really a bit of text - eg "ID=ac154f1fee049118:T=1255184811:S=ALNI_MZxME1RbKXpzGEhmR-fwLooyRFIxA") in place of his user login. A gmail cookie is a google.com cookie. So even if he uses an https:// connection for his gmail, he will be dumped into an insecure connection for regular google searches.

    If he doesn't log out of gmail (and clear cookies) before doing a google search in a public wifi hotspot for example, and someone was sniffing his traffic and managed to pick up his google.com cookies in the clear, they may be able to use the stolen cookies to get into his gmail account. An email provider needs to be forcing an https:// login every time the client IP number changes, so that they can set a secure connections only cookie in the client browser.

    Given the additional risks set out in http://www.boards.ie/vbulletin/showthread.php?t=2055706540 the entire email session needs to be over an https:// connection as well.

    For years, yahoo mail sent passwords in the clear, unless the user specifically requested a secure connection. At least they have woken up to that issue, finally. But they still dump clients into insecure connections for the rest of their session on yahoo.com - and many other sites requiring logins which potentially store personal information.

    Ok so have gmail always use https, log out every time when finished using gmail and delete cookies. Will this solve the OP's problem?


  • probe (Closed Accounts, Posts: 2,055)


    mehmeh12 wrote: »
    Ok so have gmail always use https, log out every time when finished using gmail and delete cookies. Will this solve the OP's problem?

    No! Setting gmail to use https is not enough. You must use https://www.gmail.com every time to start your session as well.

    Google doesn't know who you are until you log-in (to apply your gmail settings). By the time you log in, it is too late, because a hacker could have stolen your google cookies which were sent in the clear, and use them to pose as you to google.

    If you have been careful to clear your cookies *every time*, you won't have any cookies to send to google in the clear. But anyone using Moxie Marlinspike's trick of intercepting the traffic between the google server and your machine will know how to give you a fake secure connection over wifi so they can see you sending your user id and password in the clear.

    You really have to set up the https:// connection between your PC and google's server before any cookies or login data is sent.

    Click on the .mp3 link in http://www.boards.ie/vbulletin/showthread.php?t=2055706540 to hear the full story

    Moxie's website: www.thoughtcrime.org

    PS: If you use Firefox you can bookmark the correct gmail link and drag it into your bookmarks toolbar, so you will have an icon to click on at the top of your browser to jump to the correct gmail URL every time.

    (View > toolbars > check bookmarks toolbar and go to https://www.gmail.com and drag the icon down to the next line below in your browser)


  • mehmeh12 (Closed Accounts, Posts: 921)


    probe wrote: »
    No! Setting gmail to use https is not enough. You must use https://www.gmail.com every time to start your session as well.

    Google doesn't know who you are until you log-in (to apply your gmail settings). By the time you log in, it is too late, because a hacker could have stolen your google cookies which were sent in the clear, and use them to pose as you to google.

    If you have been careful to clear your cookies *every time*, you won't have any cookies to send to google in the clear. But anyone using Moxie Marlinspike's trick of intercepting the traffic between the google server and your machine will know how to give you a fake secure connection over wifi so they can see you sending your user id and password in the clear.

    You really have to set up the https:// connection between your PC and google's server before any cookies or login data is sent.

    Click on the .mp3 link in http://www.boards.ie/vbulletin/showthread.php?t=2055706540 to hear the full story

    Moxie's website: www.thoughtcrime.org

    PS: If you use Firefox you can bookmark the correct gmail link and drag it into your bookmarks toolbar, so you will have an icon to click on at the top of your browser to jump to the correct gmail URL every time.

    (View > toolbars > check bookmarks toolbar and go to https://www.gmail.com and drag the icon down to the next line below in your browser)

    God, I'm sorry I asked :D So the only way to bypass this hack is to always log on from a safe bookmark and to delete all cookies... How can SSL be not secure? I thought the whole point of end-to-end encryption was the safe transport of data from a computer to a website... If this is the case, how do I know that when I bank online my details are not being read by a hacker?


  • probe (Closed Accounts, Posts: 2,055)


    mehmeh12 wrote: »
    God, I'm sorry I asked :D So the only way to bypass this hack is to always log on from a safe bookmark and to delete all cookies... How can SSL be not secure? I thought the whole point of end-to-end encryption was the safe transport of data from a computer to a website... If this is the case, how do I know that when I bank online my details are not being read by a hacker?

    You don't! The best you can do is

    1) go to https://www.yourbank.com. Check that you have not been forwarded to an insecure connection by your bank, as they try and save on https traffic hitting their server, (living in the 60s when computing power was expensive). If they have dumped you, complain to the bank and post details here.

    2) check the security certificate (eg click on the icon to the left of the URL in your browser if using Firefox - which is the only secure windows browser at the moment - IE and Safari have unpatched vulnerabilities). Safari is OK in Mac. Check who you are connected to, and who has signed the certificate. Ideally the public key should be 2,048 bits for a banking transaction - 1,024 bit public keys are almost certainly hackable with a bot net in 2009. The Firefox cert display tells you how many times you have visited the site before. If you are a regular online banking user, and suddenly it says you have only visited a bank site once, there is something wrong with the cert and/or the connection has been compromised.

    3) Only use a bank that provides you with multi-factor authentication - ie a one time code to use every time you use the service - in addition to your user id and password. Even that now has a weakness which needs to be addressed in many systems. Basically the one time code needs to be related to either the payee's bank account number or the total transaction amount to prevent malware from stealing your one time code and using it to do a fraudulent transaction in the blink of an eye. Or some other compensating control implemented. See http://www.boards.ie/vbulletin/showthread.php?t=2055699811

    Or use a bank that only allows you to make payments to accounts appearing on your approved payees list. Approved payees should preferably be set up by writing to the bank with a signed paper document, not by an online process. Or get your electronic banking configured for information purposes and transfers between YOUR accounts only.

