Greasemonkey script blocks Gmail cookie-theft attacks

Summary: By now, you've probably read about Robert Graham's Black Hat presentation (.pdf) on hijacking Gmail accounts by wirelessly sniffing non-SSL session cookies.

By now, you've probably read about Robert Graham's Black Hat presentation (.pdf) on hijacking Gmail accounts by wirelessly sniffing non-SSL session cookies.

The attack technique, called SideJacking, uses two homegrown tools -- Ferret and Hamster -- to sniff cookies from connections to unsecured Wi-Fi networks.

Careless Google account users are vulnerable because Gmail, Google Calendar, YouTube and Blogspot all default to "http:" instead of "https:" (which is available) at login.

It's a safe bet that Google will tweak this default but, in the meantime, there's a new Greasemonkey script that offers another layer of protection to Firefox users.

Created by Mark Pilgrim, GMailSecure forces Gmail to use a secure connection for all logins by redirecting http://gmail.google.com/ to https://gmail.google.com/.
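The redirect described above is simple enough to show in full. The user script below is an added illustration written for this page, not Pilgrim's GMailSecure code: it rewrites a plain-http Gmail URL to its https equivalent and sends the browser there before the page's own scripts run. The host list is constructed for the example (gmail.google.com is the host named in the article; mail.google.com is assumed as the other common entry point), and the `secureGmailUrl` helper is a name chosen here so the rewrite logic can be checked outside a browser.

```javascript
// ==UserScript==
// @name        Force HTTPS for Gmail (illustrative example, not GMailSecure)
// @namespace   example.invalid
// @include     http://gmail.google.com/*
// @include     http://mail.google.com/*
// @run-at      document-start
// ==/UserScript==

// Hosts whose plain-http URLs should be rewritten to https.
// Constructed list for this example: gmail.google.com is the host the
// article names; mail.google.com is assumed as the other Gmail entry point.
const GMAIL_HOSTS = ['gmail.google.com', 'mail.google.com'];

// Return the https equivalent of a plain-http Gmail URL, or null when no
// redirect is needed (already https, another scheme, or not a Gmail host).
function secureGmailUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not a parseable absolute URL; leave it alone
  }
  if (parsed.protocol !== 'http:') return null;
  if (!GMAIL_HOSTS.includes(parsed.hostname)) return null;
  parsed.protocol = 'https:'; // path, query and fragment are preserved
  return parsed.toString();
}

// Under Greasemonkey, replace the current page with its https equivalent.
// replace() rather than assignment keeps the http URL out of the history,
// so "Back" does not land on the plaintext page again. The guard lets the
// same file load outside a browser for testing.
if (typeof window !== 'undefined' && window.location) {
  const target = secureGmailUrl(window.location.href);
  if (target) window.location.replace(target);
}
```

Two limits worth knowing before relying on this: the script only runs once a plain-http page has already started loading, so the first request still goes out in the clear, and it cannot change how the server sets its cookies (only Google can mark the session cookie Secure so that a browser never sends it over http). It stops a Firefox user from starting a plaintext Gmail session from a stale bookmark, which is the case the article is about, and nothing more.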

Here's Pilgrim's explanation of how GMailSecure works in the background to protect against things like SideJacking.

Topics: Security, Collaboration, Google

Talkback

3 comments
  • Title is a bit misleading and it's kind of a silly homage to Firefox.

    Greasemonkey sounds like a really complex way to bookmark https://mail.google.com. To say that it "blocks Gmail cookie-theft" kind of undermines the larger issue that this is a problem across the board. It's a silly homage to Firefox which doesn't even implement Protected Mode.
    georgeou
    • It's perfect

      Not the solution but it's actually perfect for those of us who use Gmail, Firefox and Greasemonkey.

      _r
      Ryan Naraine
  • CustomizeGoogle Firefox Addin Does the Same Thing

    The CustomizeGoogle Firefox Addin can do the same thing for Gmail, Calendar, Docs, Reader and Google Web History - plus a lot of other stuff :>)
    pfries@...