Vulnerabilidad en cuentas de Gmail, 1a parte
Bueno, antes de dormirme … vi en un blog un titulo que me llamo la atención… “Your Gmail Account Might Be Hacked Soon”… lo cual redunda a que con un sniffeo y por una vulnerabilidad al usar gmail se podrian hacer de nuestros datos de sesión. Copy-paste de la noticia y anexo un link muy bueno donde lo detallan a fondo:
A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas. This tool will be released to the public in two weeks.
Even though when you log in, Gmail forces the authentication over SSL (Secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.
The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks. (Source)
Go to your Gmail Settings, General Tab, scroll down and click Always use https under Browser Settings, then click Save Settings.
Another good tool is Customize Google extension for Firefox. It has many useful options, including force https.
Why You Should turn Gmail SSL Feature ON > http://www.webmonkey.com/blog/Why_You_Should_Turn_Gmail_s_SSL_Feature_On_Now
Vulnerabilidad en cuentas de Gmail, 2da parte (Surf Jack): https://richieblog.wordpress.com/2008/08/22/vulnerabilidad-en-cuentas-de-gmail-2da-parte-surf-jack/