
Archive: January 2008 ml@sikurezza.org
Subject: [ml] Even SSL Gmail can get sidejacked
From: Luca Manganelli
Date: Thu, 31 Jan 2008 14:46:44 +0100 (CET)
http://blogs.zdnet.com/security/?p=842

"Even with SSL enabled, Gmail sessions can still be hijacked by Graham's Hamster and Ferret (or less easily with Wireshark and Mozilla's cookie editor)."

[...]

"Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail's JavaScript code will fall back to non-encrypted http mode if https isn't available. This is actually a very common scenario anytime a laptop connects to a hotspot before the user signs in where the laptop will attempt to connect to Gmail if the application is opened but it won't be able to connect to anything. At that point in time Gmail's JavaScripts will attempt to communicate via unencrypted http mode and it's game over if someone is capturing the data."

What a nice "hole"!
www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005