If you enable this setting in your account, Gmail will not allow you to use a non-SSL connection. If you attempt to log into "http://mail.google.com", it redirects you to "https://mail.google.com".
Moreover, the session cookie "GX" is set with the "secure" flag. That means you won't disclose it even if you try normal HTTP. I have not yet been able to grab the cookie and hijack an SSL Gmail session. I can still hijack a lot of other Google stuff. For example, I'm posting by hijacking my own Blogger account.
Background Info
The following is the cookie specification for cookies sent by the server:
Set-Cookie: <name>=<value>[; <name>=<value>]...
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; secure][; HttpOnly]
When "HttpOnly" is set, the cookie is only carried in HTTP headers and cannot be accessed from JavaScript, which blocks some cross-site-scripting attacks. When "secure" is set, the browser only sends the cookie over HTTPS, never over plain HTTP.
Looking at the Gmail cookies, only the "GX" cookie is set with the "secure" flag; all the rest can be sent via HTTP. However, the "GX" cookie is the important one that allows me to hijack the session, so that's probably appropriate.
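To check this kind of thing for yourself, here is a small Set-Cookie parser that flags which cookies a browser would still send over plain HTTP (no "secure") and which are readable from script (no "HttpOnly"). This is an added example, not code from the original post; the sample headers and cookie names/values are constructed to mirror the flags described above, not captured from Google.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    # First segment is name=value; a value may itself contain '=' (e.g. PREF=ID=...)
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True      # only sent over HTTPS
        elif key == "httponly":
            cookie.httponly = True    # not exposed to document.cookie
        elif key:
            cookie.attrs[key] = val.strip()
    return cookie


def sent_over_plain_http(cookies: List[Cookie]) -> List[str]:
    """Cookies lacking 'secure': the browser also sends these on http:// requests."""
    return [c.name for c in cookies if not c.secure]


def script_readable(cookies: List[Cookie]) -> List[str]:
    """Cookies lacking 'HttpOnly': readable by JavaScript on the page."""
    return [c.name for c in cookies if not c.httponly]


# Constructed sample headers (made-up values), shaped like the post's description:
# GX carries 'secure', the others do not; none carry 'HttpOnly'.
SAMPLE_HEADERS = [
    "Set-Cookie: GX=example-session-token; Domain=mail.google.com; Path=/mail; Secure",
    "Set-Cookie: S=example-value; Domain=.google.com; Path=/",
    "Set-Cookie: PREF=ID=example; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/; Domain=.google.com",
]


def audit(headers: List[str]):
    cookies = [parse_set_cookie(h) for h in headers]
    return sent_over_plain_http(cookies), script_readable(cookies)
```

Running `audit(SAMPLE_HEADERS)` lists "S" and "PREF" as exposed on plain HTTP while "GX" is not, matching the observation above.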