In January of 2005 I wrote Are You Naked? and again in July of 2007 Are you *still* naked in a coffee shop?. My objective was to try to elevate the discussion about the fact that the overwhelming majority of us who use free wireless internet access in public hotspots are completely “naked,” since it’s trivial to capture your wireless packets as they fly through the air.
There are certain things I never do in a coffee shop: I never use plain File Transfer Protocol (FTP), only Secure FTP; I never access my banking or stock sites; I set my firewall; and more (for best practices, see that second post on the subject here).
Managing eight email addresses through the Google Gmail interface, I’ve always made certain that I access Gmail through Secure Sockets Layer (SSL), the encrypted security protocol used by banks, stock sites, ecommerce and any other transactional site with security (you know you’re using SSL when you see the little padlock in your browser and an “s” after “http” in your browser’s address bar). I felt pretty good about it, too, and I’ve trusted the big brains at Google to be 110% on top of security issues.
When Robert Graham demonstrated how Web 2.0 wasn’t safe at last year’s Black Hat, it was thought that at least the SSL mode (HTTPS) of Google Gmail would be spared from sidejacking. That presumption now appears to be false, according to this updated blog posting from Graham. Even with SSL enabled, Gmail sessions can still be hijacked by Graham’s Hamster and Ferret (or, less easily, with Wireshark and Mozilla’s cookie editor).
This is just great. If I, Mr. Security and Web Application Awareness, have an opening for my laptop and Gmail session to be compromised, what about everyone else?
My daughter logs on to any wifi hotspot with her iPhone or Macbook and sees zero harm — though I’m trying to educate her on how to be safe (which feels to me like having a safe sex discussion, and we know how effective THAT has been globally…but I digress). This means, for example, a “packet thief” could sit in a coffee shop, log in to the free wifi and set up a rogue hotspot (it’s simple to set up your own laptop to pretend it’s a wifi access point and lure in the unsuspecting), then fire up the tools on their laptop and capture my daughter’s packets as they pass through the packet thief’s own laptop. Voila! The packet thief now has her username and password — or, in the case of Gmail’s cookie security hole, the cookies with temporary credentials in them.
With a temporary cookie session initiated, the packet thief can now change her password and have complete control over her email (and, God forbid, her banking, stock trading, or any ecommerce transactions executed while accidentally logged on to a thief’s laptop).
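The defence against exactly this leak is the cookie’s Secure attribute, which stops a browser from ever attaching the session cookie to a plain-HTTP request, so that an HTTPS login is not undone by the next cleartext page load. As an added example (not code from the original post, and the Set-Cookie values are constructed for a hypothetical webmail host rather than Gmail’s real cookies), this Python script models the browser’s send decision and audits headers for session cookies missing Secure or HttpOnly:

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample Set-Cookie values for a hypothetical webmail host
# (assumption: not Gmail's real cookie names or attributes).
WEAK = [
    "SID=s3ss10n; Domain=mail.example.com; Path=/",
    "PREF=lang-en; Domain=.example.com; Path=/",
]
HARDENED = [
    "SID=s3ss10n; Domain=mail.example.com; Path=/; Secure; HttpOnly",
    "PREF=lang-en; Domain=.example.com; Path=/",
]

def parse_set_cookie(header):
    """Return (name, morsel) for a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return name, morsel

def domain_matches(host, cookie_domain):
    """RFC 6265 domain match; a leading dot on the cookie domain is ignored."""
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)

def path_matches(req_path, cookie_path):
    """RFC 6265 path match on '/' boundaries."""
    cp = cookie_path or "/"
    if req_path == cp:
        return True
    return req_path.startswith(cp) and (cp.endswith("/") or req_path[len(cp)] == "/")

def cookies_sent_to(headers, url):
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    sent = []
    for header in headers:
        name, m = parse_set_cookie(header)
        if m["secure"] and parts.scheme != "https":
            continue  # Secure cookies never ride on a cleartext connection
        if domain_matches(host, m["domain"] or host) and path_matches(path, m["path"]):
            sent.append(name)
    return sent

def audit(headers, session_names):
    """Map each session cookie to the protective attributes it is missing."""
    findings = {}
    for header in headers:
        name, m = parse_set_cookie(header)
        missing = [flag for flag in ("secure", "httponly") if not m[flag]]
        if name in session_names and missing:
            findings[name] = missing
    return findings
```

With the weak headers, `cookies_sent_to(WEAK, "http://mail.example.com/inbox")` includes the SID session cookie, which is the replayable credential the sidejacking tools collect; with the hardened headers it is only sent over https.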
Fix this Google…now.