Changes made by Google enable complete SSL encryption

Google recently enabled a feature that allows all traffic (including session cookies) to be transmitted securely. Mike Perry, a reverse engineer and developer at Riverbed Technology, pointed out quite a while ago that many sites encrypt their login page but then transmit the session cookies in clear text. This allows an attacker to easily take control of an account. Elinor Mills from Cnet News pointed out:

Session cookies--which identify the machine as having used the correct username and password--have two modes: "secure" or "insecure." The vulnerability disclosed by Perry targets sites that attempt to use SSL, but do not flag their cookies as "secure." This flaw allows the cookies to be obtained by an attacker with access to the local network and used to pose as the Web surfer and access that person's e-mail accounts, bank accounts and other services, even if those users try to use https, Perry says.

Nothing was done to fix the SSL problems until a month ago when Google announced that people can set Gmail to automatically encrypt communications between a browser and Gmail servers by default, instead of having to type in https://mail.google.com, Perry says.

However, accessing the site via https://mail.google.com does not automatically preserve the "secure" session and the cookies can still be stolen, Perry says.

Mike Perry planned on releasing an automated tool to sniff Google and other accounts' session cookies but decided to delay the release after talking with Google. Google has now added an "Always encrypt" option inside Gmail accounts and plans to do the same for its other services:

Google says it is rolling out the option not just for consumer Gmail users, but also for Google Apps enterprise users and has launched it for the premier edition of Google Apps so that communications with Google Docs, Calendar, and other included Google sites are encrypted.

It is also very possible that Google will make it so that the "always encrypt" mode is automatically enabled when people first log in via "https://gmail.google.com" instead of having to go into settings and enable it manually, Perry says.

"Just about everyone but Google simply does not want to spend the money to invest in the security of their users, and will continue to ignore this issue, just as they have for the past year," Perry wrote in an e-mail.

The vulnerability affects people using unsecured wireless networks and would require the attacker to be using the same network at the same time. However, it could affect people on other types of networks if it were to be combined with other attacks, such as ones taking advantage of a recently discovered domain name system hijacking exploit that any Web surfer could be exposed to, or more elaborate attacks involving modified DSL or cable modems, which were also discussed at Defcon, Perry says.

Perry goes into more details about the problems and his plans on his blog.
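The cookie behaviour Perry describes can be reproduced with Python's standard library: a cookie set without the "secure" flag is attached to plain http:// requests, where anyone on the same network can read it, while a cookie carrying the flag is only sent over https. This is an added example, not code from the post, Perry or Google; the host name, cookie names and values are constructed for illustration.

```python
"""Show why a session cookie without the Secure attribute leaks over plain HTTP."""
import email.message
import http.cookiejar
import urllib.request

# Constructed Set-Cookie headers as an HTTPS login response might send them.
# SID lacks the Secure attribute (the flaw Perry describes); SSID carries it.
LOGIN_SET_COOKIE_HEADERS = [
    "SID=abc123; Path=/; HttpOnly",
    "SSID=def456; Path=/; Secure; HttpOnly",
]
HTTPS_LOGIN_URL = "https://mail.example.com/login"  # constructed host


class _StubResponse:
    """Minimal stand-in for an HTTP response, enough for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message keeps duplicate headers

    def info(self):
        return self._headers


def jar_after_login(set_cookie_headers=LOGIN_SET_COOKIE_HEADERS):
    """Store the cookies exactly as a browser would after the HTTPS login response."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(HTTPS_LOGIN_URL)
    jar.extract_cookies(_StubResponse(set_cookie_headers), login_request)
    return jar


def cookies_sent_to(url, jar=None):
    """Return the sorted cookie names a browser-like client attaches to a request for url."""
    if jar is None:
        jar = jar_after_login()
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # the cookie policy withholds Secure cookies on non-https
    header = request.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";") if part.strip())


def cookies_missing_secure(set_cookie_headers=LOGIN_SET_COOKIE_HEADERS):
    """Audit helper: names of cookies a site sets without the Secure attribute."""
    return sorted(c.name for c in jar_after_login(set_cookie_headers) if not c.secure)


if __name__ == "__main__":
    print("sent over https:", cookies_sent_to("https://mail.example.com/inbox"))
    print("sent over http: ", cookies_sent_to("http://mail.example.com/inbox"))
    print("missing Secure: ", cookies_missing_secure())
```

Any cookie that `cookies_missing_secure` reports is one that a plain-http request to the same host will carry in the clear, which is what an "always encrypt" setting on the server side is meant to prevent.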

Google making SSL changes, other sites quiet - [Cnet News]

Originally posted on Sun Aug 24, 2008