Buy from the highest-rated provider   Buy DigiCert Certificate x

SSL doesn't protect Google Mail

An abnormality in the way that Gmail handles log-ins means that, even when using SSL, your account could be vulnerable. Normally, websites will encrypt your password so that it can't be sniffed but then send you a session id which can be used to identify a browser that has logged in. If a hacker is able use a man-in-the-middle attack to sniff your session id, they will have access to your Gmail account, just as if they had logged in.

Doesn't Gmail offer a way to login with SSL to this session id is encrypted too? Yes. But there are some cases where, if an SSL connection, isn't available, it will try to send the session id unencrypted.

SSL is not always complete. A good example is Gmail. In theory, using the HTTPS version of Gmail should protect you by going to, but this doesn't work as you think. The JavaScript code uses an XMLHttpRequest object to make HTTP requests in the background. These are also SSL encrypted by default - but they become unencrypted if SSL fails.

When you open your laptop and connect to a WiFi hotspot, it usually presents you with a login page, or a page that forces you to accept their terms and conditions. During this time, SSL will be blocked. Gmail will therefore backoff and attempt non-SSL connections. These also fail - but not before disclosing the cookie information that allow hackers to sidejack your account.

More Sidejacking - [Errata Security]

Originally posted on Sun Feb 3, 2008