Flash: Public Wi-Fi even more insecure than previously thought
How to gain permanent access to Gmail accounts
Black Hat Users of Yahoo! Mail, MySpace and just about every Web 2.0 service take note: If you access those services using public Wi-Fi, Rob Graham can probably gain unlimited access to your account - even if you logged in using the secure sockets layer protocol.
Graham, who is CEO at Errata Security, demonstrated the hack to attendees of the Black Hat security conference in Las Vegas. The technique uses a plain-vanilla network sniffer to read the cookies returned by Google Mail, Hotmail and scores of other sites after a user has entered login credentials.
The websites rely on the cookie as a session ID to validate the browser as belonging to the person who just logged in. By copying the cookie and attaching it to a completely different browser Errata Security researchers showed it was easy to gain unfettered access to the accounts of others.
Rob Graham displays the Gmail account of an unsuspecting Black Hat attendee
"If I sniff your Gmail connection and get all your cookies and attach them to my Gmail, I now become you, I clone you," Graham said during a presentation on Thursday. "Web 2.0 is now fundamentally broken."
The technique allowed Graham to open the Gmail account of an unsuspecting Black Hat attendee who had used the conference access point to get his email. Although the Errata Security chief closed the window several seconds after accessing it, nothing short of good manners prevented him from reading the person's messages, or, for that matter, accessing maps, calendar or other Google properties used by that person.
The hack caught our attention because it shatters a common assumption concerning secure surfing on public access points. Up until now, we felt relatively safe using hotspots to access email as long as we logged in with an SSL session. Yes, we knew that any subsequent pages that were not appended by "https" in the address bar were were susceptible to snooping, but intruders still had no way to access the account itself.
Now we know better. Any session that isn't protected from start to finish by SSL is vulnerable to the hack. And because session IDs generated by most sites are valid for an indefinite period, that means intruders could silently access our accounts for years - even if we regularly change our passwords.
The only way Graham said he knew to work around the vulnerability is to use Google and select options that automatically keep Gmail, Google Calendar and several other properties encrypted throughout the entire session. (Check our Defcon Survival Guide for more on this.) If you use most other services, you're out of luck, as they all switch to an unencrypted browsing mode after login. ®
For the last year I've been sending everything through an SSH tunnel with a http proxy on the other end when using public WiFi. Ensures end-to-end encryption. While I know there's probably *some* way to compromise even this, it's much more secure than just relying on SSL.
If you have any access to an SSH server connected to a proxy, I strongly recommend this method.
Multiple IP addresses and sessions
It should be noted that the majority of websites DO actually check that the IP address the cookie is being used from is the same that the login came from.
Although lots of companies use banks of proxy servers there is usually some session affinity to ensure that once you access a certain website your requests always come from the same proxy/cache. I have personal experience at one of my clients sites where they tried to load balance the internet connectivity across multiple DSL connections and requests would come from different IP's all the time, this broke pretty much all websites that required logins until the session affinity feature was switched on.
Although this attack is a vulnerability I think it's very insignificant in that it would be very time consuming to do, with little to no interesting/significant win for the hacker 99% of the time.
This was brought up at least two years ago as possible and a reason not to use gmail in that fashion anyway I don't like gmail (nothing to do with security I just don't like the interface) but if you think about it your asking for it if you don't pay attention when security minded people point out a new service is vulnerable. Of course none of this means anything if your email is being forked over to outside parties by the service so none of them are safe and people that work there can always read them nothing email is private get used to it.
POP3 with SSL
If you use POP3 with SSL, it's encrypted from the beginning. And the good news is that once you download the message to your own machine, you can (and should) delete it from the server. HOWEVER, how many sites use SSL?
Gotta wonder, do the RNC and DNC even encrypt their email servers? Or traffic? That would be a fun attack.
Stupid question but...
Why isn't all WiFi traffic between the access point and client encrypted as part of the protocol? Surely that negates all problems of running a non-switched network.