Google silences Gmail security blogorumors
Domain hijack vuln doesn't exist
Google security pros have taken exception to recent reports of a Gmail vulnerability that led to a rash of domain hijackings. They were the result of a plain-vanilla phishing campaign, they say.
The erroneous reports appear to have originated here, when the MakeUseOf blog reported its domain name was commandeered after someone gained unauthorized access to the owner's Gmail account and from there accessed the author's account with domain registrar GoDaddy. The author went on to argue that a Gmail vulnerability was the weak link that caused the chain to break.
Other blogs quickly followed suit, with Geek Condition creating a detailed proof of concept for setting up a Gmail filter that automatically forwards all email sent from GoDaddy support to an address controlled by the attacker. ReadWriteWeb also got in on the action, here posting a timeline for a vulnerability that, like Big Foot and the Loch Ness Monster, many people were sure existed but didn't quite have proof.
But in a blog post published Tuesday, Google security researcher Chris Evans effectively said Big Foot doesn't exist. Or at least the evidence some claimed proved Big Foot's existed wasn't accurate.
"With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information," Evans wrote. "Attackers sent customized emails encouraging web domain owners to visit fraudulent websites such as "google-hosts.com" that they set up purely to harvest usernames and passwords."
Once the phishers gained access to the Gmail account, they created filters that "forwarded messages from web domain providers."
Evans went on to refute a claim made last year that a separate domain theft was also the result of a different vulnerability in Gmail. Google did discover a cross-site request forgery in its email service in September, but fixed it within 24 hours. Last year, blogger David Airey reported his domain name was stolen in November and he blamed a vulnerability in Gmail for the theft.
"Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft," Evans wrote. (We're pretty sure he meant to say November.)
Evans reminded the public of the value in turning on Gmail's HTTPS-only feature, which ensures that connections are always encrypted. Over the past few months, Google has finally extended the feature to its Google Apps users. If only eBay, PayPal Yahoo and the rest of online world offered similar services. ®
Bullshit SSL comments
Calling bullshit on the SSL comments about CPU resources. GMail supports SSL IMAP, POP3, and SMTP. Sure, the user base for that is smaller than the web system, but SSL is there none the less. SSL does not impact a system badly enough to be of that much concern versus privacy. OpenSSL seems quite well-tweaked already, and the Google PowerHouse CodePlex could easily optimize an internal version, or offload SSL to hardware-based encryption using GPUs, etc.
I will also call bullshit on the idea that there is anybody who does not need nor deserve privacy and protection. Just because you think the information you send in your emails is not important, does not mean that the other end does not, or that it really is not important to someone else. At the very least, your privacy is paramount whether you believe it is or not.
So encryption, email keys, and the like are not the standard? Then why do we not make them the standard by using them and encouraging others to use them as well?
Paris, calling bullshit on the hat-trick.
Perhaps, but no...
Strange Anti-HTTPS comments.
GMail can support everyone turning it on. That's why they feature that. Currently. They're doing fine, they can afford it.
Other companies, that aren't Google, might have 100 apps running on a small server, and of course, that wouldn't be feasible to offer HTTPS to huge groups of users. Of course, maybe if they had invested in new hardware, they could have promoted secure growth without stifling advancement.
But this is Google. They're good to go.
What's with the HTTP and not HTTPS?
Mostly @Steven Knox
It has been pointed out that SSL isn't free. It costs CPU cycles.
Gmail is still free. Google doesn't want to support a huge SSL user base because that would require more hardware.
You could have just as easily asked, why isn't every single website on the Internet encrypted with SSL. Maybe not. Certs cost money, too. Google can eat this cost no problem, but an ongoing demand for more CPU would be a bit harder.