As I'm getting ready to miss the first Super Bowl weekend of my married life to attend the the O'Reilly Social Graph FOO Camp, I'm reminded that I should be careful about using wireless at the conference by this informative yet clueless post by Larry Dignan on ZDNet entitled Even SSL Gmail can get sidejacked which states

Sidejacking is a term Graham uses to describe his session hijacking hack that can compromise nearly all Web 2.0 applications that rely on saved cookie information to seamlessly log people back in to an account without the need to reenter the password.  By listening to and storing radio signals from the airwaves with any laptop, an attacker can harvest cookies from multiple users and go in to their Web 2.0 application.  Even though the password wasn’t actually cracked or stolen, possession of the cookies acts as a temporary key to gain access to Web 2.0 applications such as Gmail, Hotmail, and Yahoo.  The attacker can even find out what books you ordered on Amazon, where you live from Google maps, acquire digital certificates with your email account in the subject line, and much more.

Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail’s JavaScript code will fall back to non-encrypted http mode if https isn’t available.  This is actually a very common scenario anytime a laptop connects to a hotspot before the user signs in where the laptop will attempt to connect to Gmail if the application is opened but it won’t be able to connect to anything.  At that point in time Gmail’s JavaScripts will attempt to communicate via unencrypted http mode and it’s game over if someone is capturing the data.

What’s really sad is the fact that Google Gmail is one of the “better” Web 2.0 applications out there and it still can’t get security right even when a user actually chooses to use SSL mode. 

Although the blog post is about a valid concern,  the increased likelihood of man-in-the-middle attacks when using unsecured or shared wireless networks, it presents it in the most ridiculous way possible. Man-in-the-middle attacks are a problem related to using computer networks, not something that is limited to the Web let alone Web 2.0 (whatever that means).

Now Playing: 50 Cent - Touch The Sky (Feat. Tony Yayo) (Prod by K Lassik)


 

Friday, 01 February 2008 17:37:48 (GMT Standard Time, UTC+00:00)
Hey Now Dare,
Catchy title, interesting post.
Thx 4 the info,
Catto
Friday, 01 February 2008 21:09:27 (GMT Standard Time, UTC+00:00)
Actually, that post was written by George Ou, not Larry Dignan. Even as a fellow ZDNet blogger I get confused by that layout. The by-line should be bigger.
Sunday, 03 February 2008 15:03:50 (GMT Standard Time, UTC+00:00)
Cool, the post.

Thanks for the information.
Comments are closed.