Saturday, August 23, 2008

A Warning to Web E-Mail Users

Last month Google added a new security feature to Gmail: a setting that forces Gmail to use the HTTPS protocol for all interactions. Google posted instructions for enabling it. Enabling this extra security is always a good idea, but you should consider it mandatory if you ever use any public network, such as your local coffee shop's wireless. Without HTTPS set to always-on, anyone who shares a network with you and has the ability to monitor the traffic over that network can gain full access to your account. Unfortunately, it's not just Google Mail that's vulnerable; it's all Google web apps and many other sites around the web. Some technical details can be found on the site of Mike Perry, the author who published the vulnerability. There is more information on his blog beyond that post.

All the technical stuff aside, the lesson to take from this would be that public networks remain very insecure. The odds of you being targeted for a hack are probably tiny, but they aren't zero. And though one prominent security expert extols running an open wireless network in his home, I don't. Note the responses at the bottom of that post for other security experts also disagreeing. Personally, my wireless network doesn't broadcast its ID, so you have to know what it is to get in. And even if you guess, my router is set up to recognize only the unique identifiers associated with the network adapters in my computers. While this is almost certainly a paranoid level of security, it does ensure that I'm going to be the last person in my neighborhood whose wireless is hijacked. (For the record, there are 4 secured and 2 unsecured networks visible to my laptop as I sit here on my couch. Mine is the only one not broadcasting its network ID.)
