Join 3,512 readers in helping fund MetaFilter (Hide)


The Middler
August 28, 2008 10:48 AM   Subscribe

Your Gmail account isn't secure. Announced at Defcon 16, Jay Beale's tool, The Middler (man-in-the-middle) to steal session ID from not only Gmail users, but LinkedIn, LiveJournal, Facebook, and presumably any site that uses a session-based cookie. Enable https permanently. (previously)
posted by sluglicker (53 comments total) 27 users marked this as a favorite

 
I'm bummed at the piss-poor way Google has "enabled" HTTPS: It works, but didn't work with the Blackberry client (mostly fixed now), it breaks the Send To-> function on their Firefox toolbar, broke Gmail notifier (now fixed I guess), and the "enable https" option wasn't available (last time I checked) on Gmail For Your Domain.
posted by These Premises Are Alarmed at 10:56 AM on August 28, 2008


From the Middler's website:

"The Middler allows an attacker to: Clone users sessions in any application that uses cleartext HTTP, even after authenticating over HTTPS.....

Replace HTTPS links with HTTP links before serving them to the victim, while making sure to submit the user's data to the server over SSL. "

So would enabling HTPPS do any good?
posted by JauntyFedora at 11:00 AM on August 28, 2008


So this is bad, right?

Seriously, can someone dumb it down a bit for me?
posted by Mister_A at 11:02 AM on August 28, 2008 [3 favorites]


Ok - the SSL/Cookies thing for dummies:

(full disclosure, former intern at Google, doing a PhD in computer security. None of this violates my NDA.)

First off, you need to know that when you are using a public wireless network (coffee shops, your university, etc), your Internet browsing can be eavesdropped upon by anyone else nearby. They can see which web pages you visit, which IMs you send, and which *ahem* adult image you are looking at.

When you login to Google Mail, your username and password are transmitted in an encrypted format (what we call SSL) -- thus stopping bad guys from being able to learn your account details.

However, your browser does not send your username and password back and forth every time you want to send a new email. Instead, Google issues your browser with a 'cookie' -- which is a text string. Anyone who knows this cookie, can pretend to be you -- they can check your email, or send new messages as you.

This cookie is sent in plain text. That is, while your username and password are sent in an encrypted manner, Google sends the cookie, the keys to your email kingdom, over the wire in such a way that any smart person can grab them, and then impersonate you.

Since Google Mail first started back in 2004, the company has offered a secure version of it's webmail service, accessible at https://www.gmail.com. The only problem? No one other than security geeks knows about it.

The issue is made slightly worse, by this recent attack (which was discovered a year ago. Google was given 7 months notice, and they rushed the fix out a couple days before the guy presented it at Defcon).

Essentially, if you have not set this preference, and you routinely use the SSL version of gmail (https://www.gmail.com), and you -ever- use a public wifi connection, your cookie can still be stolen via some sneaky man-in-the-middle attacks.

The main problem here, essentially, is that Google doesn't want to switch everyone over to SSL --- because doing so uses more CPU, and when spread across millions of users, it pushes up their costs. Yes, this is about money.

Google offers SSL, but does nothing at all to publicize it (i.e. by putting a link on the main google mail login page advertising it), so that when criticized, the company can claim it is all about "consumer choice." In Google's view of the world, users who care about security and privacy will search through 3 layers of config options to find this new hidden option. This is frankly, bullshit.

Most people have no idea that their web surfing is so vulnerable to eavesdropping when using wifi networks, and this is the real problem. Google is just making it worse.

For those of you who care about your privacy, I can highly recommend the Customize Google firefox extension.. It'll make all your webmail traffic go over SSL by default, and as an added bonus, will strip out Google's tracking cookies, and text ads from other websites. A win-win.
posted by genome4hire at 11:17 AM on August 28, 2008 [121 favorites]


I can't dumb it down, but I can make it blow it out of proportion it.

EVERYONE RUN, THE INTERNET IS DOOMED.
posted by TwelveTwo at 11:17 AM on August 28, 2008 [1 favorite]


Mister_A: "So this is bad, right? Seriously, can someone dumb it down a bit for me?"

What's your gmail address? I'll send you an explanation.
posted by Plutor at 11:18 AM on August 28, 2008 [2 favorites]


Yeah, I was writing a comment about security a little while ago, doing some cross-checking, and I was stunned to find that Gmail, Hotmail and a bunch of the other major apps I checked out did not default to HTTPS. That seems totally nuts to me. I mean, forget man-in-the-middle attacks, if the login page is HTTP and someone captures the POST of the login form, they've got your password in clear text.

Clever mathowie and company, you can't even get to the MeFi login page via HTTP.

Seriously, can someone dumb it down a bit for me?

There's a fair probability, under some conditions, that someone using the techniques linked to could temporarily or permanently take control of your GMail account. You should follow the steps in the link Enable https permanently.
posted by XMLicious at 11:19 AM on August 28, 2008


So would enabling HTPPS do any good?

Yes, because SSL is designed to detect man-in-the-middle attacks. There is authentication built into SSL. (This is in addition to encryption.) When you switch from HTTPS to HTTP for the rest of your session, the client will stop trying to verify the host is who they say they are.
posted by chunking express at 11:20 AM on August 28, 2008


So if you delete all your cookies before and after using the public wifi, and only use the https version of gmail while you're on the public wifi, you're good, right? *crosses fingers*
posted by desjardins at 11:22 AM on August 28, 2008


Oops, wait, GMail's login page requires HTTPS but Hotmail's doesn't. Sorry, misremembered that.
posted by XMLicious at 11:24 AM on August 28, 2008


So....Google is doing some evil? Breakdown...of worldview....imminent....
posted by DU at 11:24 AM on August 28, 2008


Wait a minute.

....users who care about security and privacy will search through 3 layers of config options to find this new hidden option. This is frankly, bullshit.

It sure is. I clicked on "Settings" and there it was, on the first page of config options.
posted by DU at 11:25 AM on August 28, 2008 [1 favorite]


There is authentication built into SSL. (This is in addition to encryption.) When you switch from HTTPS to HTTP for the rest of your session, the client will stop trying to verify the host is who they say they are.

1. Go to https://gmail.com.
2. Oh noes! Certificate mismatch!
3. Oh, wait, it's for mail.google.com. Is Google too cheap to spring for the extra cert for the redirect? WTFGOOG?
4. Habituate to clicking through.
5. Fail to notice when the certificate is actually for l33t3v1lh4xx0rz.com.
6. Profit! For l33t3v1lh4xx04z.com.
posted by enn at 11:30 AM on August 28, 2008 [2 favorites]


It works, but didn't work with the Blackberry client (mostly fixed now)

Is that through the Blackberry browser, Opera Mini, or the gmail app for the Blackberry? I'd vastly prefer to use the secured side if it's an option.
posted by quin at 11:31 AM on August 28, 2008


Any website that can should be using https ***all the time, for everything*** (ahem: metafilter)

I think that someday, not using it will be equivalent to negligence.
posted by blue_beetle at 11:32 AM on August 28, 2008 [1 favorite]


also, Google Reader allows all-the-time HTTPS browsing. You might want to change your bookmarks.
posted by blue_beetle at 11:33 AM on August 28, 2008


and the "enable https" option wasn't available (last time I checked) on Gmail For Your Domain.

No, it's been enabled for a while - at least two weeks. It can be set by the domain admin. It applies to all browser access, not just to mail but to Docs, Spreadsheets, etc.
posted by me & my monkey at 11:36 AM on August 28, 2008


Just to be clear.

Using the SSL version of google (https://www.gmail.com) is not enough to protect yourself. It will at least protect you from passive adversaries (i.e. people who only snoop), but it will not protect you against active adversaries (people who are willing to engage in a Man in the Middle attack, and spoof connections).

To be safe, you need to turn on this new SSL-only option in your gmail settings, and start typing in https://www.gmail.com (or change your bookmarks, or use CustomizeGoogle)

If you type in www.gmail.com (without the https), even with the fancy new cookie setting, you can still be tricked into going to a malicious website.
posted by genome4hire at 11:36 AM on August 28, 2008 [4 favorites]


Thanks a bunch, genome4hire . Plutor, did I really win the Italian lottery like you said in that email?
posted by Mister_A at 11:36 AM on August 28, 2008


Here's how to patch Gmail notifier if you use it and have enabled https. (http://mail.google.com/support/bin/answer.py?hl=en&answer=9429)

----

Note: If you've enabled the 'Always use https' setting in Gmail, you'll need to install a patch for the Notifier to work with this setting:

1. Download the patch (.zip).
2. Open the folder.
3. Double-click the notifier_https.reg file.
4. Click yes when you're asked to confirm if you want to add the information to the registry.
5. Restart the Notifier.

If you decide you no longer want to use the https setting, you'll need to install the other file included in the download to reset the Notifier. Use the same method as above, except with 'notifier_https_undo.reg.'

posted by knapah at 11:39 AM on August 28, 2008 [2 favorites]


Also, this seems as good a place as any to mention my favorite GMail attack, which I believe is now fixed (but I'm not going to hit one of the exploit pages to be sure) — GMail used XMLHttpRequest to grab your contact list as a Javascript array literal from a URI that was constant across accounts. I could put up a page at attacker.com with <script src="http://mail.google.com/mail/?_url_scrubbed"> and the array literal would be evaluated if you visited it while logged in to GMail — but nothing would happen, because it was just a literal, not an assignment and with no other side effects. So how does attacker.com get at the data? Redefine the Array() constructor so that evaluating []-notation will send the contents off to your waiting server. I love Javascript.1

1. Not ironic.
posted by enn at 11:47 AM on August 28, 2008 [3 favorites]


Not My LiveJournal!
posted by mannequito at 11:54 AM on August 28, 2008 [1 favorite]


PGP as a Gmail option would be nice; not a chance of that, though.
posted by acro at 11:58 AM on August 28, 2008


For Mac users of Google Notifier, an easy hack to permanently enable secure connections.
posted by Dipsomaniac at 11:59 AM on August 28, 2008 [4 favorites]


To their credit, using SSL all the time is a pain in the ass. Using it in mixed mode is a pain in the ass the way browsers currently implement it. Like the way most browsers will throw up an error if a single asset -- image, javascript, whatever -- is loaded from a non-SSL server from your SSL session. This can be altered or turned off, but it probably isn't for most users.

To alleviate that, some people will turn on SSL for an entire site, even the non-secured parts. What does that do? Well, it adds some overhead on the server side (large, as it's multiplied by number of clients) and a small amount of overhead on the client. Additionally, many browsers have different caching policies for SSL-enabled files, as do proxy servers. So suddenly all the work you've done on your server to put things in nice, cacheable places is invalidated by the fact that every image is getting pulled once per browser session, not once a week/month/whenever.

If SSL is going to be standard everywhere, and necessarily used over entire sites that share cookies and session IDs (like Google's application suite), then we need to rethink the way this thing works. Or do a lot more session/cookie invalidation and come up with a better way to handle logins.
posted by mikeh at 12:04 PM on August 28, 2008


so insightful that, if it weren't for the blue, i'd think i was reading lifehacker.
posted by RockyChrysler at 12:07 PM on August 28, 2008


Is Google too cheap to spring for the extra cert for the redirect? WTFGOOG?

enn, to be fair, it may be due to all that Giersch Ventures bullshit.
posted by phooky at 12:13 PM on August 28, 2008


I'm a little wary of genome4hire's suggestions since, to my knowledge, Google's never used www.gmail.com with its SSL certificate, as noted above. Everything's been routed to mail.google.com as long as I can remember.

Also, that customizegoogle Firefox extension looks great, but it's a GPL-licensed single developer (as far as I can tell) extension. As in, I can't find a public source repository for it, so it's not like it's actively developed by a group. While it's easy to go in and review the source, this is pretty much the best vector for someone hijacking Google accounts that I can think of. Do you go in and review the source every time you install a new version to make sure someone didn't break the customizegoogle.com server and insert their own version that hijacks sessions in an even worse way?
posted by mikeh at 12:21 PM on August 28, 2008


phooky, they make that mistake across all their SSL servers. If you try https://google.com/analytics for example, you will get a cert name mismatch error.
posted by mkb at 12:27 PM on August 28, 2008


Enn and mikeh are right. Be sure to type 'https://mail.google.com'. Don't use 'http' and don't use 'gmail.com'.
posted by cobra libre at 1:24 PM on August 28, 2008 [2 favorites]


First off, you need to know that when you are using a public wireless network (coffee shops, your university, etc), your Internet browsing can be eavesdropped upon by anyone else nearby.

A question I have been meaning to ask, maybe someone here knows: when I am on an ethernet connection (say, in my office) and the airport (mac osx 10.5) bars are still on, is my computer not only sending and receiving through the ethernet cable, but also broadcasting everything out the wireless antenna?

(this may be a stupid question but I have always wondered this)
posted by Rumple at 1:28 PM on August 28, 2008


Re: Gmail for your Domain

No, it's been enabled for a while - at least two weeks. It can be set by the domain admin. It applies to all browser access, not just to mail but to Docs, Spreadsheets, etc.

Where? I'll be damned if I can find a setting *anywhere*.
posted by vertigo25 at 1:29 PM on August 28, 2008


Also, this seems as good a place as any to mention my favorite GMail attack, which I believe is now fixed

Yeah, this is fixed now. It's depressingly easy for sites to leave these kinds of XSS vulnerabilities in (most major sites I can think of have had multiple XSS vulnerabilities over the years). They're easy to fix, but also easy to miss.
posted by wildcrdj at 1:44 PM on August 28, 2008


A question I have been meaning to ask, maybe someone here knows: when I am on an ethernet connection (say, in my office) and the airport (mac osx 10.5) bars are still on, is my computer not only sending and receiving through the ethernet cable, but also broadcasting everything out the wireless antenna?

Well, assuming those bars mean you are connected to the wireless network, then your computer can choose either network interface to send data out/in. This will depend on a host of factors. Basically, the answer is it's probably not broadcasting "everything" out, but it could broadcast anything out. I usually turn my wireless off on the laptop when I'm plugged in to a network (using the hardware wireless-off switch, not sure if Macbooks have those, but I assume they do - they're pretty standard on Windows laptops).
posted by wildcrdj at 1:46 PM on August 28, 2008


Enn, Mikeh, Cobra Libre: what's wrong with 'gmail.com' if that redirects automatically to https://mail.google.com (and I have https set to always-on)? I tend to just type "gmail" in my address bar and go where Firefox takes me...I end up typing my password in at https://www.google.com/etcetc.

This only seems to be a problem if I take the trouble to type in https://gmail.com -- and who would do that in these days of miraculous intelligent address bars?
posted by col_pogo at 2:30 PM on August 28, 2008


Question: what if you're using Thunderbird to retrieve your messages from your Gmail account?
posted by Minus215Cee at 2:34 PM on August 28, 2008


good question, Minus–I do that too.
posted by Mister_A at 2:36 PM on August 28, 2008


col_pogo: Because if someone was trying to intercept your connection to https://mail.google.com it's unlikely that they'd have an SSL certificate for it that would be automatically accepted by your browser - so you ought to immediately get some kind of warning about the certificate. Whereas if you go to an http:// address and you unexpectedly end up on someone else's server you would have no such warning; you would have to notice that you weren't forwarded to https://mail.google.com, or that you were forwarded to somewhere else.
posted by XMLicious at 2:40 PM on August 28, 2008


col_pogo: if your browser is taking you first to http://www.gmail.com, which is then redirecting you to https://mail.google.com, the problem is that you can't trust that http://www.gmail.com is actually gmail. The "man-in-the-middle" attack is that someone takes you to www.evilhacker.com instead of gmail, and makes it look like gmail. Then they redirect you to an "https" site with a bogus certificate, that looks like mail.google.com. Since most people just shrug at those certificate issues, now they get you to enter your info.

Even if you go to https://www.gmail.com, the problem is that that gives you an invalid certificate, since they only signed it for mail.google.com. So anyone could present that certificate (evilhacker.com presents the mail.google.com cert, your browser says "hey, it doesn't match1!" but since you always see that error going from https://www.gmail.com, you don't think anything of it, and you're in evilhacker land again).
posted by wildcrdj at 2:40 PM on August 28, 2008 [1 favorite]


Where? I'll be damned if I can find a setting *anywhere*.

Manage your Domain ... GMail ... Settings or some such. I read about it on one of the official Google blogs a while back, and I know I've had it enabled for more than two weeks. Let me know if you want a screenshot.

what if you're using Thunderbird to retrieve your messages from your Gmail account?

If you're using IMAP4, that's going through SSL. I don't know about POP3.
posted by me & my monkey at 3:06 PM on August 28, 2008


also, Google Reader allows all-the-time HTTPS browsing.

It's not under Settings. Directions please?
posted by mattbucher at 3:11 PM on August 28, 2008


SSL is only available for the Premier Edition of Google Apps.
posted by harkin banks at 3:40 PM on August 28, 2008


Like the way most browsers will throw up an error if a single asset — image, javascript, whatever — is loaded from a non-SSL server from your SSL session. This can be altered or turned off, but it probably isn't for most users
Which is a good thing, because it's always been necessary if you want to make a secure browser. If any component of the page is insecurely loaded the whole page can be compromised that way.
come up with a better way to handle logins
Like, say, web app designers could just use well-known widely-deployed secure authentication techniques like Digest authentication instead of rolling their own form-and-cookie systems every time.
posted by hattifattener at 3:57 PM on August 28, 2008


wildcrj: thanks. On macs it is a software switch. It seems that most likely the computer could only be connected to one network at a time, of course, but whether the antenna still just aimless broadcasts outwards, I'm still not sure....
posted by Rumple at 6:08 PM on August 28, 2008


I vote we sidebar genome's first comment. Thanks, y'all.
posted by lunit at 8:03 PM on August 28, 2008


hattifattener, Microsoft broke digest authentication pretty much deliberately, so no one has ever nor will ever use it. Sad.
posted by vsync at 8:33 PM on August 28, 2008


> A question I have been meaning to ask, maybe someone here knows: when I am on an ethernet connection (say, in my office) and the airport (mac osx 10.5) bars are still on, is my computer not only sending and receiving through the ethernet cable, but also broadcasting everything out the wireless antenna?

System Preferences -> Network. Internet goes through the active service on top. (By default, Ethernet then Airport). However, you can still talk to local devices over wireless if they share the same subnet (or to oversimplify, the same wireless access point).

OS X keeps track of the local subnets it is connected to (the switch, and the wireless access point), but it still needs to know a route to send traffic to a device (which could be a server, www.google.com) that is not in the immediate network 'vicinity' of the computer. OS X can only manage using one such route at a time by default, so it picks the one provided by the router field in the top most active network interface (ethernet when it is plugged in, even if airport is active, by default). You can change that by clicking the Gear in the network panel and selecting "set service order."

Security wise, your computer will still respond to queries and remote access attempts from anyone in the same network vicinity's as you (ethernet or wireless), but if someone from the internet tried to connect to your laptop over the wireless connection, your computer would actually try to respond via the ethernet (if both were active) which would break the connection and their attempt to connect would be unsuccessful.

In short: if you didn't change anything, and your mac is connected to ethernet and wireless, all internet destined traffic is going through the ethernet connection, and I have not seen much 'leaking' to the wireless at the same time. Also, OS X will use DNS servers provided from the active top service, so even if someone spoofs and takes over your wireless network and sets up their own evil DNS server, your machine will ignore it while it has an ethernet connection.

(Fun fact, many people were able to get fully legit 'internal testing' domains for google.com and live.com from trusted root certificate authorities, allowing them to break even the SSL trust system, also mentioned at this years defcon)
posted by mrzarquon at 8:56 PM on August 28, 2008


Also, for those still using https://www.gmail.com

Just use: https://mail.google.com/

No SSL Cert errors, as gmail.com just redirects to that damn site anyway. Put it in your bookmarks menu, and you are done, along with checking the "always use ssl" option.

Also, Do you trust *your* dns server? I know I do.
posted by mrzarquon at 8:58 PM on August 28, 2008


> even if someone spoofs and takes over your wireless network and sets up their own evil DNS server, your machine will ignore it while it has an ethernet connection.

I am assuming here that your mac is connecting to some random *different* wireless network, not the wireless network provided by your airport extreme / linksys / etc that you are also plugging your macs ethernet port into. If that is the case, then yes your entire network is compromised.
posted by mrzarquon at 9:01 PM on August 28, 2008


Thanks mrzaquon, that clears it up some. Normally I am on wireless only with all attendant risks, but at work we have both ethernet and wireless and I usually go with ethernet because it is faster.
posted by Rumple at 10:12 PM on August 28, 2008


Jebus, doesn't it seem like secure browsing for consumers is something that should not still be so obscure?
posted by Tubes at 7:18 AM on August 29, 2008


If you don't need to use a particular network interface (ethernet, wireless, etc) on your mac, you probably are best to turn them off via the Network preferences.
posted by chunking express at 7:59 AM on August 29, 2008


Tags for this post might be more useful if they included "gmail" and "google." Just sayin'.
posted by aaronetc at 2:26 PM on August 29, 2008


« Older The aim of Self-Portrait Challenge is to create an...  |  Phil Hill, the only American e... Newer »


This thread has been archived and is closed to new comments