Comments on: The Middler

The Middler

sluglicker — Thu, 28 Aug 2008 10:48:28 -0800

Your Gmail account isn't secure. Announced at Defcon 16, Jay Beale's tool, The Middler (man-in-the-middle) to steal session ID from not only Gmail users, but LinkedIn, LiveJournal, Facebook, and presumably any site that uses a session-based cookie. Enable https permanently. (previously)

By: These Premises Are Alarmed

These Premises Are Alarmed — Thu, 28 Aug 2008 10:56:46 -0800

I'm bummed at the piss-poor way Google has "enabled" HTTPS: It works, but didn't work with the Blackberry client (mostly fixed now), it breaks the Send To-> function on their Firefox toolbar, broke Gmail notifier (now fixed I guess), and the "enable https" option wasn't available (last time I checked) on Gmail For Your Domain.

By: JauntyFedora

JauntyFedora — Thu, 28 Aug 2008 11:00:10 -0800

From the Middler's website: "The Middler allows an attacker to: Clone users sessions in any application that uses cleartext HTTP, even after authenticating over HTTPS..... Replace HTTPS links with HTTP links before serving them to the victim, while making sure to submit the user's data to the server over SSL. " So would enabling HTPPS do any good?

By: Mister_A

Mister_A — Thu, 28 Aug 2008 11:02:03 -0800

So this is bad, right? Seriously, can someone dumb it down a bit for me?

By: genome4hire

genome4hire — Thu, 28 Aug 2008 11:17:26 -0800

Ok - the SSL/Cookies thing for dummies: (full disclosure, former intern at Google, doing a PhD in computer security. None of this violates my NDA.) First off, you need to know that when you are using a public wireless network (coffee shops, your university, etc), your Internet browsing can be eavesdropped upon by anyone else nearby. They can see which web pages you visit, which IMs you send, and which *ahem* adult image you are looking at. When you login to Google Mail, your username and password are transmitted in an encrypted format (what we call SSL) -- thus stopping bad guys from being able to learn your account details. However, your browser does not send your username and password back and forth every time you want to send a new email. Instead, Google issues your browser with a 'cookie' -- which is a text string. Anyone who knows this cookie, can pretend to be you -- they can check your email, or send new messages as you. This cookie is sent in plain text. That is, while your username and password are sent in an encrypted manner, Google sends the cookie, the keys to your email kingdom, over the wire in such a way that any smart person can grab them, and then impersonate you. Since Google Mail first started back in 2004, the company has offered a secure version of it's webmail service, accessible at https://www.gmail.com. The only problem? No one other than security geeks knows about it. The issue is made slightly worse, by this recent attack (which was discovered a year ago. Google was given 7 months notice, and they rushed the fix out a couple days before the guy presented it at Defcon). Essentially, if you have not set this preference, and you routinely use the SSL version of gmail (https://www.gmail.com), and you -ever- use a public wifi connection, your cookie can still be stolen via some sneaky man-in-the-middle attacks. The main problem here, essentially, is that Google doesn't want to switch everyone over to SSL --- because doing so uses more CPU, and when spread across millions of users, it pushes up their costs. Yes, this is about money. Google offers SSL, but does nothing at all to publicize it (i.e. by putting a link on the main google mail login page advertising it), so that when criticized, the company can claim it is all about "consumer choice." In Google's view of the world, users who care about security and privacy will search through 3 layers of config options to find this new hidden option. This is frankly, bullshit. Most people have no idea that their web surfing is so vulnerable to eavesdropping when using wifi networks, and this is the real problem. Google is just making it worse. For those of you who care about your privacy, I can highly recommend the Customize Google firefox extension.. It'll make all your webmail traffic go over SSL by default, and as an added bonus, will strip out Google's tracking cookies, and text ads from other websites. A win-win.

By: TwelveTwo

TwelveTwo — Thu, 28 Aug 2008 11:17:46 -0800

I can't dumb it down, but I can make it blow it out of proportion it. EVERYONE RUN, THE INTERNET IS DOOMED.

By: Plutor

Plutor — Thu, 28 Aug 2008 11:18:16 -0800

Mister_A: "So this is bad, right? Seriously, can someone dumb it down a bit for me?" What's your gmail address? I'll send you an explanation.

By: XMLicious

XMLicious — Thu, 28 Aug 2008 11:19:16 -0800

Yeah, I was writing a comment about security a little while ago, doing some cross-checking, and I was stunned to find that Gmail, Hotmail and a bunch of the other major apps I checked out did not default to HTTPS. That seems totally nuts to me. I mean, forget man-in-the-middle attacks, if the login page is HTTP and someone captures the POST of the login form, they've got your password in clear text. Clever mathowie and company, you can't even get to the MeFi login page via HTTP. Seriously, can someone dumb it down a bit for me? There's a fair probability, under some conditions, that someone using the techniques linked to could temporarily or permanently take control of your GMail account. You should follow the steps in the link Enable https permanently.

By: chunking express

chunking express — Thu, 28 Aug 2008 11:20:20 -0800

So would enabling HTPPS do any good? Yes, because SSL is designed to detect man-in-the-middle attacks. There is authentication built into SSL. (This is in addition to encryption.) When you switch from HTTPS to HTTP for the rest of your session, the client will stop trying to verify the host is who they say they are.

By: desjardins

desjardins — Thu, 28 Aug 2008 11:22:35 -0800

So if you delete all your cookies before and after using the public wifi, and only use the https version of gmail while you're on the public wifi, you're good, right? *crosses fingers*

By: XMLicious

XMLicious — Thu, 28 Aug 2008 11:24:25 -0800

Oops, wait, GMail's login page requires HTTPS but Hotmail's doesn't. Sorry, misremembered that.

By: DU

DU — Thu, 28 Aug 2008 11:24:34 -0800

So....Google is doing some evil? Breakdown...of worldview....imminent....

By: DU

DU — Thu, 28 Aug 2008 11:25:53 -0800

Wait a minute. ....users who care about security and privacy will search through 3 layers of config options to find this new hidden option. This is frankly, bullshit. It sure is. I clicked on "Settings" and there it was, on the first page of config options.

By: enn

enn — Thu, 28 Aug 2008 11:30:53 -0800

There is authentication built into SSL. (This is in addition to encryption.) When you switch from HTTPS to HTTP for the rest of your session, the client will stop trying to verify the host is who they say they are. 1. Go to https://gmail.com. 2. Oh noes! Certificate mismatch! 3. Oh, wait, it's for mail.google.com. Is Google too cheap to spring for the extra cert for the redirect? WTFGOOG? 4. Habituate to clicking through. 5. Fail to notice when the certificate is actually for l33t3v1lh4xx0rz.com. 6. Profit! For l33t3v1lh4xx04z.com.

By: quin

quin — Thu, 28 Aug 2008 11:31:59 -0800

It works, but didn't work with the Blackberry client (mostly fixed now) Is that through the Blackberry browser, Opera Mini, or the gmail app for the Blackberry? I'd vastly prefer to use the secured side if it's an option.

By: blue_beetle

blue_beetle — Thu, 28 Aug 2008 11:32:07 -0800

Any website that can should be using https ***all the time, for everything*** (ahem: metafilter) I think that someday, not using it will be equivalent to negligence.

By: blue_beetle

blue_beetle — Thu, 28 Aug 2008 11:33:32 -0800

also, Google Reader allows all-the-time HTTPS browsing. You might want to change your bookmarks.

By: me & my monkey

me & my monkey — Thu, 28 Aug 2008 11:36:19 -0800

and the "enable https" option wasn't available (last time I checked) on Gmail For Your Domain. No, it's been enabled for a while - at least two weeks. It can be set by the domain admin. It applies to all browser access, not just to mail but to Docs, Spreadsheets, etc.

By: genome4hire

genome4hire — Thu, 28 Aug 2008 11:36:27 -0800

Just to be clear. Using the SSL version of google (https://www.gmail.com) is not enough to protect yourself. It will at least protect you from passive adversaries (i.e. people who only snoop), but it will not protect you against active adversaries (people who are willing to engage in a Man in the Middle attack, and spoof connections). To be safe, you need to turn on this new SSL-only option in your gmail settings, and start typing in https://www.gmail.com (or change your bookmarks, or use CustomizeGoogle) If you type in www.gmail.com (without the https), even with the fancy new cookie setting, you can still be tricked into going to a malicious website.

By: Mister_A

Mister_A — Thu, 28 Aug 2008 11:36:42 -0800

Thanks a bunch, genome4hire . Plutor, did I really win the Italian lottery like you said in that email?

By: knapah

knapah — Thu, 28 Aug 2008 11:39:42 -0800

Here's how to patch Gmail notifier if you use it and have enabled https. (http://mail.google.com/support/bin/answer.py?hl=en&answer=9429) ---- Note: If you've enabled the 'Always use https' setting in Gmail, you'll need to install a patch for the Notifier to work with this setting: 1. Download the patch (.zip). 2. Open the folder. 3. Double-click the notifier_https.reg file. 4. Click yes when you're asked to confirm if you want to add the information to the registry. 5. Restart the Notifier. If you decide you no longer want to use the https setting, you'll need to install the other file included in the download to reset the Notifier. Use the same method as above, except with 'notifier_https_undo.reg.'

By: enn

enn — Thu, 28 Aug 2008 11:47:36 -0800

Also, this seems as good a place as any to mention my favorite GMail attack, which I believe is now fixed (but I'm not going to hit one of the exploit pages to be sure) — GMail used XMLHttpRequest to grab your contact list as a Javascript array literal from a URI that was constant across accounts. I could put up a page at attacker.com with <script src="http://mail.google.com/mail/?_url_scrubbed"> and the array literal would be evaluated if you visited it while logged in to GMail — but nothing would happen, because it was just a literal, not an assignment and with no other side effects. So how does attacker.com get at the data? Redefine the Array() constructor so that evaluating []-notation will send the contents off to your waiting server. I love Javascript.¹ 1. Not ironic.

By: mannequito

mannequito — Thu, 28 Aug 2008 11:54:23 -0800

Not My LiveJournal!

By: acro

acro — Thu, 28 Aug 2008 11:58:51 -0800

PGP as a Gmail option would be nice; not a chance of that, though.

By: Dipsomaniac

Dipsomaniac — Thu, 28 Aug 2008 11:59:10 -0800

For Mac users of Google Notifier, an easy hack to permanently enable secure connections.

By: mikeh

mikeh — Thu, 28 Aug 2008 12:04:37 -0800

To their credit, using SSL all the time is a pain in the ass. Using it in mixed mode is a pain in the ass the way browsers currently implement it. Like the way most browsers will throw up an error if a single asset -- image, javascript, whatever -- is loaded from a non-SSL server from your SSL session. This can be altered or turned off, but it probably isn't for most users. To alleviate that, some people will turn on SSL for an entire site, even the non-secured parts. What does that do? Well, it adds some overhead on the server side (large, as it's multiplied by number of clients) and a small amount of overhead on the client. Additionally, many browsers have different caching policies for SSL-enabled files, as do proxy servers. So suddenly all the work you've done on your server to put things in nice, cacheable places is invalidated by the fact that every image is getting pulled once per browser session, not once a week/month/whenever. If SSL is going to be standard everywhere, and necessarily used over entire sites that share cookies and session IDs (like Google's application suite), then we need to rethink the way this thing works. Or do a lot more session/cookie invalidation and come up with a better way to handle logins.

By: RockyChrysler

RockyChrysler — Thu, 28 Aug 2008 12:07:01 -0800

so insightful that, if it weren't for the blue, i'd think i was reading lifehacker.

By: phooky

phooky — Thu, 28 Aug 2008 12:13:33 -0800

Is Google too cheap to spring for the extra cert for the redirect? WTFGOOG? enn, to be fair, it may be due to all that Giersch Ventures bullshit.

By: mikeh

mikeh — Thu, 28 Aug 2008 12:21:25 -0800

I'm a little wary of genome4hire's suggestions since, to my knowledge, Google's never used www.gmail.com with its SSL certificate, as noted above. Everything's been routed to mail.google.com as long as I can remember. Also, that customizegoogle Firefox extension looks great, but it's a GPL-licensed single developer (as far as I can tell) extension. As in, I can't find a public source repository for it, so it's not like it's actively developed by a group. While it's easy to go in and review the source, this is pretty much the best vector for someone hijacking Google accounts that I can think of. Do you go in and review the source every time you install a new version to make sure someone didn't break the customizegoogle.com server and insert their own version that hijacks sessions in an even worse way?

By: mkb

mkb — Thu, 28 Aug 2008 12:27:10 -0800

phooky, they make that mistake across all their SSL servers. If you try https://google.com/analytics for example, you will get a cert name mismatch error.

By: cobra libre

cobra libre — Thu, 28 Aug 2008 13:24:24 -0800

Enn and mikeh are right. Be sure to type 'https://mail.google.com'. Don't use 'http' and don't use 'gmail.com'.

By: Rumple

Rumple — Thu, 28 Aug 2008 13:28:42 -0800

First off, you need to know that when you are using a public wireless network (coffee shops, your university, etc), your Internet browsing can be eavesdropped upon by anyone else nearby. A question I have been meaning to ask, maybe someone here knows: when I am on an ethernet connection (say, in my office) and the airport (mac osx 10.5) bars are still on, is my computer not only sending and receiving through the ethernet cable, but also broadcasting everything out the wireless antenna? (this may be a stupid question but I have always wondered this)

By: vertigo25

vertigo25 — Thu, 28 Aug 2008 13:29:07 -0800

Re: Gmail for your Domain No, it's been enabled for a while - at least two weeks. It can be set by the domain admin. It applies to all browser access, not just to mail but to Docs, Spreadsheets, etc. Where? I'll be damned if I can find a setting *anywhere*.

By: wildcrdj

wildcrdj — Thu, 28 Aug 2008 13:44:19 -0800

Also, this seems as good a place as any to mention my favorite GMail attack, which I believe is now fixed Yeah, this is fixed now. It's depressingly easy for sites to leave these kinds of XSS vulnerabilities in (most major sites I can think of have had multiple XSS vulnerabilities over the years). They're easy to fix, but also easy to miss.

By: wildcrdj

wildcrdj — Thu, 28 Aug 2008 13:46:51 -0800

A question I have been meaning to ask, maybe someone here knows: when I am on an ethernet connection (say, in my office) and the airport (mac osx 10.5) bars are still on, is my computer not only sending and receiving through the ethernet cable, but also broadcasting everything out the wireless antenna? Well, assuming those bars mean you are connected to the wireless network, then your computer can choose either network interface to send data out/in. This will depend on a host of factors. Basically, the answer is it's probably not broadcasting "everything" out, but it could broadcast anything out. I usually turn my wireless off on the laptop when I'm plugged in to a network (using the hardware wireless-off switch, not sure if Macbooks have those, but I assume they do - they're pretty standard on Windows laptops).

By: col_pogo

col_pogo — Thu, 28 Aug 2008 14:30:10 -0800

Enn, Mikeh, Cobra Libre: what's wrong with 'gmail.com' if that redirects automatically to https://mail.google.com (and I have https set to always-on)? I tend to just type "gmail" in my address bar and go where Firefox takes me...I end up typing my password in at https://www.google.com/etcetc. This only seems to be a problem if I take the trouble to type in https://gmail.com -- and who would do that in these days of miraculous intelligent address bars?

By: Minus215Cee

Minus215Cee — Thu, 28 Aug 2008 14:34:24 -0800

Question: what if you're using Thunderbird to retrieve your messages from your Gmail account?

By: Mister_A

Mister_A — Thu, 28 Aug 2008 14:36:12 -0800

good question, Minus–I do that too.

By: XMLicious

XMLicious — Thu, 28 Aug 2008 14:40:12 -0800

col_pogo: Because if someone was trying to intercept your connection to https://mail.google.com it's unlikely that they'd have an SSL certificate for it that would be automatically accepted by your browser - so you ought to immediately get some kind of warning about the certificate. Whereas if you go to an http:// address and you unexpectedly end up on someone else's server you would have no such warning; you would have to notice that you weren't forwarded to https://mail.google.com, or that you were forwarded to somewhere else.

By: wildcrdj

wildcrdj — Thu, 28 Aug 2008 14:40:43 -0800

col_pogo: if your browser is taking you first to http://www.gmail.com, which is then redirecting you to https://mail.google.com, the problem is that you can't trust that http://www.gmail.com is actually gmail. The "man-in-the-middle" attack is that someone takes you to www.evilhacker.com instead of gmail, and makes it look like gmail. Then they redirect you to an "https" site with a bogus certificate, that looks like mail.google.com. Since most people just shrug at those certificate issues, now they get you to enter your info. Even if you go to https://www.gmail.com, the problem is that that gives you an invalid certificate, since they only signed it for mail.google.com. So anyone could present that certificate (evilhacker.com presents the mail.google.com cert, your browser says "hey, it doesn't match1!" but since you always see that error going from https://www.gmail.com, you don't think anything of it, and you're in evilhacker land again).

By: me & my monkey

me & my monkey — Thu, 28 Aug 2008 15:06:00 -0800

Where? I'll be damned if I can find a setting *anywhere*. Manage your Domain ... GMail ... Settings or some such. I read about it on one of the official Google blogs a while back, and I know I've had it enabled for more than two weeks. Let me know if you want a screenshot. what if you're using Thunderbird to retrieve your messages from your Gmail account? If you're using IMAP4, that's going through SSL. I don't know about POP3.

By: mattbucher

mattbucher — Thu, 28 Aug 2008 15:11:56 -0800

also, Google Reader allows all-the-time HTTPS browsing. It's not under Settings. Directions please?

By: harkin banks

harkin banks — Thu, 28 Aug 2008 15:40:48 -0800

SSL is only available for the Premier Edition of Google Apps.

By: hattifattener

hattifattener — Thu, 28 Aug 2008 15:57:17 -0800

Like the way most browsers will throw up an error if a single asset — image, javascript, whatever — is loaded from a non-SSL server from your SSL session. This can be altered or turned off, but it probably isn't for most users

Which is a good thing, because it's always been necessary if you want to make a secure browser. If any component of the page is insecurely loaded the whole page can be compromised that way.

come up with a better way to handle logins

Like, say, web app designers could just use well-known widely-deployed secure authentication techniques like Digest authentication instead of rolling their own form-and-cookie systems every time.

By: Rumple

Rumple — Thu, 28 Aug 2008 18:08:33 -0800

wildcrj: thanks. On macs it is a software switch. It seems that most likely the computer could only be connected to one network at a time, of course, but whether the antenna still just aimless broadcasts outwards, I'm still not sure....

By: lunit

lunit — Thu, 28 Aug 2008 20:03:02 -0800

I vote we sidebar genome's first comment. Thanks, y'all.

By: vsync

vsync — Thu, 28 Aug 2008 20:33:27 -0800

hattifattener, Microsoft broke digest authentication pretty much deliberately, so no one has ever nor will ever use it. Sad.

By: mrzarquon

mrzarquon — Thu, 28 Aug 2008 20:56:10 -0800

> A question I have been meaning to ask, maybe someone here knows: when I am on an ethernet connection (say, in my office) and the airport (mac osx 10.5) bars are still on, is my computer not only sending and receiving through the ethernet cable, but also broadcasting everything out the wireless antenna? System Preferences -> Network. Internet goes through the active service on top. (By default, Ethernet then Airport). However, you can still talk to local devices over wireless if they share the same subnet (or to oversimplify, the same wireless access point). OS X keeps track of the local subnets it is connected to (the switch, and the wireless access point), but it still needs to know a route to send traffic to a device (which could be a server, www.google.com) that is not in the immediate network 'vicinity' of the computer. OS X can only manage using one such route at a time by default, so it picks the one provided by the router field in the top most active network interface (ethernet when it is plugged in, even if airport is active, by default). You can change that by clicking the Gear in the network panel and selecting "set service order." Security wise, your computer will still respond to queries and remote access attempts from anyone in the same network vicinity's as you (ethernet or wireless), but if someone from the internet tried to connect to your laptop over the wireless connection, your computer would actually try to respond via the ethernet (if both were active) which would break the connection and their attempt to connect would be unsuccessful. In short: if you didn't change anything, and your mac is connected to ethernet and wireless, all internet destined traffic is going through the ethernet connection, and I have not seen much 'leaking' to the wireless at the same time. Also, OS X will use DNS servers provided from the active top service, so even if someone spoofs and takes over your wireless network and sets up their own evil DNS server, your machine will ignore it while it has an ethernet connection. (Fun fact, many people were able to get fully legit 'internal testing' domains for google.com and live.com from trusted root certificate authorities, allowing them to break even the SSL trust system, also mentioned at this years defcon)

By: mrzarquon

mrzarquon — Thu, 28 Aug 2008 20:58:08 -0800

Also, for those still using https://www.gmail.com Just use: https://mail.google.com/ No SSL Cert errors, as gmail.com just redirects to that damn site anyway. Put it in your bookmarks menu, and you are done, along with checking the "always use ssl" option. Also, Do you trust *your* dns server? I know I do.

By: mrzarquon

mrzarquon — Thu, 28 Aug 2008 21:01:06 -0800

> even if someone spoofs and takes over your wireless network and sets up their own evil DNS server, your machine will ignore it while it has an ethernet connection. I am assuming here that your mac is connecting to some random *different* wireless network, not the wireless network provided by your airport extreme / linksys / etc that you are also plugging your macs ethernet port into. If that is the case, then yes your entire network is compromised.

By: Rumple

Rumple — Thu, 28 Aug 2008 22:12:33 -0800

Thanks mrzaquon, that clears it up some. Normally I am on wireless only with all attendant risks, but at work we have both ethernet and wireless and I usually go with ethernet because it is faster.

By: Tubes

Tubes — Fri, 29 Aug 2008 07:18:09 -0800

Jebus, doesn't it seem like secure browsing for consumers is something that should not still be so obscure?

By: chunking express

chunking express — Fri, 29 Aug 2008 07:59:21 -0800

If you don't need to use a particular network interface (ethernet, wireless, etc) on your mac, you probably are best to turn them off via the Network preferences.

By: aaronetc

aaronetc — Fri, 29 Aug 2008 14:26:16 -0800

Tags for this post might be more useful if they included "gmail" and "google." Just sayin'.