Google, WTF?
December 23, 2007 10:30 pm | General
After some investigation I found the most probable cause of the break-in into my gmail account, which caused the spam message to be broadcast to my entire gmail address book.
GMail performs login using https. Then (bah!) it redirects to http! All further interactions are done in insecure mode – unless the original address you typed in your browser started with https (or you changed it manually and explicitly in the address bar). Awesome, isn’t it? For details, see for example here.
So, I guess when I read my gmail using some occasional free hotspot in the city (thanks to my n800), there was some “man in the middle” attack. It is not a big deal for a minimally educated script kiddie – once the http stream is not encrypted and all the cookies are there…
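The pattern described above (https login, then a redirect to http, with the session cookies riding along in the clear) is something you can check for in a login response. The script below is an added example, not code from the original post or from Google: it audits a response's redirect target and Set-Cookie headers for the downgrade, and also looks for a Strict-Transport-Security header, a mitigation that did not exist when this post was written but is the standard fix today. The two responses it inspects are constructed samples on a made-up host (mail.example.com), one showing the 2007-style behaviour and one showing a hardened equivalent; the list of "session-looking" cookie name fragments is a heuristic of mine.

```python
"""Audit a post-login HTTP response for the plaintext-downgrade pattern:
a redirect from https to http, and session cookies that are not marked
Secure (so the browser will send them over plain http, where anyone on
the same hotspot can read them). All responses here are constructed."""
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Assumption: cookie names containing these fragments are treated as
# session identifiers. Purely a heuristic for the report text.
SESSION_HINTS = ("sid", "sess", "auth", "token", "login")


def parse_set_cookie(value):
    """Parse one Set-Cookie header into (name, {lowercase attr: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_login_response(status, headers):
    """Return a list of findings for the response to a login over https.

    headers: list of (name, value) pairs exactly as the server sent them.
    An empty list means none of the checked weaknesses were found.
    """
    findings = []
    lowered = [(n.lower(), v) for n, v in headers]

    # 1. Redirect target: did the https login bounce the user to plain http?
    if status in REDIRECT_STATUSES:
        for name, value in lowered:
            if name == "location" and urlsplit(value).scheme == "http":
                findings.append("redirect downgrades session to http: " + value)

    # 2. Cookies: anything without the Secure attribute is sent over http too.
    for name, value in lowered:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        session_note = " (session cookie)" if any(
            h in cookie.lower() for h in SESSION_HINTS) else ""
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure%s" % (cookie, session_note))
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % cookie)

    # 3. HSTS tells the browser to never use plain http for this host, which
    #    removes the "remember to type https yourself" burden on the user.
    if not any(n == "strict-transport-security" for n, _ in lowered):
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample: the behaviour the post describes (https login, http after).
INSECURE_RESPONSE = (302, [
    ("Location", "http://mail.example.com/mail/"),
    ("Set-Cookie", "SID=abc123; Domain=.example.com; Path=/"),
    ("Set-Cookie", "GX=xyz; Path=/mail"),
])

# Constructed sample: the same login with the downgrade removed.
HARDENED_RESPONSE = (302, [
    ("Location", "https://mail.example.com/mail/"),
    ("Set-Cookie", "SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "GX=xyz; Path=/mail; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
])

if __name__ == "__main__":
    for label, (status, headers) in (("insecure", INSECURE_RESPONSE),
                                     ("hardened", HARDENED_RESPONSE)):
        print(label + ":")
        for finding in audit_login_response(status, headers) or ["ok"]:
            print("  " + finding)
```

Run against the first sample it reports the http redirect, both cookies missing Secure and HttpOnly, and the missing HSTS header; against the second it reports nothing. The Secure attribute is the one that matters most for this post's scenario: a cookie without it will be attached to any http request the browser makes to the domain, whether or not the user originally logged in over https.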
I definitely blame myself for being so lame and not knowing that bad fact about GMail (and not being paranoid enough to check the security of the connection when I had to). But I am deeply disappointed that GMail is so insecure by default – and that this information is not printed in big red letters at the top of the page.
I guess there might be some people around who are still not aware of that shameful detail about GMail – so I am warning them.