dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
16
share rss forum feed

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to MacGyver

Re: Beware Hotel WiFi

gmail doesn't use https?



MacGyver
Don't Waste Your Energy
Premium,ExMod 2003-05
join:2001-10-14
Canada
kudos:2
Reviews:
·voip.ms
·TekSavvy DSL

This was with the iPad's built-in email app. I don't know if it uses HTTPS login like the web login forces.

I have no concrete proof, which isn't unexpected with most security breaches, but I think it's just too much of a coincidence that this hack occurred on the same day we checked out of the hotel.



Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV
kudos:2
Reviews:
·Frontier Communi..
reply to dave

said by dave:

gmail doesn't use https?

Did a Google search and several articles came up. Here is an example.

»howto.cnet.com/8301-11310_39-200···account/

I don't use gmail so I have not experience with it.


Napsterbater
Meh
Premium,MVM
join:2002-12-28
Milledgeville, GA
reply to dave

IMAP and POP use SSL or TLS


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

said by Napsterbater:

IMAP and POP use SSL or TLS

I was assuming (incorrectly) that the access was via a web browser.

POP and SMTP *can* use secured connections but it's not mandatory in the protocol and for all I know, gmail doesn't insist. I myself use Verizon, and they offer but do not require the use of secured connections (you configure your client for a different port number).


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by dave:

POP and SMTP *can* use secured connections but it's not mandatory in the protocol...

Yup. POP/SMTP are plain-text (including passwords) protocols. Many providers now allow it over SSL/TLS (encrypted) connections but some don't.

Most hotel/hotspot Wi-Fi is unencrypted so users using POP/SMTP over that show everything to anyone looking.
--
Don't feed trolls--it only makes them grow!


Napsterbater
Meh
Premium,MVM
join:2002-12-28
Milledgeville, GA
reply to dave

I was talking about IMAP and POP connections to google/gmail, they require SSL or TLS


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

Ah, ok. So we're left with not really knowing how the exposure happened - since IMAP and POP require SSL/TLS, and HTTPS is at least possible....



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Well if a Chinese hacker had access to hotel Wi-Fi and the user was using an encrypted connection to get their email (SSL/TLS/HTTPS/VPN etc) they'd have seen nothing but gibberish. The email address would be unknown by the hacker. If standard (unencrypted) POP/SMTP was used they'd have seen the email addy and the password (as clear text). With the latter no "hacking attempts" would've been required--they'd simply log in.

In short it's probably coincidence.
--
Don't feed trolls--it only makes them grow!



Archivis
Your Daddy
Premium
join:2001-11-26
Earth
kudos:19
reply to dave

said by dave:

gmail doesn't use https?

It doesn't matter if it does. HTTPS is not secure when you're on an open wireless network. There are tools in place that allow people to hijack sessions on open wi-fi networks, allowing them to place themselves in your secure session.

There are other tools that can even hijack wi-fi sessions to route through the hacker's laptop (or whatever) before the data gets sent to the wireless router. Everyone would connect to the laptop as its hotspot and the hacker's laptop would send that information onward, capturing everything in its path, including secure sessions.
--
A government big enough to give you everything you want, is strong enough to take everything you have. -MLK


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

said by Archivis:

said by dave:

gmail doesn't use https?

It doesn't matter if it does. HTTPS is not secure when you're on an open wireless network. There are tools in place that allow people to hijack sessions on open wi-fi networks, allowing them to place themselves in your secure session.

There are other tools that can even hijack wi-fi sessions to route through the hacker's laptop (or whatever) before the data gets sent to the wireless router. Everyone would connect to the laptop as its hotspot and the hacker's laptop would send that information onward, capturing everything in its path, including secure sessions.

https: protects against this
--
* seek help if having trouble coping
--Standard disclaimers apply.--


Archivis
Your Daddy
Premium
join:2001-11-26
Earth
kudos:19

On many sites, https is used just for the authentication, but no for the actual session, so many sites can have your sessions hijacked and your accounts hacked even if you used https to sign in.

Gmail will use https for the entire session, but as I was saying earlier is that when someone intercepts the connections for wifi connections, they can intercept and automatically re-issue certifications in the middle of your session. Your browser may flag something, but most people click by it and not think anything of it. Some browsers may not be set high enough to notice it, setting only an innocuous alert at the bottom of the screen, or not at all.

There are all sorts of other various methods as well. If you went to an http site that had you log in and redirected you to an https site, you could be redirected to login somewhere that issues its own cert and then captures your credentials.

»www.ietf.org/mail-archive/web/tl···948.html

This is an outdated example one of many various security flaws that have been discovered in SSL/TLS over the years and if any of the devices are running unpatched firmware, it's easier for an attacker to pop in the middle and hijack your session.
--
A government big enough to give you everything you want, is strong enough to take everything you have. -MLK



Archivis
Your Daddy
Premium
join:2001-11-26
Earth
kudos:19

There's a program called SSLstrip that does exactly what I was talking about. Works for gmail as well as other sites.
--
A government big enough to give you everything you want, is strong enough to take everything you have. -MLK