By default, Google Mail sets a session cookie that doesn’t have the secure flag, meaning that if you log in to GMail, leave, and later return to the unencrypted “http://” URL (instead of “https://”), your browser will transmit your session information in plain-text to the server. This problem gained some attention last year and we mentioned a couple of strategies to get around the problem, either by using a Firefox plugin, or by only using GMail and logging out before browsing other sites.

A tool was recently released called Surf Jack, which is demonstrated in the video above. Surf Jack makes it incredibly easy to steal the credentials from another user’s GMail session. An attacker could take this into a typical coffee shop, wait for someone to check their mail, and then harvest their session. This gives the attacker complete access to anything confidential that the victim may have in their inbox.

Thankfully, since the problem was identified last year, Google added an additional setting in the GMail settings panel that fixes the problem. It looks like this:

gmailhttps_20080812.jpg

If you go into the Settings panel, choose “Always use https”, and save your changes, GMail will change its default behavior and use the secure flag on its session cookie. From that point forward, you’ll no longer be vulnerable to GMail session snatching, regardless of what machine or browser you use to check your mail.

I’m not sure why this isn’t the default value, but it isn’t, so go change it.

Surf Jack – HTTPS will not save you