HOWTO: secure Gmail to prevent session hijacking

By default, after logging into Gmail over a secure https connection, you are redirected to an unencrypted http URL that carries session data telling Gmail and other Google services that you’ve authenticated successfully.

The problem is that anyone sniffing your wireless (or wired) connection can capture that session information and use it to impersonate you. This could mean reading your email, pulling previously entered addresses from Google Maps, or opening up your Google Docs or Analytics information. This session “sidejacking” was recently demonstrated at the 2007 Black Hat conference, where the presenter, Robert Graham, took control of an audience member’s account during a live presentation.

Safely Connecting to Gmail
If you’re using public, unencrypted, or WEP-encrypted WiFi, there’s a way to force Gmail to use an encrypted connection. If you manually navigate to, your connection will remain encrypted after logging in. This does not work for, so make sure to use the right address.

Log Out Before Leaving Gmail
This part sucks. Your authentication cookies will still be set for the domain. If you navigate to any other Google properties after logging into secure Gmail, your session information will be spilled for any WiFi sniffer to see. This probably includes going to any site that runs AdSense… which is almost every site available via the internet tubes.

So, to safely use Gmail:

  1. close all other browser tabs and windows before going to secure Gmail
  2. don’t click any URLs in emails or navigate to any other sites while Gmail is open
  3. sign off before continuing to browse the web (might not hurt to also flush any cookies)
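The cookie rule behind these steps, as an added example that is not from the original post: Python's standard http.cookiejar applies the same domain, path and Secure checks a browser does, so a constructed login response that sets one cookie without the Secure attribute and one with it shows which cookie is attached to a plain-http request for another host on the same domain, and why signing off or flushing cookies stops the leak. The domain, cookie names and values are constructed placeholders, not real Google cookies.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed stand-in for the https login page (not a real Google URL).
LOGIN_URL = "https://mail.example.com/mail/"

# Constructed Set-Cookie headers as a login response might send them:
# SID lacks the Secure attribute, SSID carries it.
SET_COOKIES = [
    "SID=plain-session-token; Domain=.example.com; Path=/",
    "SSID=secure-session-token; Domain=.example.com; Path=/; Secure",
]

class _FakeResponse:
    """Minimal response object: CookieJar only needs .info().get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message keeps repeated headers

    def info(self):
        return self._headers

def login_jar():
    """Return a CookieJar holding the cookies the constructed login response sets."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(SET_COOKIES), Request(LOGIN_URL))
    return jar

def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url ('' if none)."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies domain, path and Secure rules like a browser
    return req.get_header("Cookie", "")

if __name__ == "__main__":
    jar = login_jar()
    for url in ("https://mail.example.com/mail/",  # encrypted session: both cookies sent
                "http://www.example.com/",         # other property over http: only SID leaks
                "http://mail.example.com/"):       # the unencrypted address: only SID too
        print(f"{url:32} Cookie: {cookie_header_for(jar, url) or '(none)'}")
    jar.clear()  # signing off / flushing cookies leaves nothing to leak
    print(f"{'after clearing':32} Cookie: {cookie_header_for(jar, 'http://www.example.com/') or '(none)'}")
```

The cookie without Secure is the one that travels in the clear to every host under the domain; marking it Secure on the server side is the fix the workaround above substitutes for.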

8 thoughts on “HOWTO: secure Gmail to prevent session hijacking”

  1. pwestbro says:

    You can also use the Better Gmail Firefox Add-on to enable this as well

  2. jason_striegel says:

    Thanks pwestbro. I haven’t had a chance to check this yet, but I think the same rules still apply with the Firefox add-on. I.e. you still need to have everything else closed while using Gmail, and you need to sign off/clear cookies before navigating away. Otherwise, those session cookies will still be transmitted when you visit any property.

  3. tms10000 says:

    Will it force the XmlHttp traffic over SSL too? Gmail will check and fetch your email asynchronously, and I don’t think it matters if the page that executes the code was served over SSL; the data it fetches is still unencrypted. You may thwart the sidejacking, but you can’t prevent someone from snooping on your email. Much like unencrypted POP3.

  4. Adi Roiban says:

    I have watched xmlHTTP requests and they are also handled over HTTPS
