HOWTO: secure Gmail to prevent session hijacking

By default, after logging into Gmail with a secure https connection, you are forwarded to an unencrypted url with some session data that tells Gmail and other Google services that you’ve authenticated successfully.

The problem is that anyone sniffing your wireless (or wired) connection can listen to that session information and use it to impersonate you. This could mean reading your email, pulling previously entered addresses from Google maps, or opening up your Google Docs or Analytics information. This session “sidejacking” was recently demonstrated at the 2007 Black Hat conference, where the presenter, Robert Graham, took control of an audience member’s account during a live presentation.

Safely Connecting to Gmail
If you’re using public, unencrypted, or WEP-encrypted WiFi, there’s a way to force Gmail to use an encrypted connection. If you manually navigate to https://gmail.google.com/, your connection will remain encrypted after logging in. This does not work for https://www.google.com/gmail, so make sure to use the right address.

Log Out Before Leaving Gmail
This part sucks. Your authentication cookies will still be set for the google.com domain. If you navigate to any other Google properties after logging into secure Gmail, your session information will be spilled for any WiFi sniffer to see. This probably includes going to any site that runs adsense… which is almost every site available via the internet tubes.

So, to safely use Gmail:

1. close all other browser tabs and windows before going to secure Gmail
2. don’t click any URLs in emails or navigate to any other sites while Gmail is open
3. sign off before continuing to browse the web (might not hurt to also flush any cookies)