

Gmail Vulnerability Reveals Private Info, Emails, Contacts - ComputerGuru
http://neosmart.net/blog/2008/breaking-severe-gmail-security-vulnerability/

======
paul
It sounds like a bad proxy cache is serving someone else's content to him. I'm
just guessing, but I've seen it happen before (with both Gmail and
FriendFeed).

~~~
ajross
Gmail serves its content via HTTPS, which isn't (statefully) proxyable or
cachable by design. The explanation from Google makes no sense. If they're
serving readable/unencrypted content to _anything_ but the end user's web
browser then they have a serious security flaw.

~~~
bretthoerner
Unless you force it over to HTTPS or use an extension, it still uses plain ol'
HTTP after authentication.

~~~
mwerty
I never understood why that was. I use <https://mail.google.com> to login and
it sticks with https.

~~~
rufo
That's what he means by "forcing it" - if you specifically type
<https://mail.google.com/> Gmail will encrypt the entire session; if you just
go to <http://mail.google.com/> or (more commonly) www.gmail.com it uses SSL
for authentication, then switches you back to unencrypted HTTP for the rest of
your session.

------
gojomo
This headline jumps to premature conclusions; he saw something weird but
there's no confirmation yet that it's a Gmail-specific vulnerability.

In particular, it could be a problem with a misbehaving cache closer to him.
(Note especially: in his second screenshot, he's in "Basic HTML" mode. In both
screenshots, he's using plain 'http' not 'https' connections.)

It's possible it's Google's fault, but to broadcast that impression without
further investigation is unfair to readers -- it's stealing attention with
trumped-up claims.

