

Gmail Account Hacking Tool - aneesh
http://www.hungry-hackers.com/2008/08/gmail-account-hacking-tool.html

======
sd
FYI, the process has been simplified with a security tool called Surf Jack.

See http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/ for more information. The Internet -- it's a fragile thing.

------
Hexstream
Most sites have this well-known (?) security issue... Hardly new and
surprising.

~~~
immad
Yeah, and targeting Gmail in isolation seems pointless.

------
chrisbroadfoot
Um, HTTPS _will_ save you.

(oops, I was referring to the link in the "surf jacking" comment below/above
by sd)

~~~
sd
I think the concern is that HTTPS is necessary, but not sufficient for
security. If you use HTTPS on your site, but send cookies without the secure
flag, then it is possible for someone to trick the user into acquiring (or
otherwise obtain) standard HTTP content. Setting the secure flag requires that
all content sent relative to the cookie be from HTTPS. Hopefully, that makes
some sense.
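To make the "necessary but not sufficient" point concrete, here is an added example that is not part of the thread and not code from the Surf Jack tool. It uses Python's standard-library cookie jar as a stand-in for a browser's cookie store: a cookie set over HTTPS without the Secure flag is attached to a plain http:// request to the same host (the surf-jack lure), while the same cookie re-issued with Secure is not. The hostname mail.example.com, the cookie name and value, and the harden_set_cookie helper are all constructed for this example.

```python
"""Why a cookie issued over HTTPS still leaks over plain HTTP unless it carries
the Secure flag. http.cookiejar applies the same rule a browser does: a Secure
cookie is only attached to https:// requests. Hostnames and values are
constructed for this example."""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._headers


def receive_cookies(jar, url, set_cookie_headers):
    """Store cookies the way a browser would after a response from url."""
    request = urllib.request.Request(url)
    jar.extract_cookies(_FakeResponse(set_cookie_headers), request)


def cookies_sent(jar, url):
    """Return {name: value} of the cookies the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies the Secure / domain / path rules
    header = request.get_header("Cookie")
    if not header:
        return {}
    return dict(part.split("=", 1) for part in header.split("; "))


def harden_set_cookie(header):
    """Add Secure (and HttpOnly) to a Set-Cookie value if they are missing.

    Hypothetical server-side fix: with Secure set, the browser never sends the
    cookie over plain HTTP, so the lure below gets nothing."""
    attrs = [a.strip() for a in header.split(";")]
    lowered = {a.lower() for a in attrs[1:]}
    if "secure" not in lowered:
        attrs.append("Secure")
    if "httponly" not in lowered:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def surf_jack_demo():
    """Compare what leaks from a weak and a hardened session cookie."""
    origin = "https://mail.example.com/"      # constructed HTTPS site
    lure = "http://mail.example.com/"         # attacker redirects victim here

    weak = http.cookiejar.CookieJar()
    receive_cookies(weak, origin, ["sid=abc123; Path=/"])

    hardened = http.cookiejar.CookieJar()
    receive_cookies(hardened, origin, [harden_set_cookie("sid=abc123; Path=/")])

    return {
        "weak_https": cookies_sent(weak, origin),          # {'sid': 'abc123'}
        "weak_http": cookies_sent(weak, lure),             # {'sid': 'abc123'}: leaked in clear
        "hardened_https": cookies_sent(hardened, origin),  # {'sid': 'abc123'}
        "hardened_http": cookies_sent(hardened, lure),     # {}: nothing to sniff
    }


if __name__ == "__main__":
    for label, sent in surf_jack_demo().items():
        print(f"{label:15s} -> {sent}")
```

The lure does not need a valid HTTP response, or even a listening server: the cookie is in the request, so an attacker who can see the victim's traffic (or who answers on the victim's network) captures it the moment the browser follows the http:// link. The Secure flag stops that one leak; it does nothing about XSS, which is why the helper also sets HttpOnly.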

