

Even SSL Gmail can get sidejacked - edw519
http://blogs.zdnet.com/security/?p=842

======
tlrobinson
_"Sidejacking is a term Graham uses to describe his session hijacking hack
that can compromise nearly all Web 2.0 applications that rely on saved cookie
information to seamlessly log people back in to an account without the need to
reenter the password."_

and

_"Web 2.0 is fundamentally insecure because data isn't encrypted"_

Uh no, many "web 1.0" (and 1.2, 1.5, 1.6, 2.6, 3.0, AND 3.3... but not 1.8 or
2.5) sites are also vulnerable... it has nothing to do with a particular
version of the interwebs.

Anyway, from Robert Graham's article it sounds like XMLHttpRequests that are
normally protected by SSL will fall back to non-SSL in the case of failure.
Normally that should never happen, since http and https are considered
different "origins" in terms of the same-origin policy. I couldn't tell if
this is a browser issue, or if Gmail is doing something crazy. Either way,
it's a big problem and should be fixed.

~~~
imsteve
Could you put your ssl stuff on a different subdomain to prevent the browser
from doing this?

~~~
tlrobinson
Subdomains are also considered different origins. There are other ways around
it, like using <script> tags.

As far as whether or not that would prevent falling back to non-SSL, I doubt
it.

~~~
imsteve
But if it can't make the connection to a non-SSL server on that domain then it
can't send a cookie, I'd think. Unless it falls over to the non-subdomain.

------
tarkin2
"This is actually a very common scenario anytime a laptop connects to a
hotspot before the user signs in where the laptop will attempt to connect to
Gmail if the application is opened but it won't be able to connect to
anything."

I'm sure this sentence just flowed in the author's head, but what? It's a pity
because this is the most crucial sentence in the article.

~~~
dkokelley
I think what it means is that if you have an application that logs into Gmail
(either as a home page when you open your browser, Google Talk or another
compatible client, or an email client such as Outlook) automatically (after
you've connected to the network but before you're connected to the internet),
the application will try again, disabling SSL to see if that works. After
you've finally connected to the internet, your application will log in to
Gmail and open a session in Gmail without SSL. Then someone who is monitoring
the unencrypted data will be able to sidejack your session.

I'm pretty sure this is how it works, but correct me if I'm wrong.

~~~
tarkin2
That sounds about right, thanks; however it depends on the extant client-side
javascript reverting to http while you're not connected to the internet, as
pmjordan said.

