

Gmail is safe, as long as you avoid falling for phishing scams - paul
http://googleonlinesecurity.blogspot.com/2008/11/gmail-security-and-recent-phishing.html

======
paul
The followup to <http://news.ycombinator.com/item?id=372699>, which
incorrectly claimed that Gmail was open to cross-site attacks.

------
sh1mmer
While Google have an interest in talking about the message that Gmail is
secure, from a security perspective it's kind of naive to say "Gmail is
secure".

All web mail (or any other system) is just a step away from the next exploit.
The difference in my mind between web mail and regular mail is there is another
dangerous attack vector (XSS) which is only fixable by a single vendor.

The standard mail servers companies use are often vetted and patched from many
sources and can be hidden behind some pretty well tested encryption protocols.

Trusting mission critical things like domain name registrations to web mail
seems like an unacceptably big risk to me. While XSS wasn't the issue this
time, it clearly has been in the past.

~~~
andreyf
_Trusting mission critical things like domain name registrations to web mail
seems like an unacceptably big risk to me._

What?

------
Haskell
"We did have a Gmail CSRF bug reported to us in September 2007 that we fixed
worldwide within 24 hours of private disclosure of the bug details."

What about bugs that aren't disclosed?

~~~
andreyf
What about them? :)

------
paul9290
What about a user on StumbleUpon ... stumbling onto a nefarious website?

The community would curtail such a site after a while, but those prior may have
been hacked.

