The Security of GMail
The privacy of GMail has annoyed me for some time now, but I found another reason to dislike it. Apparently someone designed a point and click tool to hack GMail accounts. It was demoed recently at Black Hat in Las Vegas.
Now, some of the things that are demoed at these conferences are pretty exotic, but this one appears to be based on basic computer security techniques, such as packet sniffing and replay attacks. Once the attack has succeeded, the attacker can read old emails or send new ones. (Of course, if you were using GPG, they wouldn’t be able to read your emails or send new ones that could be authenticated as sent from you.)
Of course, because the tool is based on packet sniffing and replay attacks, the attack can be thwarted by always connecting to GMail with an SSL connection. There’s a cool Firefox plugin called Greasemonkey that has a user script you can install which will force GMail always to connect with SSL.
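The sniff-and-replay exposure and the force-SSL fix described above, as an added example that is not from the original post, the demoed tool, or the user script it mentions. It assumes the replayed credential is a session cookie; the host names, cookie names and function names are constructed for illustration.

```javascript
// Constructed Set-Cookie headers: one session cookie without Secure, one with it.
const SAMPLE_HEADERS = [
  'SESSION=abc123; Path=/; HttpOnly',
  'PREFS=lang=en; Path=/; Secure',
];

// Parse one Set-Cookie header value into its name and the flags we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const flags = attrs.map((a) => a.split('=')[0].toLowerCase());
  return { name, secure: flags.includes('secure') };
}

// A browser attaches every cookie to a plain-http request except those marked
// Secure. Whatever is attached crosses the network in cleartext, so anyone who
// can sniff the traffic can capture it and replay it as the victim.
function cookiesExposedBy(requestUrl, setCookieHeaders) {
  if (new URL(requestUrl).protocol !== 'http:') return [];
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.secure)
    .map((c) => c.name);
}

// What a "force SSL" user script does in effect: rewrite http to https,
// but only for the hosts it was written to cover.
function forceHttps(requestUrl, coveredHosts) {
  const u = new URL(requestUrl);
  if (u.protocol === 'http:' && coveredHosts.includes(u.hostname)) {
    u.protocol = 'https:';
  }
  return u.toString();
}

const covered = ['mail.example.test'];
for (const url of [
  'http://mail.example.test/inbox',  // rewritten by the script
  'http://www.example.test/inbox',   // same site, host the script missed
]) {
  const sent = forceHttps(url, covered);
  console.log(sent, '-> exposed:', cookiesExposedBy(sent, SAMPLE_HEADERS));
}
```

The second request shows the limit of a client-side rewrite: any http request the script does not cover still carries the session cookie in cleartext, which only the Secure flag set by the server prevents.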
Regardless of the details, how is it possible that we still have this sort of problem? Seriously. People have known about these techniques for a long time now. Sometimes it feels like we’re not advancing technology at all.
Another good example of this de-evolution of security techniques was also presented at Black Hat. It was a talk about “Premature AJAX-ulation,” which makes the excellent point that AJAX tends to push a lot of business logic to untrusted clients. (I thought Ars Technica covered it well.)
Posted: August 4th, 2007 under Computer Security, Technology.