Almost all Web-based e-mail and other collaborative services just aren’t safe to use over public Wi-Fi any more, due to a breach described today by a security firm CEO at the Black Hat security conference.
Web 2.0 services, even though the login’s made through SSL (Secure Sockets Layer), are crackable through a simple workaround, announced by Rob Graham, the aforementioned security guru, at the Las Vegas Black Hat conference today. Unlimited access to your accounts only requires an ordinary network sniffer program to read the cookies sent to users by Google Mail, Yahoo, and scores of other sites. That cookie confirms the browser asking for data belongs the person just logging in, but using a copied cookie by a completely different browser makes unrestricted access to your accounts easy.
“If I sniff your Gmail connection and get all your cookies and attach them to my Gmail, I now become you, I clone you,” Graham said during a presentation reported by The Register. “Web 2.0 is now fundamentally broken.”
Any session not totally SSL-secured from beginning to end is crackable. The indefinite duration of many session IDs allows silent access to your accounts years from now, even after passwords change. Therefore, instant messenger services offered by Web 2.0 firms (again, Yahoo comes to mind) which use the same password as e-mail service are also crackable.
The one exception was Google, and only if the customizegoogle firefox extension is set to lock Gmail, Google Calendar, and Google Docs into requiring SSL encryption for their entire sessions.
How will this change your public Wi-Fi habits? Are you alerting your road warriors the only path to safety without a VPN is the Google-Firefox-extension trinity?
Stay on top of the latest tech news
Get this news story and many more by subscribing to our free IT News Digest newsletter, delivered each weekday. Automatically sign up today!