Friday, February 8, 2008

Gmail still not 100% safe even over SSL... beware of SideJacking

What is SideJacking? It is Errata Security's term for hijacking your web session from the network: an attacker sharing your network (an open Wi-Fi hotspot, for instance) sniffs the session cookie your browser sends in the clear and replays it to the site, becoming you without ever needing your password.

SideJacking was listed as one of The Five Coolest Hacks of 2007.

What's new here is that your Gmail session can be stolen even when you log in and read your mail over SSL.

From the Errata Security Blog:
"SSL is not always complete. A good example is Gmail. In theory, using the HTTPS version of Gmail should protect you by going to https://mail.google.com/mail, but this doesn't work as you think. The JavaScript code uses an XMLHttpRequest object to make HTTP requests in the background. These are also SSL encrypted by default - but they become unencrypted if SSL fails."

And how would SSL fail? An attacker on the same network just needs to inject a few TCP RST (reset) packets into the connection on port 443 to tear the SSL session down. The JavaScript then retries its background request over plain HTTP, and the browser attaches the Gmail session cookie to that request in the clear, where the attacker can read it and replay it. (If there's not already a tool to make this process easy, don't worry, there will be.)
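To make that fallback concrete, here is an added example, not code from the original post, from Errata Security, or from Google. It models the browser side in JavaScript: a minimal cookie jar that follows the domain, path and Secure rules a browser applies when deciding which cookies to attach to a request, plus a simulation of the background request the quote describes (try https; if the SSL connection is reset, retry over http). The host name mail.example.com, the cookie SID=... and the sslWorks switch are constructed stand-ins; nothing here is taken from Gmail's real cookie names or code.

```javascript
// Added example (not from the original post): a minimal model of how a
// browser decides which cookies to attach to a request, used to show why a
// session cookie issued without the Secure attribute is exposed as soon as
// any request to the same host falls back from https to http.
// Host name, cookie name/value and the "network" switch are constructed.

// Parse one Set-Cookie header value into a cookie object. Attributes this
// model does not need (Expires, Max-Age, SameSite) are ignored.
function parseSetCookie(header, requestHost) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...valueParts] = parts[0].split("=");
  const cookie = {
    name: name.trim(),
    value: valueParts.join("=").trim(),
    domain: requestHost.toLowerCase(), // host-only cookie unless Domain= given
    path: "/",
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split("=");
    switch (k.trim().toLowerCase()) {
      case "domain":
        cookie.domain = (v || "").trim().replace(/^\./, "").toLowerCase();
        break;
      case "path":
        cookie.path = (v || "/").trim();
        break;
      case "secure":
        cookie.secure = true;
        break;
      case "httponly":
        cookie.httpOnly = true;
        break;
      default:
        break;
    }
  }
  return cookie;
}

// RFC 6265 domain match: exact host or a subdomain of the cookie domain.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 path match: identical, or request path lies under the cookie path.
function pathMatches(reqPath, cookiePath) {
  const prefix = cookiePath.endsWith("/") ? cookiePath : cookiePath + "/";
  return reqPath === cookiePath || reqPath.startsWith(prefix);
}

// The Cookie header a browser would send for `url`. A cookie marked Secure
// is only attached when the request scheme is https.
function cookieHeaderFor(jar, url) {
  const u = new URL(url);
  return jar
    .filter((c) => domainMatches(u.hostname, c.domain))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === "https:")
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// The background request the post quotes: use the https URL; if the SSL
// connection "fails" (sslWorks === false stands in for an attacker resetting
// port 443), retry the same path over plain http. `leaked` is whatever an
// eavesdropper on the wire can read: the cookies of any http request.
function backgroundRequest(jar, httpsUrl, sslWorks) {
  if (sslWorks) {
    return { url: httpsUrl, cookies: cookieHeaderFor(jar, httpsUrl), leaked: "" };
  }
  const httpUrl = httpsUrl.replace(/^https:/, "http:");
  const cookies = cookieHeaderFor(jar, httpUrl);
  return { url: httpUrl, cookies, leaked: cookies };
}

// Two constructed session cookies for a hypothetical webmail host: one
// issued without the Secure attribute, one hardened with Secure and HttpOnly.
const HOST = "mail.example.com";
const WEAK_JAR = [parseSetCookie("SID=abc123sessiontoken; Path=/", HOST)];
const HARDENED_JAR = [
  parseSetCookie("SID=abc123sessiontoken; Path=/; Secure; HttpOnly", HOST),
];

// Run the same background request with SSL working and with SSL reset.
function sidejackDemo(jar) {
  const target = `https://${HOST}/mail`;
  return {
    normal: backgroundRequest(jar, target, true),
    underAttack: backgroundRequest(jar, target, false),
  };
}

console.log("cookie without Secure:", JSON.stringify(sidejackDemo(WEAK_JAR)));
console.log("cookie with Secure:   ", JSON.stringify(sidejackDemo(HARDENED_JAR)));
```

Run it with node. With the cookie issued without the Secure attribute, the retry over http carries SID=abc123sessiontoken in the clear; with Secure set, the same retry goes out with no Cookie header at all, because the browser will only ever send a Secure cookie over https. Whether a site is exposed to the fallback the quote describes therefore comes down to whether its session cookie carries the Secure attribute; forcing a retry over port 80 only helps the attacker when it does not.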

So, what's the solution?
Until Google fixes these weaknesses, VPN tunnels are your friend. The closest you can get to browsing securely from an untrusted network is to bring up a VPN tunnel to a machine you trust (your home machine, say) and do all your browsing through that machine. Everything between your laptop and the VPN endpoint is encrypted, so someone on the coffee-shop network sees only the tunnel and never the Gmail session cookie, even if Gmail drops back to plain HTTP. Bear in mind that the hop from the VPN endpoint to Google is still only as secure as the Gmail session itself; the tunnel protects you from the local network, not from the fallback. This was also covered on GRC's SecurityNow podcast some time ago.

You can also run LogMeIn or GoToMyPC on your home computer. These encrypt the remote-desktop connection from your laptop to the host computer. Connect to your home computer that way and then do your browsing from it.

You could also connect to an SSL VPN appliance at your company and, if it is configured to allow it, browse from there.

Hopefully Google will fix these weaknesses. I should mention that Gmail is still the best of the major free web-based email services on this score: MSN and Yahoo force SSL only for the password entry and then drop back to plain HTTP for the rest of the session, so their session cookies are always exposed on an untrusted network. Gmail at least lets you conduct the whole session over SSL after you are logged in.

Lastly, another protection is to log out of Gmail when you are done. If you take your laptop to a coffee shop and wake it from suspend with the browser still open on Gmail, it will reconnect automatically and potentially expose your session id; logging out beforehand prevents that. And if you do use Gmail there, log out when you leave: logging out invalidates the session on Google's side, so if someone has stolen your session id but has not yet used it to compromise your account, it no longer works.

I plan to do some testing on Firefox soon to see if it pops up its warning "Although this page is encrypted, the information you have entered is to be sent over an unencrypted communication and could be easily read by a third party" when SSL is blocked during a Gmail login.

For more information on browser security, check out this page from Michael Horowitz' site.
