This story was updated on 28th September to report that the vulnerability has been patched. Yesterday, we reported on an unholy trinity of Google vulnerabilities that put emails, private photos and website security at risk. Today came word of a new weakness that makes it easy for bad guys to silently put a backdoor in Gmail …
Email with attachements?
If it forwards all email with attachments won't that just be all spam now?
Since attachments are the new signal for spam this doesnt seem like a great filter.
Aside from fixing the vuln, just asking users to re-authenticate if adding a filter should block this - the user will then be alerted to something dodgy.
Rather like with online banking when adding a new payee, and getting asked for some password characters.
PS. TYPO (homophone) - "slight of hand"-> "sleight of hand"
security? what security??
the 'Login page' to Gmail may be 'TLS v1.0 256 bit AES (1024 bit RSA/SHA)' security,
BUT! when you have logged in, the security rating of that page drops to ZERO!!! (and hotmail, yahoo, etc do the same thing!!)
can someone tell me why this is 'still secure' ????
- I have an account with dabs in the same 'format' as webmail, for tracking orders and payments, but the webpage is secure all the way through, so dont say its not possible...
If you log in via https://mail.google.com it will be secure after login as well.
RE: security? what security??
I'm just guessing at the reasoning behind this, but I'd image webmail is "unsecure" after login for performance reasons, since https can be dog slow.
Presumably some sort of risk vs performance assessment was done, the result of which being the status quo.
Or (more likely) they just said "fuck it, no bugger's paying for this, so they'll get whatever the hell we give them".
It's a free service and thus our own stupid fault if we keep valuable information on there.
DABS, being somewhere you spend money, is perhaps a little more concerned with your privacy, the security of your credit card and (most important of all to them) keeping your custom.
It's still the best email
No doubt google will fix this bug (if it really exists) and improve their service. All the other email companies have security problems too.
CustomizeGoogle has lots of handy features for gmail/firefox users, including a preference to always use the secure servers. http://www.customizegoogle.com/ , or you can just get it from the Firefox extensions page. Just thought it might help.
So what are your attachments, Inspector Gadget?
This is going to depend a lot on who it hits. I can see businesses risking a lot of stuff--why do they send half a dozen lines of text, and a huge don't-read-this warning, as a ,doc file?
Me, they'll get a lot of pictures, mostly CGI.
And a lot of spam.
But what's to say that another filter won't pick up different data, such as a spreadsheet extension?
thanks for the tips, guys!! :)
I'm sure we can sleep better now... I have found my prob for a number of years now, and no-one has bothered... its only when something bad happens, that people are shocked out of their 'false sense of security'!!
I only keep yahoo for my 'spam-email' - it is the one I tell most USA URLs, and anything dubious( and I am NOT one of those nuts who wants 'fancy folders etc' on the beta..) there is a fair amout of 'internal spam' but the fiters are OK, if a bit complex to use..
google wins out for my serious mail, due to quick and easy filtering, clean layout, amd intelligent spam detection! and viewing word documents on any PC is a definate bonus!!
and if it is 'compromised' like my ISP mail and many others were, I can just make a new one, and forward filtered mail onwards... :)
RE: RE: security? what security??
When I was at university, our webmail was https all the way through and the performance was fine.
RE: RE: security? what security??
Hardly a fair comparison, how many users did your Uni mail have vs Gmail.
@Wyrmhole and @fon
All well and good about using Gmail thru https://... but unfortunately IE has the annoying tendency to default to http:// when you type only 'www.gmail.com' into the addressbar, it wont remember that you only ever previously used https:// on that URL.
Use a favorite instead, but its a common gotcha because I only ever type the url instead of using favorites. Try it - begin typing the www URL, let it auto-complete in IE, then find it goes to http://...
Of course Google cant be held responsible for this. Its MS. I'm not sure about the behaviour in firefux. I don't think much of that browser either.
I know in IIS that you can force certain pages to use only https, so I don't think this is an IE problem.
Rather, the sysadmins have decided not to force https, only reason I think of is because of performace reasons.
- the simple answer is DONT USE IE!!
Firefox and opera are much better, they will all tell you exacly what security level you are on... you might have to make sure it is switched on, and do a bit of *work* to make sure your browsing is easy enough, but I am sure you will find it a much better experience than 'getting a bad surprise' from one of the many 'gaping holes' in IE!!
Plus you dont have to wait for the usual megabyte patch to block the recently found hole... I think you will find the *whole* dowload of either browser will actually be smaller!!
there is also a big forum community for both, to help...
I see no problem myself with https, I have an aging win98 system with only 1.5G CPU, and it works even better than some new ones with XP!!
excellent I was looking for this feature!
it's a pain to keep all your gApps users synchronized - there are a lot of things like contact management that can't be done centrally, this could allow me to create common user experiences across the domain by crafting a special login page that acts more or less like a login script, pushing changes to their account every time they log on.
thank you gmail!!!
look out for win server 2008 Longhorn - it hopes to do away with the problems of IIS, with active directory, and most networking and group policies will *far* easier!! :)
and Vista is another 'crock' -- MS seem to be making the whole OS secure, to stop hackers getting to IE!!!
HTTPS has nothing to do with this CSRF vulnerability!
Guys, I keep reading about http vs https here.
That's completely off-topic.
While it's all good and mandatory using https for anything sensitive, like accessing your webmail, this GMail exploit uses CSRF, which works just fine over https.
An in-depth explanation of how it works, what should be done on the server side to fix it and what users can do to protect themselves is given in this article: http://hackademix.net/2007/09/26/gmail_csrf/
it's a feature!
Almost 5000 pieces of spam in my gmail inbox I just gave up on trying to keep up with it let them have it.
This is why...
I don't use Google products. I don't trust that company's sense of security, or for that matter, trust them not to dick with my stuff on their own.
People always get on my nuts about "WHY DO YOU INSIST ON USING YOUR OWN <photo sharing/webmail/Office suite> WHEN GOOGLE GIVES YOU A PERFECTLY GOOD ONE FOR FREE?"
The answer is simple. First, it's on a computer that I control. Either a server I've colo'd, or a server in my basement, or my desktop itself. Second, I've got the option to secure it however which way I want to. For instance, I have two Gallery sites on one of my servers. One is configured to be open to the public. The other, where I keep the more private things, is, in addition to Gallery's own inbuilt security, buried behind Apache's security (.htaccess), which is buried behind a VPN. The two Apache instances run as different users and can't access *ANY* common location - it's impossible for the public Apache to read anything that the private Apache can read (or write) lest someone find a way to elevate the public Apache instance to root.
And all this security is for sodding *PICTURES*. Pictures that the people pictured wouldn't appreciate getting to the public ('cuz mommy doesn't know they drink, or they're running around with their mistress, or something) or are of a trusted and personal nature, or are part of some contract work. People who need access can still get access (call me, you'll get onto the VPN, get an Apache login, and get a Gallery login that lets you read the appropriate album. All in a few quick keystrokes).
Webmail? I'm still searching for the ultimate balance of security and usability for that - but at least I'm in control. And my spam filter works better.
As for everything else - the stories are similar. There's no reason to use services that someone else provides and provides no guarantee on if it's within your means to do it any other way. Obviously it's not for everyone, but it should be no surprise at all when something that's only a ploy to get you to look at ads and gather information about you so you can look at "more relevant" ads doesn't turn out to be as safe as they look on the outside.
Re: - the simple answer is DONT USE IE!!
Of course, that's the standard answer. And one i usually give as well. But there are some sites that are not accessible with anything other than IE. I hear you say "Don't use these sites." or "Mail the webmaster to 'fix' it", and while there are certain sites that you can avoid, and certain webmasters that actually listen to you, there still remain sites that stay accessible only with IE. An example i use is my own banking site which is accessible though, but i can't make any transactions when using Firefox.
re: bank sites, etc...
(not off-topic, we are talking 'security'..:) )
so tell me, when you buy a new car, do you believe the guy when he says *only use our special oil!* - only a wimp would...
a major reason for banks sites not working is they *have no clue* about 'what goes on'... so they 'do it the MS way', much the same as they would buy a 'rollsroyce' instead of a 'ford' - judged purely on financial standards, not capability..
If a site is built with basic tools, it will work in any browser!,
there is support available, with some success...
http://forums.mozillazine.org/viewforum.php?f=25 )--- = Mozzilla Standards Evangelism
http://kb.mozillazine.org/Talk:128-bit_Encryption )--- = example of 'browser racism'...
http://my.opera.com/community/forums/forum.dml?id=29 )--- = Take action, Open the web!!
http://my.opera.com/community/forums/forum.dml?id=27 )--- = cross-browser Web design
yes, but tell them why you are changing...
- say that you want to use *your* browser to do me-banking, and say you are using Linux or Mac!! (even if you are not...) - that will confuse them, they cannot be lazy, and say windows... :D
the banks in spain and portugal still think the customer is king, it is time for the rest to get into the 21st century!!
- Elon Musk's LEAKY THRUSTER gas stalls Space Station supply run
- Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
- FOUR DAYS: That's how long it took to crack Galaxy S5 fingerscanner
- Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
- Did a date calculation bug just cost hard-up Co-op Bank £110m?